Solved Google redirect virus etc.


dixonhand

Hi,

As is the case with many people in this forum I have had my Google searches redirected. It seems to be much worse than that because when I tried to run HijackThis it blocked the results so I had to run in safe mode. I think my computer is seriously compromised and fear my information is vulnerable. I cannot use AVG anti virus either since it blocks that as well. I used hitman anti virus but that didn't cure the issue and now I have tons of messages coming up from windows saying "sites are blocked" or "continue to block" so and so's site. I have downloaded malwarebytes recently but haven't run it yet as I'm awaiting instructions to my HijackThis post. Here is the text. Thanks in advance to anyone who helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:58 PM, on 9/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cwpisav01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\KEVINM~1\LOCALS~1\Temp\herss.exe
O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: YellowJacket.lnk = C:\Program Files\YellowJacket Software\YJ Energy\YJ.Energy.exe
O4 - Global Startup: NETGEAR WNA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: .meetthematts.com
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe

--
End of file - 7889 bytes
 
Welcome to TechSpot! I'll help with the redirect and although we don't use HijackThis to 'screen' for malware, I will tell you that you do have this Worm- at least>

W32.SillyFDC.BCT removable media worm. So if you are using a flash drive, it will need to be disinfected>

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Log results:

Thanks so much. Here are the three logs

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7707

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/13/2011 9:29:18 PM
mbam-log-2011-09-13 (21-29-18).txt

Scan type: Quick scan
Objects scanned: 192870
Time elapsed: 11 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Value: cdoosoft -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-14 05:49:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDP725032GLA360 rev.GM3OA5BA
Running: 2sw9ohch.exe; Driver: C:\DOCUME~1\KEVINM~1\LOCALS~1\Temp\fxriikob.sys


---- System - GMER 1.0.15 ----

SSDT BA6FF944 ZwClose
SSDT BA6FF8FE ZwCreateKey
SSDT BA6FF94E ZwCreateSection
SSDT BA6FF8F4 ZwCreateThread
SSDT BA6FF903 ZwDeleteKey
SSDT BA6FF90D ZwDeleteValueKey
SSDT BA6FF93F ZwDuplicateObject
SSDT BA6FF912 ZwLoadKey
SSDT BA6FF8E0 ZwOpenProcess
SSDT BA6FF8E5 ZwOpenThread
SSDT BA6FF91C ZwReplaceKey
SSDT BA6FF917 ZwRestoreKey
SSDT BA6FF953 ZwSetContextThread
SSDT BA6FF908 ZwSetValueKey
SSDT BA6FF8EF ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3476] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3476] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000435 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89C115F0

---- Files - GMER 1.0.15 ----

ADS C:\WINDOWS\1263082771:3974280884.exe 816 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\$NtUninstallKB42409$\2414888853 0 bytes
File C:\WINDOWS\$NtUninstallKB42409$\320686411 0 bytes
File C:\WINDOWS\$NtUninstallKB42409$\320686411\L 0 bytes
File C:\WINDOWS\$NtUninstallKB42409$\320686411\U 0 bytes

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\1263082771:3974280884.exe [MANUAL] 131d494b <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Kevin McG at 5:56:19 on 2011-09-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1250 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
uInternet Settings,ProxyServer = cwpisav01:8080
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\kevinm~1\startm~1\programs\startup\yellow~1.lnk - c:\program files\yellowjacket software\yj energy\YJ.Energy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: hp.com\www
Trusted Zone: meetthematts.com
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CD6F39E5-031C-4535-9F51-3471D4653453} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 10.65.10.130 mcocap4
Hosts: 10.65.10.132 mcocap5
Hosts: 10.65.10.131 mcocap6
Hosts: 10.65.10.133 mcocap7
Hosts: 10.65.10.134 mcocap8
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kevin mcg\application data\mozilla\firefox\profiles\jtll9b8w.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-2-17 24064]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-13 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-5 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-5 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-5 242896]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-13 66616]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]
R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-9-10 285152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-8-31 642432]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-2-17 176640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]
R3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-8-31 50704]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe --> c:\program files\synergy\synergys.exe [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2009-3-21 22136]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-21 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2011-09-14 01:08:33 -------- d-----w- c:\windows\system32\NtmsData
2011-09-14 01:05:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 01:05:27 -------- d-----w- c:\program files\Avira
2011-09-14 01:05:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-09-13 02:57:39 -------- d-----w- c:\program files\Trend Micro
2011-09-13 01:59:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-13 01:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-13 01:37:23 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-11 02:17:07 -------- d-----w- c:\program files\TiVo
2011-09-11 02:17:07 -------- d-----w- c:\documents and settings\all users\application data\TiVo
2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-10 05:21:33 -------- d-----w- c:\program files\NETGEAR
2011-09-10 05:09:18 -------- d-----w- c:\program files\NETGEAR(2)
2011-09-10 04:01:53 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-10 03:18:15 -------- d-----w- c:\documents and settings\kevin mcg\application data\Malwarebytes
2011-09-10 03:18:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-04 14:14:58 -------- d-----w- c:\program files\Amazon
2011-09-01 00:08:35 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2011-09-01 00:08:34 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-09-01 00:08:34 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-09-01 00:08:34 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-09-01 00:08:34 100880 ----a-w- c:\windows\system32\Packet.dll
2011-08-30 19:02:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 15:59:13 -------- d-----w- c:\documents and settings\kevin mcg\local settings\application data\Thunderbird
.
==================== Find3M ====================
.
2011-09-13 01:37:57 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-10 05:48:55 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
.
============= FINISH: 5:56:35.17 ===============
 
There is another log from DDS named Attach.txt that is missing. Please paste it into your next reply>> don't zip it.

Question: Why do you have this on Startup?
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
=====================================
AVG is outdated> Since you put Avira on the system and since Combofix won't run with AVG, you can remove it as below:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==============================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
================================
I strongly recommend that you uninstall Hitman> It is just a bundle of free programs, all available on the internet. But the scam is that Hitman will only remove bad entries for free during the trial period. After that, you have to buy the program. But if you use the same separate files in the bundle, they are fully functional and free.
================================
I notice that you ran the TDSS Killer. If you still have the log, please include it in the next reply.

Logs to be pasted into next reply:
Attach.txt from DDS
Combofix
Eset online virus scan
TDSSKiller
 
Hi. I don't know why I have StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE at startup. Tell me how to stop it and I will delete it from startup.

I also noticed when I held the ctrl button down when clicking on the eset link that the browser said go.eset.com and I know the previous virus that I had would take me to go.google.com so I'm a tad concerned about that. Also Avira keeps popping up with Malware found that I just keep Xing out of. The latest is 'TR/Crypt.ZPACK.Gen was found in file 'C:\Documents and Settings\...\inetnopro.exe'.

I didn't have the attach.txt file on my computer so at the very end I reran it to get it for you. Hope that was ok. I also can't find the TDSSKiller file. Also at the end is the latest DDS.txt file that was generated.

ComboFix 11-09-14.02 - Kevin McG 09/14/2011 22:09:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1614 [GMT -4:00]
Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\windows\$NtUninstallKB42409$
c:\windows\$NtUninstallKB42409$\2414888853
c:\windows\system32\c_53095.nls
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_131d494b
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
.
.
2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
2011-09-14 01:08 . 2011-09-14 01:08 -------- d-----w- c:\windows\system32\NtmsData
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-13 01:37 . 2011-09-13 01:37 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2011-09-10 05:48 . 2011-09-13 02:47 50112 --sha-w- c:\windows\system32\c_53095.nl_
2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\program files\NETGEAR
2011-09-10 04:01 . 2011-09-10 05:28 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
2011-09-01 00:08 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 15:59 . 2011-09-06 00:26 -------- d-----w- c:\documents and settings\Kevin McG\Local Settings\Application Data\Thunderbird
2011-08-30 15:59 . 2011-08-30 15:59 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Thunderbird
2011-08-30 15:58 . 2011-09-06 00:26 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-10 05:48 . 2011-02-21 17:04 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-08 11:06 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
WinZip Quick Pick.lnk - c:\documents and settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE [2009-4-6 106560]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [8/31/2011 8:08 PM 642432]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/10/2011 12:17 AM 285152]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2/21/2011 1:04 PM 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
uInternet Settings,ProxyServer = cwpisav01:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hp.com\www
Trusted Zone: meetthematts.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-avgrsstarter - (no file)
SafeBoot-60779943.sys
AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\1263082771:3974280884.exe 816 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\06\08\14\1b\13?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
.
**************************************************************************
.
Completion time: 2011-09-14 22:20:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-15 02:20
.
Pre-Run: 245,049,856,000 bytes free
Post-Run: 248,269,004,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8EAFB15FFD81A60E000C343A53D1F40C

C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
C:\WINDOWS\system32\c_53095.nl_ a variant of Win32/Sirefef.CR trojan


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/23/2009 8:41:30 PM
System Uptime: 9/14/2011 10:30:24 PM (8 hours ago)
.
Motherboard: Dell Inc. | | 0T656F
Processor: Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz | CPU | 2526/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 231.163 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CSVirtA
.
==== System Restore Points ===================
.
RP438: 6/17/2011 6:25:34 PM - System Checkpoint
RP439: 6/18/2011 9:33:43 PM - System Checkpoint
RP440: 6/20/2011 4:32:09 PM - System Checkpoint
RP441: 6/22/2011 8:04:41 PM - System Checkpoint
RP442: 6/30/2011 8:54:27 PM - System Checkpoint
RP443: 7/6/2011 3:55:34 PM - System Checkpoint
RP444: 7/7/2011 6:47:59 PM - System Checkpoint
RP445: 7/8/2011 6:50:47 PM - System Checkpoint
RP446: 7/9/2011 7:43:15 PM - System Checkpoint
RP447: 7/15/2011 7:34:02 PM - System Checkpoint
RP448: 7/16/2011 8:17:52 PM - System Checkpoint
RP449: 7/18/2011 12:33:27 PM - System Checkpoint
RP450: 7/19/2011 1:04:00 PM - System Checkpoint
RP451: 7/20/2011 1:09:51 PM - System Checkpoint
RP452: 7/21/2011 6:49:31 PM - System Checkpoint
RP453: 7/23/2011 11:52:11 AM - System Checkpoint
RP454: 7/24/2011 12:10:36 PM - System Checkpoint
RP455: 7/25/2011 9:19:10 PM - System Checkpoint
RP456: 7/27/2011 10:19:02 AM - System Checkpoint
RP457: 7/28/2011 5:59:04 PM - System Checkpoint
RP458: 7/30/2011 9:17:33 AM - System Checkpoint
RP459: 7/31/2011 12:15:38 PM - System Checkpoint
RP460: 8/1/2011 1:03:01 PM - System Checkpoint
RP461: 8/2/2011 2:33:39 PM - System Checkpoint
RP462: 8/3/2011 2:38:18 PM - System Checkpoint
RP463: 8/4/2011 3:39:25 PM - System Checkpoint
RP464: 8/5/2011 4:17:56 PM - System Checkpoint
RP465: 8/6/2011 4:26:58 PM - System Checkpoint
RP466: 8/7/2011 4:58:18 PM - System Checkpoint
RP467: 8/8/2011 5:03:16 PM - System Checkpoint
RP468: 8/9/2011 5:35:02 PM - System Checkpoint
RP469: 8/10/2011 6:30:54 PM - System Checkpoint
RP470: 8/11/2011 6:35:17 PM - System Checkpoint
RP471: 8/12/2011 6:36:30 PM - System Checkpoint
RP472: 8/13/2011 6:45:22 PM - System Checkpoint
RP473: 8/14/2011 6:53:55 PM - System Checkpoint
RP474: 8/15/2011 6:58:42 PM - System Checkpoint
RP475: 8/16/2011 7:34:58 PM - System Checkpoint
RP476: 8/17/2011 8:59:27 PM - System Checkpoint
RP477: 8/22/2011 1:14:12 PM - System Checkpoint
RP478: 8/23/2011 2:13:39 PM - System Checkpoint
RP479: 8/24/2011 2:29:50 PM - System Checkpoint
RP480: 8/27/2011 5:43:11 PM - System Checkpoint
RP481: 8/28/2011 8:40:26 PM - System Checkpoint
RP482: 8/30/2011 8:05:22 AM - System Checkpoint
RP483: 8/31/2011 8:06:27 AM - System Checkpoint
RP484: 8/31/2011 8:08:30 PM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP485: 9/1/2011 8:24:19 PM - System Checkpoint
RP486: 9/2/2011 8:29:26 PM - System Checkpoint
RP487: 9/3/2011 8:33:47 PM - System Checkpoint
RP488: 9/5/2011 9:49:30 AM - System Checkpoint
RP489: 9/6/2011 9:52:02 AM - System Checkpoint
RP490: 9/7/2011 10:17:46 AM - System Checkpoint
RP491: 9/8/2011 11:09:39 AM - System Checkpoint
RP492: 9/9/2011 12:02:20 PM - System Checkpoint
RP493: 9/9/2011 11:26:48 PM - Restore Operation
RP494: 9/10/2011 12:17:02 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP495: 9/10/2011 12:18:38 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
RP496: 9/10/2011 12:36:34 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP497: 9/10/2011 12:38:05 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
RP498: 9/10/2011 12:47:48 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP499: 9/10/2011 1:05:05 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
RP500: 9/10/2011 1:09:17 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP501: 9/10/2011 1:14:25 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP502: 9/10/2011 1:19:15 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP503: 9/10/2011 1:21:13 AM - Restore Operation
RP504: 9/10/2011 1:26:59 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
RP505: 9/10/2011 1:29:06 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
RP506: 9/10/2011 10:15:53 PM - Removed TiVo Desktop 2.8
RP507: 9/10/2011 10:17:06 PM - Installed TiVo Desktop 2.8.2
RP508: 9/12/2011 9:52:28 AM - System Checkpoint
RP509: 9/13/2011 6:40:22 PM - System Checkpoint
RP510: 9/14/2011 10:35:44 PM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
.
 
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
AIM 7
Amazon MP3 Downloader 1.0.12
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
Broadcom Management Programs
BufferChm
Choice Guard
Cisco SSL VPN Client
DJ_AIO_03_F4200_Software
DJ_AIO_03_F4200_Software_Min
DJ_AIO_03_F4220_ProductContext
ESET Online Scanner v3
F4200
F4210_Help
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3
HPSSupply
Intel(R) Graphics Media Accelerator Driver
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Junk Mail filter update
Lager
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla (1.7.13)
Mozilla Firefox 6.0.2 (x86 en-US)
Mozilla Thunderbird (6.0)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
NETGEAR WNA3100 wireless USB 2.0 adapter
PowerDVD
QuickTime
RiskManager
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shop for HP Supplies
Skype web features
Skype™ 4.1
Sonic CinePlayer Decoder Pack
Spelling Dictionaries Support For Adobe Reader 9
Synergy
Tax Forms Helper 2009 9.0
TiVo Desktop 2.8.2
Toolbox
Trader Studio
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebICE
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
YellowJacket
.
==== Event Viewer Messages From Past Week ========
.
9/9/2011 11:59:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/9/2011 11:50:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/9/2011 11:39:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
9/9/2011 11:21:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/9/2011 11:12:23 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'cdrom.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/13/2011 9:12:52 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: Access is denied.
9/13/2011 9:12:52 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
9/12/2011 9:38:27 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/12/2011 7:49:29 PM, error: DCOM [10005] - DCOM got error "%3" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
9/12/2011 11:00:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. STC Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/10/2011 5:15:34 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
9/10/2011 12:57:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/10/2011 12:56:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm Tcpip
9/10/2011 12:46:31 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
9/10/2011 12:46:31 AM, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 12:46:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgTdiX Tcpip
9/10/2011 12:46:30 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/10/2011 12:44:26 AM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
9/10/2011 12:32:48 AM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
9/10/2011 12:29:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/10/2011 12:10:02 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the WSWNA3100 service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/10/2011 12:09:57 AM, error: Service Control Manager [7034] - The Synergy Server service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:57 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:57 AM, error: Service Control Manager [7031] - The WSWNA3100 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The Cisco Systems, Inc. STC Agent service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:56 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/10/2011 12:09:55 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
9/10/2011 12:09:54 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/10/2011 12:04:07 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
9/10/2011 1:23:21 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:23:21 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Synergy Server service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Cisco Systems, Inc. STC Agent service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
9/10/2011 1:08:26 AM, error: Service Control Manager [7000] - The WSWNA3100 service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Kevin McG at 6:09:28 on 2011-09-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1149 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
uInternet Settings,ProxyServer = cwpisav01:8080
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\kevinm~1\startm~1\programs\startup\yellow~1.lnk - c:\program files\yellowjacket software\yj energy\YJ.Energy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: hp.com\www
Trusted Zone: meetthematts.com
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CD6F39E5-031C-4535-9F51-3471D4653453} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kevin mcg\application data\mozilla\firefox\profiles\jtll9b8w.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-2-17 24064]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-13 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-13 66616]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]
R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-9-10 285152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-8-31 642432]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-2-17 176640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]
R3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-9-14 50704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe --> c:\program files\synergy\synergys.exe [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2009-3-21 22136]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-21 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2011-09-15 02:46:55 -------- d-----w- c:\program files\ESET
2011-09-15 02:35:50 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-09-15 02:35:50 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-09-15 02:35:50 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-09-15 02:35:50 100880 ----a-w- c:\windows\system32\Packet.dll
2011-09-15 02:06:51 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-15 02:03:57 -------- d-sha-r- C:\cmdcons
2011-09-15 02:02:34 98816 ----a-w- c:\windows\sed.exe
2011-09-15 02:02:34 518144 ----a-w- c:\windows\SWREG.exe
2011-09-15 02:02:34 256000 ----a-w- c:\windows\PEV.exe
2011-09-15 02:02:34 208896 ----a-w- c:\windows\MBR.exe
2011-09-15 01:50:54 -------- d-----w- c:\documents and settings\kevin mcg\application data\Avira
2011-09-14 01:08:33 -------- d-----w- c:\windows\system32\NtmsData
2011-09-14 01:05:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 01:05:27 -------- d-----w- c:\program files\Avira
2011-09-14 01:05:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-09-13 02:57:39 -------- d-----w- c:\program files\Trend Micro
2011-09-13 01:59:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-13 01:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-13 01:37:23 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-11 02:17:07 -------- d-----w- c:\program files\TiVo
2011-09-11 02:17:07 -------- d-----w- c:\documents and settings\all users\application data\TiVo
2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-10 05:21:33 -------- d-----w- c:\program files\NETGEAR
2011-09-10 05:09:18 -------- d-----w- c:\program files\NETGEAR(2)
2011-09-10 04:01:53 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-10 03:18:15 -------- d-----w- c:\documents and settings\kevin mcg\application data\Malwarebytes
2011-09-10 03:18:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-04 14:14:58 -------- d-----w- c:\program files\Amazon
2011-09-01 00:08:35 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2011-08-30 19:02:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 15:59:13 -------- d-----w- c:\documents and settings\kevin mcg\local settings\application data\Thunderbird
.
==================== Find3M ====================
.
2011-09-13 01:37:57 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-10 05:48:55 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
.
============= FINISH: 6:09:49.68 ===============
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\c_53095.nl_
c:\windows\system32\PerfStringBackup.TMP
c:\windows\system32\drivers\hitmanpro35.sys
Folder::
C:\TDSSKiller_Quarantine
FileLook::
c:\windows\1263082771:3974280884.exe
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta 
    C:\WINDOWS\system32\c_53095.nl_ 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================================
You have multiple outdated versions of Java. These are vulnerabilities. Please run the following to remove all:
You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following. Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
To remove malware in the Java cache:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel.
    java.png
    The Java Control Panel appears.
    plugin_cache1.jpg
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    plugin_cache2.jpg
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    plugin_cache3.jpg
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
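As an added example (not part of this thread, and not code from DDS, ComboFix, OTMoveIt or JavaRa), here is a small Python triage script that mechanises the observation in the post above about stale Java installers. It reads the DPF and BHO lines of a DDS "Pseudo HJT Report", reports every Java `jinstall` version referenced by a DPF entry, flags the ones older than the newest version present on the machine (or older than a version you pass in as `current`, which is the caller's knowledge, not something the log can tell you), and lists BHO CLSIDs that resolve to "No File". The sample lines are copied from the DDS log earlier in this thread; `current`, `Findings` and the function names are this example's own.

```python
"""Triage of DPF/BHO lines from a DDS 'Pseudo HJT Report'.

Added example for this thread; not DDS/ComboFix/OTMoveIt/JavaRa code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the DDS log posted earlier in this thread.
# DDS writes 'hxxp' instead of 'http' so pasted URLs are not clickable;
# the version is read from the file name, so that defanging is harmless.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

Version = Tuple[int, int, int, int]

# jinstall-1_6_0_20-windows-i586.cab  ->  (1, 6, 0, 20)
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


@dataclass
class Findings:
    # version -> CLSIDs of the DPF entries that reference that installer
    java_versions: Dict[Version, List[str]] = field(default_factory=dict)
    # (version, clsid) pairs judged outdated
    outdated_java: List[Tuple[Version, str]] = field(default_factory=list)
    # CLSIDs of BHO entries whose DLL is missing ('No File')
    orphaned_bhos: List[str] = field(default_factory=list)


def parse_report(text: str, current: Optional[Version] = None) -> Findings:
    """Scan report lines; 'current' is an externally known up-to-date
    version (hypothetical input). Without it, only versions older than the
    newest one present on the machine are flagged, which is a lower bound."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(":")
        m = CLSID_RE.search(rest)
        clsid = m.group(0).upper() if m else ""
        if kind == "BHO" and rest.rstrip().endswith("- No File"):
            f.orphaned_bhos.append(clsid)
        elif kind == "DPF":
            jm = JINSTALL_RE.search(rest)
            if jm:
                ver = tuple(int(x) for x in jm.groups())
                f.java_versions.setdefault(ver, []).append(clsid)
    if f.java_versions:
        baseline = current if current is not None else max(f.java_versions)
        for ver, clsids in sorted(f.java_versions.items()):
            if ver < baseline:
                f.outdated_java.extend((ver, c) for c in clsids)
    return f


def version_str(ver: Version) -> str:
    return "%d.%d.%d_%02d" % ver


def summarize(f: Findings) -> List[str]:
    """Human-readable triage lines, one per finding."""
    out = []
    for ver, clsids in sorted(f.java_versions.items()):
        out.append("Java %s referenced by %d DPF entries" % (version_str(ver), len(clsids)))
    for ver, clsid in f.outdated_java:
        out.append("OUTDATED Java %s: %s" % (version_str(ver), clsid))
    for clsid in f.orphaned_bhos:
        out.append("ORPHANED BHO (No File): %s" % clsid)
    return out


if __name__ == "__main__":
    for line in summarize(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run against the sample, the script reports three Java update levels (1.6.0_07, 1.6.0_16 and 1.6.0_20, the last referenced by three DPF entries), flags the two older ones, and lists the orphaned BHO CLSID. The comparison against the newest version present is deliberately conservative: in this log all three are 1.6.0 updates, and the helper's point is that none of them is the current release, which only an external reference such as the `current` argument can establish.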
 
Thanks again for all the help. Below are the logs you requested but I have a few questions too. I am running a wireless connection using Netgear wna3100 and sometimes when I do these scans I come back with no internet connection and I have to reinstall using the netgear CD to get back on the internet. Wanted to make sure this was ok. Also you say in your java instructions to "Please save it to a convenient location.Note: Do not leave this log" I don't know what you mean by this. I saved it on the desktop but what does "do not leave this log" mean? Do you now want me to delete it? Please let me know. Also still not sure what you want me to do about the:
Question: Why do you have this on Startup?
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE

Not sure if it is still there but I haven't done anything about this yet unless you have.

All processes killed
========== FILES ==========
File/Folder C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta not found.
File/Folder C:\WINDOWS\system32\c_53095.nl_ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3964868 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Kevin McG
->Temp folder emptied: 44829 bytes
->Temporary Internet Files folder emptied: 1490356 bytes
->Java cache emptied: 117880732 bytes
->FireFox cache emptied: 556216878 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 336734 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 649.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09152011_210437

Files moved on Reboot...

Registry entries deleted on Reboot...


ComboFix 11-09-14.02 - Kevin McG 09/15/2011 19:49:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1448 [GMT -4:00]
Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin McG\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\c_53095.nl_"
"c:\windows\system32\drivers\hitmanpro35.sys"
"c:\windows\system32\PerfStringBackup.TMP"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk
c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
c:\program files\common files\installshield\updateservice\ISUSPM.exe
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\object.ini
c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.ini
c:\windows\system32\c_53095.nl_
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\PerfStringBackup.TMP
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034201.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034176.exe
.
Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034177.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
-------\Legacy_hitmanpro35
-------\Service_hitmanpro35
.
.
((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
.
.
2011-09-15 02:46 . 2011-09-15 02:46 -------- d-----w- c:\program files\ESET
2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
2011-09-14 01:08 . 2011-09-15 02:37 -------- d-----w- c:\windows\system32\NtmsData
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\program files\NETGEAR
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
2011-09-01 00:08 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 15:59 . 2011-09-06 00:26 -------- d-----w- c:\documents and settings\Kevin McG\Local Settings\Application Data\Thunderbird
2011-08-30 15:59 . 2011-08-30 15:59 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Thunderbird
2011-08-30 15:58 . 2011-09-06 00:26 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-08 11:06 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\1263082771:3974280884.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 816
Created time: 2011-09-10 03:01
Modified time: 2011-09-13 01:38
MD5: !HASH: COULD NOT OPEN FILE !!!!!
SHA1: !HASH: COULD NOT OPEN FILE !!!!!
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-15_02.17.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-15 02:36 . 2009-11-06 12:26 642432 c:\windows\system32\ReinstallBackups\0014\DriverFiles\bcmwlhigh5.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [8/31/2011 8:08 PM 642432]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/10/2011 12:17 AM 285152]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
uInternet Settings,ProxyServer = cwpisav01:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hp.com\www
Trusted Zone: meetthematts.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-15 19:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\1263082771:3974280884.exe 816 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1728)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-09-15 19:58:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-15 23:58
ComboFix2.txt 2011-09-15 02:20
.
Pre-Run: 248,188,960,768 bytes free
Post-Run: 248,184,061,952 bytes free
.
- - End Of File - - 384892B2A9CD62DF4062443EFAF04700
 
What source are you using for these downloads?
Infected copy of c:\program files\Bonjour\mDNSResponder.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe
.
Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe
==============================
Are you using a flash drive?
Infected copy of c:\windows\system32\drivers\cdrom.sys
==============================
About the Java Ra log: It is a very lengthy log- the more versions, the longer the log. I don't need to see the contents. I'm not sure why the directions even tell you to save it. Delete it if you want.
===============================
The only scan that "might" affect the connection is Combofix.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

It's important that you follow the order I give you for the scans. However, what you describe with the adapter sounds very much like it either isn't configured correctly or may be going bad.
=================================
Download CKScanner and save to the desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
 
Q: What source are you using for these downloads?
Infected copy of c:\program files\Bonjour\mDNSResponder.exe
Infected copy of c:\program files\iPod\bin\iPodService.exe
Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe

A: I don't know of the source other than they were downloaded when I installed iTunes and Tivo desktop. Actually the Tivo desktop was from the Tivo site but they might have been corrupted recently. This 'Bonjour' service I don't even know what program downloaded it but it seems that Tivo and iTunes both need it to function.
==============================
Q: Are you using a flash drive?
Infected copy of c:\windows\system32\drivers\cdrom.sys

A: I haven't had a flash drive in the computer since before the beginning of this thread (probably a few weeks ago), but I realized the wireless netgear CD was in the drive when I was doing these tasks (since I had to reinstall for wireless to work) and the attachment that allows the Netgear to work is plugged into a USB port.

I have followed the order - the only time I did extra scans was to find that one log you requested that I hadn't originally pasted and had to rerun it. In fact that might have been Combofix and that was when I lost the wireless again so that makes sense. All other times wireless has stayed up - only lost twice probably due to the Combofix runs. Here are the results of the CKScanner.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\crackbackmomar.txt
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l324.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l325.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l418.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l422.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l424.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l425.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l501.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l502.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l512.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l520.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l521.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l528.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l606.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l610.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l618.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l619.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l620.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l625.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l707.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l715.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l821.xls
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegsheet318.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\crackbackmomar.txt
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l324.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l325.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l418.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l422.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l424.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l425.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l501.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l502.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l512.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l520.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l521.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l528.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l606.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l610.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l618.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l619.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l620.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l625.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l707.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l715.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l821.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegsheet318.xls
scanner sequence 3.ZZ.11.TTAPMS
----- EOF -----
 
I asked about those programs because Combofix found them all infected. Combofix fixed the files. Sometimes it's not the program you download, but where it's downloaded from. It can be a bad site. In the case of file sharing, you also 'share' malware the other person has.

About Netgear
I come back with no internet connection and I have to reinstall using the netgear CD to get back on the internet.

1. When you lost the connection, did you try just rebooting to restore the connection first? Or did you go right into a reinstall?
2. It is possible that the CD you use for Netgear is not corrupt since the Cdrom drive was infected.
3. Check the Device Manager (Control Panel> System> Hardware tab)> expand the Network Adapters> Look for the Error icon
(image: dialog_warning.png)

If any are present> double click to open and look for description.

I also noticed that you have the following on the Startup menu:
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
Per Netgear Support:
The NETGEAR Smart Wizard utility (or Windows Zero Config, Vista’s Auto Config, Windows 7 WCN) will allow you to configure the wireless adapter once the product is installed on your computer.

Please check the usage of the Netgear Smart Wizard on Netgear Support.

It seems to me that you are forcing the adapter to re-configure every time you boot and that it is not configured correctly.
=====================================
You're going to have to help me with these:
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegsheet318.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\crackbackmomar.txt
I restrained myself from making a silly comment that I was glad you got the cracked legs on the ladder fixed!
I haven't had a flash drive in the computer since before the beginning of this thread (probably a few weeks ago).
About travel drive 1.0: This is a USB device> If you used it during this problem, you will need to disinfect it:
Can you help me out with this?
 
Hi Bobbye thanks for the followup. Here are some answers to your questions but the netgear thing has me a bit confused as you can see below. Before I answer your questions I would like to know at what point should I run the Avira Antivir because it keeps popping up with some infected files but I haven't had any instructions to run it yet to clean them up from my computer.

Quote:
c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegsheet318.xls
c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\crackbackmomar.txt

These were files on my desktop that I just now deleted and emptied from recycle bin.

Quote:
I haven't had a flash drive in the computer since before the beginning of this thread (probably a few weeks ago).

About travel drive 1.0: This is a USB device> If you used it during this problem, you will need to disinfect it:

The traveldrive 1.0 that you ask about is a folder on my computer that contains the data I have on my travel usb drive. The usb drive may be infected for sure. I can have someone at work clean it for me unless you want to give me instructions.


Netgear has been coming up without a problem but I haven't run any more a
Don't know if this interests you but here is what I get from my netgear system status:

Edit: Personal router information deleted by Bobbye.

---System Information---
 
Please don't leave log information unless I ask for it. There was nothing I needed in the Netgear log and posting it was a vulnerability to the system.

Yes, you should disinfect the flash drive: These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Please repeat the Eset Scan - update before running and make sure Avira is disabled.
==========================================
I need an update on the system- the Netgear problem has been resolved, hasn't it? But the AV is notifying you of malware. Are you still being redirected?

Please understand that an AV program will list malware no matter what its location is: if in Qoobox, which is where Combofix sends the quarantined files, and System Volume, which are restore points. If entries are only listed in those 2 locations, they are no longer active and will be removed at the end of cleaning.

The resident AV program doesn't "read" those locations.
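A quick way to see what Flash_Disinfector left behind on each drive, and to spot a real autorun.inf that a USB worm may have dropped, is to inspect the root of every volume. The PowerShell function below is an added example written for this thread; it is not code from Flash_Disinfector, from sUBs or from either poster. The function name Get-AutorunInfStatus and its output fields are my own choices, and it relies only on Get-WmiObject and the Win32_LogicalDisk class so it runs on the Windows PowerShell 2.0 that an XP machine can have.

```powershell
# Added example, not code from Flash_Disinfector or from the thread.
# Works on Windows PowerShell 2.0+ (Get-WmiObject, no -Stream needed).
function Get-AutorunInfStatus {
    param(
        # Win32_LogicalDisk.DriveType values: 2 = removable, 3 = fixed
        [int[]]$DriveTypes = @(2, 3)
    )
    $disks = Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $DriveTypes -contains $_.DriveType }
    foreach ($disk in $disks) {
        $path = Join-Path $disk.DeviceID 'autorun.inf'   # e.g. E:\autorun.inf
        # -Force is needed because the placeholder folder is hidden
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $launch = $null
        if (-not $item) {
            $status = 'absent'
        }
        elseif ($item.PSIsContainer) {
            # A folder with this name is what Flash_Disinfector leaves behind
            $status = 'folder (protective placeholder)'
        }
        else {
            # A real file is what USB worms drop; pull out the lines that tell Windows what to run
            $status = 'FILE - review'
            $launch = @(Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }) -join '; '
        }
        New-Object PSObject -Property @{
            Drive  = $disk.DeviceID
            Type   = $disk.DriveType
            Status = $status
            Launch = $launch
        }
    }
}

# Usage: run with the flash drive plugged in
Get-AutorunInfStatus | Format-Table -AutoSize Drive, Type, Status, Launch
```

A drive that reports "folder (protective placeholder)" is in the state Flash_Disinfector intends; "FILE - review" means something wrote a real autorun.inf there, and the Launch column shows which open= or shellexecute= line it would hand to Windows, which is what you would want to look at before plugging the drive into another machine.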
 
I cleaned up the flash drives with the application you suggested and all seemed to work well. In addition I am no longer being redirected on google so that is great. I ran the ESET and I saved the log. If you need to see it let me know. All seems to be running well now. Let me know if there is anything else you need me to do. Thank you very much for your help.
 
Thank you for your patience. I'm glad to hear that the initial problems have been resolved. If anything was found in the Eset log, I need to see it.

Since these programs were infected with malware, I encourage you to uninstall the present one, then download and install clean copies. Remember to use a good site:
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\TiVo\Desktop\TiVoBeacon.exe
The first 2 are installed by Apple when you get iTunes. After uninstalling above in Add/Remove Programs, delete the program folders using Windows Explorer:
Right click on Start> Explore> My Computer> double click on Local Drive (C)> Programs> find folder for each of the above and do a right click> Delete.
Exit Explorer.
========================================
We need to remove just a couple of entries. I'll take a quick look at the log the script generates and if there's nothing new, I'll have you remove the cleaning tools:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::

ADS::
C:\WINDOWS\1263082771:3974280884.exe
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
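The ADS:: entry in the script above targets an alternate data stream: the part after the colon in C:\WINDOWS\1263082771:3974280884.exe is a second data stream attached to the path C:\WINDOWS\1263082771, and ordinary directory listings never show it, which is why only the rootkit scan (catchme, above) reported it as a hidden file. The PowerShell below is an added example, not code from the thread or from ComboFix, that enumerates alternate data streams under a folder and flags the ones whose first two bytes are the PE "MZ" header. Assumptions: Windows PowerShell 3.0 or later (the -Stream parameter and -Encoding Byte used here do not exist in the XP-era PowerShell 2.0), and the function name Find-SuspiciousStreams is mine.

```powershell
# Added example, not code from the thread or from ComboFix.
# Requires Windows PowerShell 3.0+ (-Stream parameter, -Encoding Byte).
function Find-SuspiciousStreams {
    param(
        # Folder to inspect; the stream in this thread lived directly under C:\WINDOWS
        [string]$Root = $env:SystemRoot,
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Root -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Every file carries the default ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    # Read the first two bytes of the stream; 'MZ' (0x4D 0x5A) marks a PE executable.
                    $head = @(Get-Content -LiteralPath $item.FullName -Stream $stream.Stream `
                                          -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    if ($isPE) {
                        $verdict = 'PE executable - review'
                    }
                    elseif ($stream.Stream -eq 'Zone.Identifier') {
                        # Browsers attach this small text stream to every download; it is expected
                        $verdict = 'Zone.Identifier (benign download marker)'
                    }
                    else {
                        $verdict = 'other'
                    }
                    [PSCustomObject]@{
                        Path    = "$($item.FullName):$($stream.Stream)"
                        Bytes   = $stream.Length
                        Verdict = $verdict
                    }
                }
        }
}

# Usage: list streams directly under %SystemRoot%; add -Recurse for a full sweep
Find-SuspiciousStreams | Format-Table -AutoSize
```

Expect plenty of Zone.Identifier hits on a machine that downloads things; the rows worth attention are the ones marked "PE executable - review", especially a numeric file name carrying a numeric .exe stream like the one ComboFix was told to remove here.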
 
Thanks again. Sorry about the delay but here are the details of the file:

ComboFix 11-10-01.03 - Kevin McG 10/01/2011 22:35:04.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1475 [GMT -4:00]
Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin McG\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
.
.
2011-09-25 17:26 . 2011-09-25 17:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-09-25 17:23 . 2011-09-25 17:23 -------- d-----w- c:\program files\iPod
2011-09-25 17:23 . 2011-09-25 17:23 -------- d-----w- c:\program files\iTunes
2011-09-25 17:21 . 2011-09-25 17:23 -------- d-----w- c:\program files\Common Files\Apple
2011-09-25 01:28 . 2011-09-25 01:28 -------- d-sh--w- c:\documents and settings\Kevin McG\UserData
2011-09-18 22:35 . 2011-09-18 22:35 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\BACS.exe
2011-09-16 01:04 . 2011-09-16 01:04 -------- d-----w- C:\_OTM
2011-09-16 00:57 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2011-09-16 00:57 . 2011-09-16 00:57 -------- d-----w- c:\program files\NETGEAR
2011-09-15 02:46 . 2011-09-15 02:46 -------- d-----w- c:\program files\ESET
2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
2011-09-14 01:08 . 2011-09-24 19:07 -------- d-----w- c:\windows\system32\NtmsData
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-19 09:05 . 2010-08-16 13:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 06:40 . 2009-02-17 16:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-09-28 11:49 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-15_02.17.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-25 17:22 . 2011-05-10 12:06 42496 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-09-25 17:22 . 2011-05-10 12:06 18432 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-09-25 17:22 . 2011-05-10 12:06 42496 c:\windows\system32\drivers\usbaapl.sys
+ 2011-09-25 17:00 . 2011-09-25 17:00 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe
+ 2011-09-15 02:36 . 2009-11-06 12:26 642432 c:\windows\system32\ReinstallBackups\0014\DriverFiles\bcmwlhigh5.sys
+ 2011-09-16 01:21 . 2011-07-19 09:05 157472 c:\windows\system32\javaws.exe
- 2010-12-28 12:26 . 2010-08-16 13:23 145184 c:\windows\system32\javaw.exe
+ 2011-09-16 01:21 . 2011-07-19 09:05 145184 c:\windows\system32\javaw.exe
+ 2011-09-16 01:21 . 2011-07-19 09:05 145184 c:\windows\system32\java.exe
- 2010-12-28 12:26 . 2010-08-16 13:23 145184 c:\windows\system32\java.exe
+ 2009-02-24 01:41 . 2011-09-16 01:21 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2009-02-24 01:41 . 2009-02-17 17:08 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2011-09-16 01:21 . 2011-09-16 01:21 203776 c:\windows\Installer\ba559.msi
+ 2011-09-25 17:21 . 2011-09-25 17:21 811520 c:\windows\Installer\562dc.msi
+ 2011-09-25 17:24 . 2011-09-25 17:24 380928 c:\windows\Installer\{69995C7A-062A-4A90-A4DF-8C22895DF522}\iTunesIco.exe
+ 2011-09-25 17:22 . 2011-05-10 12:06 4517664 c:\windows\system32\usbaaplrc.dll
+ 2011-09-25 17:22 . 2011-05-10 12:06 4517664 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
+ 2011-09-25 17:22 . 2011-04-08 18:59 1461992 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
+ 2011-09-25 17:00 . 2011-09-25 17:00 1769984 c:\windows\Installer\7d6bfa.msi
+ 2011-09-25 16:59 . 2011-09-25 16:59 1710592 c:\windows\Installer\7d6b9e.msi
+ 2011-09-25 17:24 . 2011-09-25 17:24 5467136 c:\windows\Installer\562f0.msi
+ 2011-09-25 17:22 . 2011-09-25 17:22 9474048 c:\windows\Installer\562ec.msi
+ 2011-09-25 17:22 . 2011-09-25 17:22 3085312 c:\windows\Installer\562e7.msi
+ 2011-09-25 17:22 . 2011-09-25 17:22 1984512 c:\windows\Installer\562e2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-9-15 4577760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [9/15/2011 8:57 PM 642432]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/15/2011 8:57 PM 285152]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;<local>;*.local
uInternet Settings,ProxyServer = cwpisav01:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hp.com\www
Trusted Zone: meetthematts.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-01 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"ImagePath"="\*"
.
Completion time: 2011-10-01 22:40:07
ComboFix-quarantined-files.txt 2011-10-02 02:40
ComboFix2.txt 2011-10-02 02:31
ComboFix3.txt 2011-09-15 23:58
ComboFix4.txt 2011-09-15 02:20
.
Pre-Run: 247,959,220,224 bytes free
Post-Run: 247,945,723,904 bytes free
.
- - End Of File - - 240194DBF31D2A240596D838622B872B
 
No problem with delay- I am always running behind! Log is looking good. Has redirect been resolved? Any related problems?

Have you been able to resolve the Netgear problem? I notice this is still being loaded on startup:
Product contains: WNA3100 Application
File name contains: \Program Files\NETGEAR\WNA3100\WNA3100.exe
This is the Smart Wizard which is usually used to configure.
=================================
The original HijackThis you ran is outdated,- v2.0.2, so I'd like you to uninstall it, then run the following current version:

Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Thanks Again. I don't know what to do about the netgear - that is how it installed originally when I followed the directions. This netgear is a wireless usb adapter connected to my computer that allows me to wirelessly connect to my netgear router and am not sure how to stop it from starting at start up (or if it will work properly if I don't have it run at start up). Please advise on this.

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:09:45 PM, on 10/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\KEVINM~1\DESKTOP\OLDCOM~1\WINZIP\winzip32.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cwpisav01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;<local>;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: YellowJacket.lnk = C:\Program Files\YellowJacket Software\YJ Energy\YJ.Energy.exe
O4 - Global Startup: NETGEAR WNA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: .meetthematts.com
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe

--
End of file - 8898 bytes
 
Questions about some Services> these are showing 'file missing' in HJT, but that does not mean the file is missing:
  1. O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
  2. O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
  3. O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
  4. O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
-----------------------------------
  1. Java Quick Starter can be disabled. It's a convenience but doesn't need to run
  2. The Microsoft SeaPort Search Enhancement Process seemingly comes bundled with the Windows Live Suite regardless of what options are chosen by the user during installation: "Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement applications."

    seaport.exe runs automatically and continuously upon startup regardless of whether any searches have been performed or browser windows opened. Indeed, the SeaPort service is set to Automatic. That means that it adds additional time to the boot-up process and that its resource usage starts immediately. It uses about 4.5MB of RAM.
  3. STCAgent is an SSL VPN client from Cisco Systems.
  4. Synergy Server allows for multiple monitors using only 1 keyboard and mouse.
The above are all legitimate programs. The only concern is that they show 'file missing.'
=================================
Regarding Netgear:
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-9-15 4577760]
I suggest you go on the home site, support, tell them what you are experiencing and ask them if this registry entry for shortcut needs to be running.
===================================
Okay- Combofix is good. HJT is good- just wanted you to check those Services.

How is system doing now? Have redirects stopped?
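The four O23 lines above are a good illustration of why HijackThis's "(file missing)" tag needs a second look: HJT fills the owner column from the binary's version information, so "Unknown owner" next to "(file missing)" usually means HJT could not read the file, not that the file is gone. The script below is an added example, not part of the original thread and not HJT's own code. It parses O23 lines in the format shown in the log above, re-checks each path on disk, and prints the sc.exe equivalent of the "Disable > Stop Service" steps for any service you decide to turn off. The sample lines are copied from the log; the `exists` hook is an assumption added so the check can be exercised offline (on the real machine you would leave it at the default, `os.path.exists`).

```python
"""Re-check HijackThis O23 '(file missing)' verdicts against the disk.

Added example for this thread; not HijackThis code. Run it on the affected
machine with the HJT log as argument, or with no argument to use the sample
lines embedded below (copied from the log posted above).
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, List

# One O23 line looks like:
#   O23 - Service: <display name> (<service name>) - <owner> - <path> [(file missing)]
# HJT omits "(<service name>)" when it equals the display name, and the
# trailing "(file missing)" is HJT's own guess, which is what we re-check.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample input: the four O23 lines discussed above plus one that
# HJT reports as present, for contrast.
SAMPLE_LOG = r"""
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class ServiceEntry:
    display: str
    name: str            # short service name, as used by sc.exe and services.msc
    owner: str           # CompanyName from the binary's version info, per HJT
    path: str
    hjt_says_missing: bool
    on_disk: bool        # our own check of the path

    @property
    def verdict(self) -> str:
        if self.on_disk:
            if self.hjt_says_missing:
                return "present (HJT 'file missing' label was wrong)"
            return "present"
        if self.hjt_says_missing:
            return "orphaned: binary gone, service registration left behind"
        return "not found on disk even though HJT lists it as present; re-check the path"


def parse_o23(log_text: str,
              exists: Callable[[str], bool] = os.path.exists) -> List[ServiceEntry]:
    """Extract every O23 line and re-check its binary path with `exists`.

    `exists` is an injection point (assumed for this example) so the parser
    can be tested on a machine that does not have these files.
    """
    entries: List[ServiceEntry] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not an O23 line (or a format this example does not know)
        entries.append(ServiceEntry(
            display=m["display"],
            name=m["name"] or m["display"],
            owner=m["owner"],
            path=m["path"],
            hjt_says_missing=m["missing"] is not None,
            on_disk=exists(m["path"]),
        ))
    return entries


def disable_commands(entry: ServiceEntry) -> List[str]:
    """sc.exe equivalent of 'Disable > Stop Service' in services.msc.

    sc.exe requires the space after 'start='. Run from an elevated prompt.
    """
    return [f'sc stop "{entry.name}"',
            f'sc config "{entry.name}" start= disabled']


def main(argv: List[str]) -> None:
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    for e in parse_o23(text):
        print(f"{e.name:28} owner={e.owner!r:30} {e.verdict}")
        if e.owner == "Unknown owner" and e.hjt_says_missing:
            print("    note: HJT could not read version info; verify before trusting 'file missing'")
        if e.verdict.startswith("orphaned"):
            print("    to disable: " + " && ".join(disable_commands(e)))


if __name__ == "__main__":
    main(sys.argv)
```

Services that come back as "orphaned" are the ones whose registration can be removed safely (the binary is already gone); services that come back as "present" despite the HJT label are the ones to decide on individually, as the helper did above for Java Quick Starter, SeaPort, STCAgent and Synergy.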
 
Redirect problem is fixed. I will look into the other programs you mentioned. Synergy I used to use with another computer but no longer do. STCagent is for a work vpn I use. I also use a java quick start for work so that must be why that is on there. I have no idea about seaport and will disable if you tell me how if you think that is best. I will also talk to netgear but haven't been able to get anyone yet and will keep you posted on that. Otherwise all is well. Is there anything else I should do or am I all set?
 
To finish up:

Click on Start> Run> type in services.msc> Enter> double click on each of the following and set as directed:
SeaPort> Disable> Stop Service
Synergy Server > Disable> Stop Service
=========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
All done everything seems good. Just to say I do still have Malwarebytes anti-malware and avira antivir still installed on my computer. Should I delete these and download new versions?
 
"Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually."

Yes.
 