TechSpot

[Closed] Www.Google-analytics.com

Resolved
By sawzalot
Oct 16, 2010
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I've been sitting here for an hour trying to make sense out of your logs! There is so much that needs to be removed from the system that, rather than try to piece it together, you would do best with a reformat/reinstall.

    It's not all malware! You have processes for 3 antivirus programs running: Avast, AVG, and Norton Worm Protect from Norton Security 2005. You also downloaded the setup for Kaspersky AV. It looks like on 10/15 and 10/16, you went around the internet and gathered this and that, maybe in the hope that it would fix things.

    Instead, it made the system worse. And on the following dates, you got multiples of the same:
    2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll

    2010-09-09 14:16:31 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll

    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k(2)(2).sys

    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc(2)(2).dll

    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32(2)(2).dll

    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(3).dll

    ===============================================
    I am not sure how you could even run multiple processes of the above! You can remove a few entries in HijackThis, but I think it's a waste of your time:

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
    O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://74.73.125.189:8888/RtspVaPgDec.cab


    Close all Windows except HijackThis and click on "Fix Checked"
    ======================================================
    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
    c:\windows\system32\drivers\klif.sys
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
    "ImagePath"=-
    
    DDS::
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
    uURLSearchHooks: H - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://74.73.125.189:8888/RtspVaPgDec.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    
    SecCenter::
    {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    Driver::
    SABKUTI
    KLIF
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image showing CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    This may help a little but I don't think it will be any significant improvement.
     
  2. sawzalot

    sawzalot TS Rookie Topic Starter Posts: 20

    I could not check the first three items as they did not re-appear in HijackThis, but here is the log as per your advice:

    ComboFix 10-10-21.08 - Robert 10/22/2010 10:53:51.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.563 [GMT -4:00]
    Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Robert\Desktop\cfscript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys"
    "c:\windows\system32\drivers\klif.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_KLIF
    -------\Service_KLIF


    ((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
    .

    2010-10-19 12:50 . 2010-10-19 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek
    2010-10-19 12:50 . 2010-10-19 12:50 -------- d-----w- c:\documents and settings\Robert\Application Data\GTek
    2010-10-16 19:57 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-16 19:57 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-10-16 19:57 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-16 19:57 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-16 19:57 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-16 19:57 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-16 19:57 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-16 19:56 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-10-16 19:56 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-16 17:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-16 17:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-16 16:49 . 2010-10-17 01:35 -------- d-----w- c:\documents and settings\Administrator
    2010-10-16 16:11 . 2010-10-16 16:11 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\VS Revo Group
    2010-10-16 15:43 . 2010-10-16 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-10-16 00:49 . 2010-10-16 00:49 -------- d-----w- c:\documents and settings\Robert\Application Data\AVG10
    2010-10-16 00:47 . 2010-10-16 00:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-10-16 00:45 . 2010-10-16 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-10-16 00:39 . 2010-10-16 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-10-16 00:10 . 2010-10-16 00:50 -------- d-----w- c:\program files\PC Tools Security
    2010-10-16 00:06 . 2010-10-16 02:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-16 00:04 . 2010-10-16 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-10-15 23:29 . 2010-10-15 23:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-15 23:26 . 2010-10-15 23:26 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\WMTools Downloaded Files
    2010-10-15 23:26 . 2010-10-15 23:26 -------- d-----w- c:\documents and settings\Robert\Application Data\IObit
    2010-10-15 23:26 . 2010-10-15 23:26 -------- d-----w- c:\program files\Carbonite
    2010-10-15 22:49 . 2010-10-17 16:39 -------- d-----w- c:\program files\Trend Micro
    2010-10-15 22:20 . 2010-10-17 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-10-15 01:42 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 01:42 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 01:42 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 01:42 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-13 14:46 . 2010-10-13 14:46 -------- d-----w- C:\spoolerlogs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-20 03:05 . 2004-08-04 21:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2010-09-18 16:23 . 2004-08-04 21:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 21:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 21:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 21:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 08:50 . 2010-06-23 13:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 06:29 . 2010-06-23 13:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-13 20:27 . 2010-09-13 20:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-09-09 14:16 . 2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16 . 2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll
    2010-09-09 14:16 . 2004-08-04 21:00 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
    2010-09-09 14:16 . 2004-08-04 21:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-09 14:16 . 2004-08-04 21:00 1510400 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
    2010-09-09 14:16 . 2009-09-11 14:21 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 16:49 . 2004-08-04 21:00 369664 ----a-w- c:\windows\system32\html.iec
    2010-09-07 15:34 . 2010-07-11 15:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-09-01 11:51 . 2004-08-04 21:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-04 21:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 13:42 . 2004-08-04 21:00 1852800 ----a-w- c:\windows\system32\win32k(2)(2).sys
    2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-04 21:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-27 05:57 . 2004-08-04 21:00 99840 ----a-w- c:\windows\system32\srvsvc(2)(2).dll
    2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-08-10 01:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-04 21:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-23 16:12 . 2004-08-04 21:00 617472 ----a-w- c:\windows\system32\comctl32(2)(2).dll
    2010-08-17 13:17 . 2004-08-04 21:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-04 21:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-08-16 08:45 . 2004-08-04 21:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(3).dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-20_03.31.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-22 15:01 . 2010-10-22 15:01 16384 c:\windows\temp\Perflib_Perfdata_848.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "nwiz"="nwiz.exe" [2006-04-21 1519616]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\tsnp2std.exe [2009-8-9 98304]
    HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/16/2010 3:57 PM 162768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/16/2010 3:57 PM 19024]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-196392244-1619933075-25941823-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-10-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-196392244-1619933075-25941823-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\uig03ldk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
    FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\uig03ldk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3884)
    c:\windows\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-22 11:06:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-22 15:06
    ComboFix2.txt 2010-10-20 03:33

    Pre-Run: 60,972,941,312 bytes free
    Post-Run: 60,840,804,352 bytes free

    - - End Of File - - 4103D4E3A40BD4104B2DD0EF356D162C
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I spent a great deal of time searching for a rational reason for the following entries:

    rpcrt4.dll: Remote Procedure Call (RPC) API, used by Windows applications for network and Internet communication.
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(3).dll
    2004-08-04 21:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-08-16 08:45 . 2004-08-04 21:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(3).dll
    .
    comctl32.dll: Windows Common Controls Library
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32(2)(2).dll
    2004-08-04 21:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-23 16:12 . 2004-08-04 21:00 617472 ----a-w- c:\windows\system32\comctl32(2)(2).dll

    srvsvc.dll: component of the Server Message Block (SMB)
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc(2)(2).dll
    2004-08-04 21:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-27 05:57 . 2004-08-04 21:00 99840 ----a-w- c:\windows\system32\srvsvc(2)(2).dll

    win32k.sys: Multi-User Win32 Driver file.
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k(2)(2).sys
    2004-08-04 21:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 13:42 . 2004-08-04 21:00 1852800 ----a-w- c:\windows\system32\win32k(2)(2).sys

    urlmon.dll: module that contains functions used by Microsoft OLE (Object Linking and Embedding).
    2010-09-09 14:16:31 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
    2010-09-09 14:16 . 2004-08-04 21:00 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll

    wininet.dll: part of the Windows networking stack
    2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll

    shdocvw.dll: Microsoft Shell Doc Object and Control Library.
    2010-09-09 14:16 . 2004-08-04 21:00 1510400 ----a-w- c:\windows\system32\shdocvw(2)(2).dll

    mfc.dll: module that contains the Microsoft Foundation Classes (MFC) functions used by applications created in Visual C++
    2004-08-04 21:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 21:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 21:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 21:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

    I found none. You also still have processes for the Kaspersky setup from 10/16, AVG 10 and Avast.
    Hitman Pro data is also evident.

    I do not see anything that will fix this mess and recommend that you do a complete reformat and reinstall.

    I don't even know how the system is running with multiples of system files and folders. Perhaps your family has the right idea keeping you away from their systems.
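The duplicated system files Bobbye flags in her first and third posts (wininet(2)(2).dll, rpcrt4(2)(3).dll and the rest) are the kind of thing that is easy to miss in a long ComboFix listing. The script below is an added example, not code from this thread or from ComboFix, that parses both listing shapes ComboFix prints (the "date size attrs path" form and the "mtime . ctime size attrs path" Find3M form), strips Explorer-style "(n)(m)" copy suffixes, and reports every system32 file that has such a copy, noting whether the original appears in the listing and whether all sizes agree. The sample lines are constructed from entries shown above; the function and constant names are the example's own.

```python
import re
from collections import defaultdict

# Both listing shapes that ComboFix prints in the thread above:
#   "2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll"
#   "2010-09-09 14:16 . 2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll"
LINE_RE = re.compile(
    r"^\s*(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[-dahrsw]{8})\s+(?P<path>.+?)\s*$"
)

# Explorer-style copy suffix right before the extension: "rpcrt4(2)(3).dll" -> "rpcrt4.dll"
COPY_SUFFIX_RE = re.compile(r"(?:\(\d+\))+(?=\.[^.\\]+$)")

# Constructed sample: lines copied from the Find3M report above plus one
# directory entry, so that both line shapes get exercised.
SAMPLE_LISTING = r"""
2010-10-19 12:50 . 2010-10-19 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek
2010-09-09 14:16 . 2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-04 21:00 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-09-09 14:16 . 2004-08-04 21:00 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-09-09 14:16 . 2004-08-04 21:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(3).dll
2010-10-15 01:42 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
"""


def parse_listing(text):
    """Turn ComboFix file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size_field = m.group("size")
        entries.append({
            "mtime": m.group("mtime"),
            "size": None if size_field.startswith("-") else int(size_field),  # dirs have no size
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def canonical_name(path):
    """Lower-case the path and drop any '(n)(m)' copy suffix from the file name."""
    return COPY_SUFFIX_RE.sub("", path).lower()


def find_copy_duplicates(entries, system_dir="c:\\windows\\system32\\"):
    """Group system32 files by canonical name and report any that have '(n)' copies.

    A copy whose size equals the original's is most likely a stray Explorer
    duplicate; a size mismatch is worth a closer look (hash both files).
    """
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is None or not e["path"].lower().startswith(system_dir):
            continue
        groups[canonical_name(e["path"])].append(e)

    findings = {}
    for name, group in groups.items():
        copies = [e["path"] for e in group if e["path"].lower() != name]
        if not copies:
            continue
        findings[name] = {
            "copies": copies,
            "original_present": any(e["path"].lower() == name for e in group),
            "same_size": len({e["size"] for e in group}) == 1,
        }
    return findings


def report(findings):
    """One human-readable line per canonical file, sorted by path."""
    lines = []
    for name in sorted(findings):
        f = findings[name]
        status = "original listed" if f["original_present"] else "original NOT in listing"
        size_note = "sizes match" if f["same_size"] else "SIZE MISMATCH"
        lines.append(f"{name}: {len(f['copies'])} copy(ies), {status}, {size_note}")
    return lines


if __name__ == "__main__":
    for line in report(find_copy_duplicates(parse_listing(SAMPLE_LISTING))):
        print(line)
```

Run it against a pasted ComboFix log and it lists each system32 file that has an "(n)" twin; for urlmon(2)(2).dll the original is not in the Find3M section because that section only shows files changed in the last three months, so "original NOT in listing" means "check on disk", not "file missing".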
     