TechSpot

Google redirect virus etc.

By dixonhand
Sep 13, 2011
  1. Hi,

    As is the case with many people in this forum I have had my Google searches redirected. It seems to be much worse than that because when I tried to run HijackThis it blocked the results so I had to run in safe mode. I think my computer is seriously compromised and fear my information is vulnerable. I cannot use AVG anti virus either since it blocks that as well. I used Hitman anti virus but that didn't cure the issue and now I have tons of messages coming up from Windows saying "sites are blocked" or "continue to block" so and so's site. I have downloaded Malwarebytes recently but haven't run it yet as I'm awaiting instructions to my HijackThis post. Here is the text. Thanks in advance to anyone who helps.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:59:58 PM, on 9/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cwpisav01:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\KEVINM~1\LOCALS~1\Temp\herss.exe
    O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: YellowJacket.lnk = C:\Program Files\YellowJacket Software\YJ Energy\YJ.Energy.exe
    O4 - Global Startup: NETGEAR WNA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.meetthematts.com
    O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
    O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
    O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe

    --
    End of file - 7889 bytes
     
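As an added triage example (not code from this thread, from HijackThis, or from the helper's toolkit): a small Python screener that reads HijackThis-style lines and pulls out the entries a reviewer would look at first. The sample lines are constructed from the entry types in the log above, not the full log; the section patterns follow the HijackThis output format, while the severity levels and the "user-writable location" heuristic are my own assumptions. Note that the `cdoosoft` autorun is flagged purely because it launches from a Temp folder, not by any signature.

```python
import re
from typing import Dict, List, Tuple

# A finding is (severity, HijackThis section, detail).
Finding = Tuple[str, str, str]

# Constructed sample: six HijackThis-style lines modelled on entry types that
# appear in the log posted above (autoruns, an orphaned BHO, a proxy setting,
# an orphaned service). It is not the full posted log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\KEVINM~1\LOCALS~1\Temp\herss.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cwpisav01:8080
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
"""

# "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O2 - BHO: <name> - {<clsid>} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)$")

# Path fragments meaning "launched from a user-writable location" (assumed
# heuristic). Installed software normally runs from Program Files or the
# Windows directory; an autorun pointing into Temp is the classic dropped-file sign.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")


def image_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> List[Finding]:
    """Screen a HijackThis log and return the entries worth a reviewer's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            if any(frag in path for frag in USER_WRITABLE):
                findings.append(("high", "O4",
                                 f"autorun [{m.group('name')}] under {m.group('hive')} "
                                 f"launches from a user-writable location: {path}"))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings.append(("low", "O2",
                             f"orphaned BHO {{{m.group('clsid')}}}: registered but no DLL on disk"))
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(("medium", "R1",
                             f"system proxy set to {m.group('proxy')}; confirm it is expected "
                             f"(e.g. a corporate proxy), since this key is also a traffic-hijack point"))
            continue
        if line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(("low", "O23",
                             f"service registered but binary missing: {line[len('O23 - Service: '):]}"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a reviewer can see the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, section, detail in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{sev:6}] {section}: {detail}")
```

On the sample this yields one high finding (the Temp-folder autorun), one medium (the proxy setting, which on a work machine may be entirely legitimate and so needs confirming rather than deleting), and two low housekeeping items. The screener is deliberately conservative: it flags locations and orphaned registrations, and leaves the actual identification of the malware family to the dedicated scanners the helper asks for.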
  2. Bobbye


    Welcome to TechSpot! I'll help with the redirect and although we don't use HijackThis to 'screen' for malware, I will tell you that you do have this worm, at least:

    W32.SillyFDC.BCT removable media worm. So if you are using a flash drive, it will need to be disinfected.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. dixonhand


    Log results:

    Thanks so much. Here are the three logs:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7707

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/13/2011 9:29:18 PM
    mbam-log-2011-09-13 (21-29-18).txt

    Scan type: Quick scan
    Objects scanned: 192870
    Time elapsed: 11 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Value: cdoosoft -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-14 05:49:46
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDP725032GLA360 rev.GM3OA5BA
    Running: 2sw9ohch.exe; Driver: C:\DOCUME~1\KEVINM~1\LOCALS~1\Temp\fxriikob.sys


    ---- System - GMER 1.0.15 ----

    SSDT BA6FF944 ZwClose
    SSDT BA6FF8FE ZwCreateKey
    SSDT BA6FF94E ZwCreateSection
    SSDT BA6FF8F4 ZwCreateThread
    SSDT BA6FF903 ZwDeleteKey
    SSDT BA6FF90D ZwDeleteValueKey
    SSDT BA6FF93F ZwDuplicateObject
    SSDT BA6FF912 ZwLoadKey
    SSDT BA6FF8E0 ZwOpenProcess
    SSDT BA6FF8E5 ZwOpenThread
    SSDT BA6FF91C ZwReplaceKey
    SSDT BA6FF917 ZwRestoreKey
    SSDT BA6FF953 ZwSetContextThread
    SSDT BA6FF908 ZwSetValueKey
    SSDT BA6FF8EF ZwTerminateProcess

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3476] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[428] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3476] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\00000435 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89C115F0

    ---- Files - GMER 1.0.15 ----

    ADS C:\WINDOWS\1263082771:3974280884.exe 816 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\$NtUninstallKB42409$\2414888853 0 bytes
    File C:\WINDOWS\$NtUninstallKB42409$\320686411 0 bytes
    File C:\WINDOWS\$NtUninstallKB42409$\320686411\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB42409$\320686411\U 0 bytes

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\1263082771:3974280884.exe [MANUAL] 131d494b <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Run by Kevin McG at 5:56:19 on 2011-09-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1250 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://login.yahoo.com/config/mail?.intl=us
    uSearch Page = hxxp://www.live.com
    uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
    uInternet Settings,ProxyServer = cwpisav01:8080
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
    uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
    uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\kevinm~1\startm~1\programs\startup\yellow~1.lnk - c:\program files\yellowjacket software\yj energy\YJ.Energy.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: hp.com\www
    Trusted Zone: meetthematts.com
    DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{CD6F39E5-031C-4535-9F51-3471D4653453} : DhcpNameServer = 192.168.1.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 10.65.10.130 mcocap4
    Hosts: 10.65.10.132 mcocap5
    Hosts: 10.65.10.131 mcocap6
    Hosts: 10.65.10.133 mcocap7
    Hosts: 10.65.10.134 mcocap8
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\kevin mcg\application data\mozilla\firefox\profiles\jtll9b8w.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-2-17 24064]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-13 11608]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-5 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-5 29512]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-5 242896]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-13 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-13 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-13 66616]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]
    R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-9-10 285152]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-8-31 642432]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-2-17 176640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]
    R3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-8-31 50704]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe --> c:\program files\synergy\synergys.exe [?]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2009-3-21 22136]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-21 23624]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
    .
    =============== Created Last 30 ================
    .
    2011-09-14 01:08:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-14 01:05:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-14 01:05:27 -------- d-----w- c:\program files\Avira
    2011-09-14 01:05:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-09-13 02:57:39 -------- d-----w- c:\program files\Trend Micro
    2011-09-13 01:59:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-13 01:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-13 01:37:23 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-11 02:17:07 -------- d-----w- c:\program files\TiVo
    2011-09-11 02:17:07 -------- d-----w- c:\documents and settings\all users\application data\TiVo
    2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
    2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-10 05:21:33 -------- d-----w- c:\program files\NETGEAR
    2011-09-10 05:09:18 -------- d-----w- c:\program files\NETGEAR(2)
    2011-09-10 04:01:53 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-09-10 03:18:15 -------- d-----w- c:\documents and settings\kevin mcg\application data\Malwarebytes
    2011-09-10 03:18:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-04 14:14:58 -------- d-----w- c:\program files\Amazon
    2011-09-01 00:08:35 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
    2011-09-01 00:08:34 53299 ----a-w- c:\windows\system32\pthreadVC.dll
    2011-09-01 00:08:34 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2011-09-01 00:08:34 281104 ----a-w- c:\windows\system32\wpcap.dll
    2011-09-01 00:08:34 100880 ----a-w- c:\windows\system32\Packet.dll
    2011-08-30 19:02:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-30 15:59:13 -------- d-----w- c:\documents and settings\kevin mcg\local settings\application data\Thunderbird
    .
    ==================== Find3M ====================
    .
    2011-09-13 01:37:57 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-09-10 05:48:55 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    .
    ============= FINISH: 5:56:35.17 ===============
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is another log from DDS named Attach.txt that is missing. Please paste it into your next reply>> don't zip it.

    Question: Why do you have this on Startup?
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
    =====================================
    AVG is outdated> Since you put Avira on the system and since Combofix won't run with AVG, you can remove it as below:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==============================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================
    I strongly recommend that you uninstall Hitman> It is just a bundle of free programs, all available on the internet. But the scam is that Hitman will only remove bad entries for free during the trial period. After that, you have to buy the program. But if you use the same separate files in the bundle, they are fully functional- free.
    ================================
    I notice that you ran the TDSS Killer. If you still have the log, please include it in the next reply.

    Logs to be pasted into next reply:
    Attach.txt from DDS
    Combofix
    Eset online virus scan
    TDSSKiller
     
  5. dixonhand

    dixonhand TS Rookie Topic Starter

    Hi. I don't know why I have StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE at startup. Tell me how to stop it and I will delete it from startup.

    I also noticed when I held the ctrl button down when clicking on the eset link that the browser said go.eset.com, and I know the virus that I had previously would take me to go.google.com, so I'm a tad concerned about that. Also Avira keeps popping up with Malware found that I just keep Xing out of. The latest is 'TR/Crypt.ZPACK.Gen was found in file 'C:\Documents and Settings\...\inetnopro.exe'.

    I didn't have the attach.txt file on my computer so at the very end I reran it to get it for you. Hope that was ok. I also can't find the TDSSKiller file. Also at the end is the latest DDS.txt file that was generated.

    ComboFix 11-09-14.02 - Kevin McG 09/14/2011 22:09:05.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1614 [GMT -4:00]
    Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
    c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
    c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Kevin McG\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
    c:\windows\$NtUninstallKB42409$
    c:\windows\$NtUninstallKB42409$\2414888853
    c:\windows\system32\c_53095.nls
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll
    .
    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_131d494b
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
    2011-09-14 01:08 . 2011-09-14 01:08 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
    2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-13 01:37 . 2011-09-13 01:37 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
    2011-09-10 05:48 . 2011-09-13 02:47 50112 --sha-w- c:\windows\system32\c_53095.nl_
    2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\program files\NETGEAR
    2011-09-10 04:01 . 2011-09-10 05:28 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
    2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
    2011-09-01 00:08 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
    2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-30 15:59 . 2011-09-06 00:26 -------- d-----w- c:\documents and settings\Kevin McG\Local Settings\Application Data\Thunderbird
    2011-08-30 15:59 . 2011-08-30 15:59 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Thunderbird
    2011-08-30 15:58 . 2011-09-06 00:26 -------- d-----w- c:\program files\Mozilla Thunderbird
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-09-10 05:48 . 2011-02-21 17:04 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-09-08 11:06 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
    "TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
    "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
    "TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
    YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
    WinZip Quick Pick.lnk - c:\documents and settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE [2009-4-6 106560]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [8/31/2011 8:08 PM 642432]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/10/2011 12:17 AM 285152]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2/21/2011 1:04 PM 23624]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://login.yahoo.com/config/mail?.intl=us
    uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
    uInternet Settings,ProxyServer = cwpisav01:8080
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: hp.com\www
    Trusted Zone: meetthematts.com
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    Notify-avgrsstarter - (no file)
    SafeBoot-60779943.sys
    AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
    AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-14 22:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\1263082771:3974280884.exe 816 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\08\06\08\14\1b\13?"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(804)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-14 22:20:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-15 02:20
    .
    Pre-Run: 245,049,856,000 bytes free
    Post-Run: 248,269,004,800 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8EAFB15FFD81A60E000C343A53D1F40C

    C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
    C:\WINDOWS\system32\c_53095.nl_ a variant of Win32/Sirefef.CR trojan


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/23/2009 8:41:30 PM
    System Uptime: 9/14/2011 10:30:24 PM (8 hours ago)
    .
    Motherboard: Dell Inc. | | 0T656F
    Processor: Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz | CPU | 2526/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 231.163 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems SSL VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems SSL VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CSVirtA
    .
    ==== System Restore Points ===================
    .
    RP438: 6/17/2011 6:25:34 PM - System Checkpoint
    RP439: 6/18/2011 9:33:43 PM - System Checkpoint
    RP440: 6/20/2011 4:32:09 PM - System Checkpoint
    RP441: 6/22/2011 8:04:41 PM - System Checkpoint
    RP442: 6/30/2011 8:54:27 PM - System Checkpoint
    RP443: 7/6/2011 3:55:34 PM - System Checkpoint
    RP444: 7/7/2011 6:47:59 PM - System Checkpoint
    RP445: 7/8/2011 6:50:47 PM - System Checkpoint
    RP446: 7/9/2011 7:43:15 PM - System Checkpoint
    RP447: 7/15/2011 7:34:02 PM - System Checkpoint
    RP448: 7/16/2011 8:17:52 PM - System Checkpoint
    RP449: 7/18/2011 12:33:27 PM - System Checkpoint
    RP450: 7/19/2011 1:04:00 PM - System Checkpoint
    RP451: 7/20/2011 1:09:51 PM - System Checkpoint
    RP452: 7/21/2011 6:49:31 PM - System Checkpoint
    RP453: 7/23/2011 11:52:11 AM - System Checkpoint
    RP454: 7/24/2011 12:10:36 PM - System Checkpoint
    RP455: 7/25/2011 9:19:10 PM - System Checkpoint
    RP456: 7/27/2011 10:19:02 AM - System Checkpoint
    RP457: 7/28/2011 5:59:04 PM - System Checkpoint
    RP458: 7/30/2011 9:17:33 AM - System Checkpoint
    RP459: 7/31/2011 12:15:38 PM - System Checkpoint
    RP460: 8/1/2011 1:03:01 PM - System Checkpoint
    RP461: 8/2/2011 2:33:39 PM - System Checkpoint
    RP462: 8/3/2011 2:38:18 PM - System Checkpoint
    RP463: 8/4/2011 3:39:25 PM - System Checkpoint
    RP464: 8/5/2011 4:17:56 PM - System Checkpoint
    RP465: 8/6/2011 4:26:58 PM - System Checkpoint
    RP466: 8/7/2011 4:58:18 PM - System Checkpoint
    RP467: 8/8/2011 5:03:16 PM - System Checkpoint
    RP468: 8/9/2011 5:35:02 PM - System Checkpoint
    RP469: 8/10/2011 6:30:54 PM - System Checkpoint
    RP470: 8/11/2011 6:35:17 PM - System Checkpoint
    RP471: 8/12/2011 6:36:30 PM - System Checkpoint
    RP472: 8/13/2011 6:45:22 PM - System Checkpoint
    RP473: 8/14/2011 6:53:55 PM - System Checkpoint
    RP474: 8/15/2011 6:58:42 PM - System Checkpoint
    RP475: 8/16/2011 7:34:58 PM - System Checkpoint
    RP476: 8/17/2011 8:59:27 PM - System Checkpoint
    RP477: 8/22/2011 1:14:12 PM - System Checkpoint
    RP478: 8/23/2011 2:13:39 PM - System Checkpoint
    RP479: 8/24/2011 2:29:50 PM - System Checkpoint
    RP480: 8/27/2011 5:43:11 PM - System Checkpoint
    RP481: 8/28/2011 8:40:26 PM - System Checkpoint
    RP482: 8/30/2011 8:05:22 AM - System Checkpoint
    RP483: 8/31/2011 8:06:27 AM - System Checkpoint
    RP484: 8/31/2011 8:08:30 PM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP485: 9/1/2011 8:24:19 PM - System Checkpoint
    RP486: 9/2/2011 8:29:26 PM - System Checkpoint
    RP487: 9/3/2011 8:33:47 PM - System Checkpoint
    RP488: 9/5/2011 9:49:30 AM - System Checkpoint
    RP489: 9/6/2011 9:52:02 AM - System Checkpoint
    RP490: 9/7/2011 10:17:46 AM - System Checkpoint
    RP491: 9/8/2011 11:09:39 AM - System Checkpoint
    RP492: 9/9/2011 12:02:20 PM - System Checkpoint
    RP493: 9/9/2011 11:26:48 PM - Restore Operation
    RP494: 9/10/2011 12:17:02 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP495: 9/10/2011 12:18:38 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
    RP496: 9/10/2011 12:36:34 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP497: 9/10/2011 12:38:05 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
    RP498: 9/10/2011 12:47:48 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP499: 9/10/2011 1:05:05 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
    RP500: 9/10/2011 1:09:17 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP501: 9/10/2011 1:14:25 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP502: 9/10/2011 1:19:15 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP503: 9/10/2011 1:21:13 AM - Restore Operation
    RP504: 9/10/2011 1:26:59 AM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    RP505: 9/10/2011 1:29:06 AM - Installed NETGEAR WNA3100 wireless USB 2.0 driver
    RP506: 9/10/2011 10:15:53 PM - Removed TiVo Desktop 2.8
    RP507: 9/10/2011 10:17:06 PM - Installed TiVo Desktop 2.8.2
    RP508: 9/12/2011 9:52:28 AM - System Checkpoint
    RP509: 9/13/2011 6:40:22 PM - System Checkpoint
    RP510: 9/14/2011 10:35:44 PM - Installed NETGEAR WNA3100 wireless USB 2.0 adapter
    .
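As an added example (it is not part of this thread and not code from the DDS, ComboFix or catchme tools), here is a small Python triage script that parses the three line shapes seen in the logs above and flags the entries a helper reads first: a file under \windows carrying system+hidden attributes (the --sha-w- line for c_53095.nl_), a service whose binary the scanner could not verify (the [?] suffix on the leftover AVG entry), and a catchme hidden file whose name carries a second colon, the alternate-data-stream style name that ordinary installers do not produce. The sample lines are copied from the logs in this thread; the flagging rules are this example's own heuristics, not anything the tools themselves report.

```python
"""Triage helpers for DDS / ComboFix / catchme style log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# DDS "Created Last 30" and ComboFix "Files Created" lines, e.g.
#   2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
#   2011-09-10 05:48 . 2011-09-13 02:47 50112 --sha-w- c:\windows\system32\c_53095.nl_
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"      # ComboFix adds a second timestamp
    r"\s+(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>\S.*)$"
)
# DDS / ComboFix service lines, e.g.
#   S2 avg9wd;AVG Free WatchDog;"c:\...\avgwdsvc.exe" --> c:\...\avgwdsvc.exe [?]
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# catchme "scanning hidden files" result lines, e.g.
#   c:\windows\1263082771:3974280884.exe 816 bytes executable
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\\S+)\s+(?P<size>\d+) bytes", re.I)

# Constructed sample: lines copied from the DDS, ComboFix and catchme output in this thread.
SAMPLE_LOG = r"""
2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
2011-09-13 01:59:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 05:48 . 2011-09-13 02:47 50112 --sha-w- c:\windows\system32\c_53095.nl_
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-5 216200]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
c:\windows\1263082771:3974280884.exe 816 bytes executable
"""


@dataclass
class Finding:
    kind: str    # "file", "service" or "hidden"
    path: str
    reason: str


def looks_like_ads(path: str) -> bool:
    """True when the path has a second colon after the drive letter
    (a name like 1263082771:3974280884.exe inside a directory)."""
    body = path.lower().lstrip("\\?")   # drop an NT-style \??\ prefix first
    return body.count(":") > 1


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        attr, path = m.group("attr"), m.group("path")
        if "s" in attr and "h" in attr and "\\windows\\" in path.lower():
            return Finding("file", path, "system+hidden attributes on a file under \\windows")
        if looks_like_ads(path):
            return Finding("file", path, "alternate-data-stream style name")
        return None
    m = SVC_RE.match(line)
    if m:
        if m.group("meta").strip() == "?":
            return Finding("service", m.group("path"),
                           f"service {m.group('name')} is registered but its binary was not verified")
        return None
    m = HIDDEN_RE.match(line)
    if m:
        return Finding("hidden", m.group("path"), "file hidden from the Windows API (catchme)")
    return None


def triage(text: str) -> list:
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'file': 2, 'service': 1, 'hidden': 1}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}: {f.reason}")
```

The script only narrows a long log to the lines worth a second look; each flagged line still needs a human decision, as the thread shows with the legitimate `\??\` path of MBAMSwissArmy, which the ADS check deliberately leaves alone.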
     
  6. dixonhand

    dixonhand TS Rookie Topic Starter

    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    AIM 7
    Amazon MP3 Downloader 1.0.12
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Broadcom Management Programs
    BufferChm
    Choice Guard
    Cisco SSL VPN Client
    DJ_AIO_03_F4200_Software
    DJ_AIO_03_F4200_Software_Min
    DJ_AIO_03_F4220_ProductContext
    ESET Online Scanner v3
    F4200
    F4210_Help
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954434)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB958347)
    Hotfix for Windows XP (KB959252)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    iPhone Configuration Utility
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 16
    Java(TM) 6 Update 20
    Java(TM) 6 Update 7
    Junk Mail filter update
    Lager
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla (1.7.13)
    Mozilla Firefox 6.0.2 (x86 en-US)
    Mozilla Thunderbird (6.0)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB927977)
    NETGEAR WNA3100 wireless USB 2.0 adapter
    PowerDVD
    QuickTime
    RiskManager
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio Update Manager
    Safari
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Shop for HP Supplies
    Skype web features
    Skype™ 4.1
    Sonic CinePlayer Decoder Pack
    Spelling Dictionaries Support For Adobe Reader 9
    Synergy
    Tax Forms Helper 2009 9.0
    TiVo Desktop 2.8.2
    Toolbox
    Trader Studio
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebICE
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    YellowJacket
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/9/2011 11:59:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    9/9/2011 11:50:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/9/2011 11:39:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    9/9/2011 11:21:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    9/9/2011 11:12:23 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'cdrom.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    9/13/2011 9:12:52 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: Access is denied.
    9/13/2011 9:12:52 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    9/12/2011 9:38:27 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    9/12/2011 7:49:29 PM, error: DCOM [10005] - DCOM got error "%3" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    9/12/2011 11:00:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. STC Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/12/2011 11:00:48 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/10/2011 5:15:34 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    9/10/2011 12:57:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    9/10/2011 12:56:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm Tcpip
    9/10/2011 12:46:31 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
    9/10/2011 12:46:31 AM, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 12:46:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgTdiX Tcpip
    9/10/2011 12:46:30 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
    9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/10/2011 12:46:30 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/10/2011 12:44:26 AM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    9/10/2011 12:32:48 AM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
    9/10/2011 12:29:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/10/2011 12:10:02 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the WSWNA3100 service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    9/10/2011 12:09:57 AM, error: Service Control Manager [7034] - The Synergy Server service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:57 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:57 AM, error: Service Control Manager [7031] - The WSWNA3100 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:56 AM, error: Service Control Manager [7034] - The Cisco Systems, Inc. STC Agent service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:56 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/10/2011 12:09:55 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    9/10/2011 12:09:54 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/10/2011 12:04:07 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    9/10/2011 1:23:21 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:23:21 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Synergy Server service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Cisco Systems, Inc. STC Agent service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:22:43 AM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
    9/10/2011 1:08:26 AM, error: Service Control Manager [7000] - The WSWNA3100 service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Run by Kevin McG at 6:09:28 on 2011-09-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1149 [GMT -4:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
    C:\Documents and Settings\Kevin McG\Desktop\OldCompFiles\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://login.yahoo.com/config/mail?.intl=us
    uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
    uInternet Settings,ProxyServer = cwpisav01:8080
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
    uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
    uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\kevinm~1\startm~1\programs\startup\yellow~1.lnk - c:\program files\yellowjacket software\yj energy\YJ.Energy.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    Trusted Zone: hp.com\www
    Trusted Zone: meetthematts.com
    DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{CD6F39E5-031C-4535-9F51-3471D4653453} : DhcpNameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\kevin mcg\application data\mozilla\firefox\profiles\jtll9b8w.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-2-17 24064]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-13 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-13 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-13 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-13 66616]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]
    R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-9-10 285152]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-8-31 642432]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-2-17 176640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]
    R3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2011-9-14 50704]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe --> c:\program files\synergy\synergys.exe [?]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2009-3-21 22136]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-2-21 23624]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
    .
    =============== Created Last 30 ================
    .
    2011-09-15 02:46:55 -------- d-----w- c:\program files\ESET
    2011-09-15 02:35:50 53299 ----a-w- c:\windows\system32\pthreadVC.dll
    2011-09-15 02:35:50 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2011-09-15 02:35:50 281104 ----a-w- c:\windows\system32\wpcap.dll
    2011-09-15 02:35:50 100880 ----a-w- c:\windows\system32\Packet.dll
    2011-09-15 02:06:51 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-09-15 02:03:57 -------- d-sha-r- C:\cmdcons
    2011-09-15 02:02:34 98816 ----a-w- c:\windows\sed.exe
    2011-09-15 02:02:34 518144 ----a-w- c:\windows\SWREG.exe
    2011-09-15 02:02:34 256000 ----a-w- c:\windows\PEV.exe
    2011-09-15 02:02:34 208896 ----a-w- c:\windows\MBR.exe
    2011-09-15 01:50:54 -------- d-----w- c:\documents and settings\kevin mcg\application data\Avira
    2011-09-14 01:08:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-14 01:05:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-14 01:05:27 -------- d-----w- c:\program files\Avira
    2011-09-14 01:05:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-09-13 02:57:39 -------- d-----w- c:\program files\Trend Micro
    2011-09-13 01:59:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-13 01:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-13 01:37:23 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-09-11 02:17:07 -------- d-----w- c:\program files\TiVo
    2011-09-11 02:17:07 -------- d-----w- c:\documents and settings\all users\application data\TiVo
    2011-09-10 05:48:55 50112 --sha-w- c:\windows\system32\c_53095.nl_
    2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-09-10 05:21:48 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-10 05:21:33 -------- d-----w- c:\program files\NETGEAR
    2011-09-10 05:09:18 -------- d-----w- c:\program files\NETGEAR(2)
    2011-09-10 04:01:53 6672 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-09-10 03:18:15 -------- d-----w- c:\documents and settings\kevin mcg\application data\Malwarebytes
    2011-09-10 03:18:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-04 14:14:58 -------- d-----w- c:\program files\Amazon
    2011-09-01 00:08:35 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
    2011-08-30 19:02:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-30 15:59:13 -------- d-----w- c:\documents and settings\kevin mcg\local settings\application data\Thunderbird
    .
    ==================== Find3M ====================
    .
    2011-09-13 01:37:57 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-09-10 05:48:55 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    .
    ============= FINISH: 6:09:49.68 ===============
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\c_53095.nl_
    c:\windows\system32\PerfStringBackup.TMP
    c:\windows\system32\drivers\hitmanpro35.sys
    Folder::
    C:\TDSSKiller_Quarantine
    FileLook::
    c:\windows\1263082771:3974280884.exe
    DDS::
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta 
      C:\WINDOWS\system32\c_53095.nl_ 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===============================================
    You have multiple outdated versions of Java> These are vulnerabilities. Please run the following to remove all:
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    To remove malware in the Java cache:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
     
  8. dixonhand

    dixonhand TS Rookie Topic Starter

    Thanks again for all the help. Below are the logs you requested but I have a few questions too. I am running a wireless connection using Netgear wna3100 and sometimes when I do these scans I come back with no internet connection and I have to reinstall using the netgear CD to get back on the internet. Wanted to make sure this was ok. Also you say in your java instructions to "Please save it to a convenient location. Note: Do not leave this log" I don't know what you mean by this. I saved it on the desktop but what does "do not leave this log" mean? Do you now want me to delete it? Please let me know. Also still not sure what you want me to do about the:
    Question Why do you have this on Startup?
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE

    Not sure if it is still there but I haven't done anything about this yet unless you have.

    All processes killed
    ========== FILES ==========
    File/Folder C:\TDSSKiller_Quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta not found.
    File/Folder C:\WINDOWS\system32\c_53095.nl_ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 3964868 bytes
    ->Flash cache emptied: 405 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Kevin McG
    ->Temp folder emptied: 44829 bytes
    ->Temporary Internet Files folder emptied: 1490356 bytes
    ->Java cache emptied: 117880732 bytes
    ->FireFox cache emptied: 556216878 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 336734 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 649.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09152011_210437

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    ComboFix 11-09-14.02 - Kevin McG 09/15/2011 19:49:25.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1448 [GMT -4:00]
    Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kevin McG\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    FILE ::
    "c:\windows\system32\c_53095.nl_"
    "c:\windows\system32\drivers\hitmanpro35.sys"
    "c:\windows\system32\PerfStringBackup.TMP"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk
    c:\documents and settings\kevin mcg\desktop\oldcompfiles\winzip\WZQKPICK.EXE
    c:\program files\common files\installshield\updateservice\ISUSPM.exe
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\object.ini
    c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\12.09.2011_21.36.36\susp0000\svc0000\tsk0000.ini
    c:\windows\system32\c_53095.nl_
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\PerfStringBackup.TMP
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll
    .
    Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034201.exe
    .
    Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034176.exe
    .
    Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP507\A0034177.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    -------\Legacy_hitmanpro35
    -------\Service_hitmanpro35
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-15 02:46 . 2011-09-15 02:46 -------- d-----w- c:\program files\ESET
    2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
    2011-09-14 01:08 . 2011-09-15 02:37 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
    2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
    2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\program files\NETGEAR
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
    2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
    2011-09-01 00:08 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
    2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-30 15:59 . 2011-09-06 00:26 -------- d-----w- c:\documents and settings\Kevin McG\Local Settings\Application Data\Thunderbird
    2011-08-30 15:59 . 2011-08-30 15:59 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Thunderbird
    2011-08-30 15:58 . 2011-09-06 00:26 -------- d-----w- c:\program files\Mozilla Thunderbird
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-09-08 11:06 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\1263082771:3974280884.exe ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 816
    Created time: 2011-09-10 03:01
    Modified time: 2011-09-13 01:38
    MD5: !HASH: COULD NOT OPEN FILE !!!!!
    SHA1: !HASH: COULD NOT OPEN FILE !!!!!
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-15_02.17.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-15 02:36 . 2009-11-06 12:26 642432 c:\windows\system32\ReinstallBackups\0014\DriverFiles\bcmwlhigh5.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
    "TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
    "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
    "TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
    YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [8/31/2011 8:08 PM 642432]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/10/2011 12:17 AM 285152]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://login.yahoo.com/config/mail?.intl=us
    uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;;;<local>;*.local
    uInternet Settings,ProxyServer = cwpisav01:8080
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: hp.com\www
    Trusted Zone: meetthematts.com
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-15 19:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\1263082771:3974280884.exe 816 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
    "ImagePath"="\*"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1728)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-15 19:58:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-15 23:58
    ComboFix2.txt 2011-09-15 02:20
    .
    Pre-Run: 248,188,960,768 bytes free
    Post-Run: 248,184,061,952 bytes free
    .
    - - End Of File - - 384892B2A9CD62DF4062443EFAF04700
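The catchme section of the ComboFix log above reports one hidden file whose name contains a colon after the drive letter; on NTFS that is how catchme prints a named alternate data stream attached to a host file, which also explains why the FileLook:: entry could not open it for hashing. Below is an added Python example (not ComboFix or catchme code) that pulls the hidden-file entries out of such a log section and flags that pattern; the sample log text is constructed, reusing the path from the log above plus one made-up non-ADS entry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the catchme section of a ComboFix log, shaped like the one
# in this thread. The first hidden-file entry reuses the path catchme reported
# above; the second entry is made up to show a hidden file that is not an ADS.
SAMPLE_CATCHME_SECTION = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-15 19:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\1263082771:3974280884.exe 816 bytes executable
c:\windows\temp\sample_hidden.dat 4096 bytes
.
scan completed successfully
hidden files: 2
"""

# One catchme hidden-file line: "<path> <size> bytes [executable]"
HIDDEN_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?: (?P<kind>\w+))?$")


@dataclass
class HiddenFile:
    path: str
    size: int
    kind: Optional[str]  # "executable" when catchme says so, else None

    def _last_component(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ads_host(self) -> Optional[str]:
        # On NTFS a colon inside the file name (after the drive colon) separates a
        # host file from a named stream, so c:\windows\1263082771:3974280884.exe is
        # the stream 3974280884.exe attached to the host c:\windows\1263082771.
        name = self._last_component()
        if ":" not in name:
            return None
        host_name = name.split(":", 1)[0]
        return self.path[: len(self.path) - len(name)] + host_name

    @property
    def ads_stream(self) -> Optional[str]:
        name = self._last_component()
        return name.split(":", 1)[1] if ":" in name else None


def parse_hidden_files(log_text: str) -> List[HiddenFile]:
    """Return the entries listed after 'scanning hidden files ...'."""
    found: List[HiddenFile] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("scan completed") or line.startswith("hidden files:"):
            break
        match = HIDDEN_LINE.match(line)
        if match:
            found.append(HiddenFile(match["path"], int(match["size"]), match["kind"]))
    return found


def reported_hidden_count(log_text: str) -> Optional[int]:
    """The count catchme prints itself ('hidden files: N'), used as a cross-check."""
    match = re.search(r"^hidden files:\s*(\d+)\s*$", log_text, re.MULTILINE)
    return int(match.group(1)) if match else None


def triage(files: List[HiddenFile]) -> Dict[str, str]:
    """Map each hidden path to a short verdict a responder can act on."""
    verdicts: Dict[str, str] = {}
    for entry in files:
        notes = []
        if entry.ads_host is not None:
            notes.append(f"alternate data stream '{entry.ads_stream}' on {entry.ads_host}")
        if entry.kind == "executable":
            notes.append("hidden executable")
        verdicts[entry.path] = "; ".join(notes) or "hidden file, not an ADS"
    return verdicts


if __name__ == "__main__":
    hidden = parse_hidden_files(SAMPLE_CATCHME_SECTION)
    assert len(hidden) == reported_hidden_count(SAMPLE_CATCHME_SECTION)
    for path, verdict in triage(hidden).items():
        print(f"{path}: {verdict}")
```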
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What source are you using for these downloads?
    Infected copy of c:\program files\Bonjour\mDNSResponder.exe
    .
    Infected copy of c:\program files\iPod\bin\iPodService.exe
    .
    Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe
    ==============================
    Are you using a flash drive?
    Infected copy of c:\windows\system32\drivers\cdrom.sys
    ==============================
    About the Java Ra log: It is a very lengthy log- the more versions, the longer the log. I don't need to see the contents. I'm not sure why the directions even tell you to save it. Delete it if you want.
    ===============================
    The only scan that "might" affect the connection is Combofix
    It's important that you follow the order I give you for the scans. However, what you describe with the adapter sounds very much like it either isn't configured correctly or may be going bad.
    =================================
    Download CKScanner and save to the desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify the file saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  10. dixonhand

    dixonhand TS Rookie Topic Starter

    Q: What source are you using for these downloads?
    Infected copy of c:\program files\Bonjour\mDNSResponder.exe
    Infected copy of c:\program files\iPod\bin\iPodService.exe
    Infected copy of c:\program files\TiVo\Desktop\TiVoBeacon.exe

    A: I don't know of the source other than they were downloaded when I installed iTunes and Tivo desktop. Actually the Tivo desktop was from the Tivo site but they might have been corrupted recently. This 'Bonjour' service I don't even know what program downloaded it but it seems that Tivo and iTunes both need it to function.
    ==============================
    Q: Are you using a flash drive?
    Infected copy of c:\windows\system32\drivers\cdrom.sys

    A: I haven't had a flash drive in the computer since before the beginning of this thread (probably a few weeks ago). But I realized the wireless netgear CD was in the drive when I was doing these tasks (since I had to reinstall for wireless to work) and the attachment that allows the Netgear to work is plugged into a USB port.

    I have followed the order - the only time I did extra scans was to find that one log you requested that I hadn't originally pasted and had to rerun it. In fact that might have been Combofix and that was when I lost the wireless again so that makes sense. All other times wireless has stayed up - only lost twice probably due to the Combofix runs. Here are the results of the CKScanner.

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\crackbackmomar.txt
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l324.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l325.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l418.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l422.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l424.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l425.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l501.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l502.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l512.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l520.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l521.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l528.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l606.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l610.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l618.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l619.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l620.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l625.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l707.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l715.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegp&l821.xls
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegsheet318.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\crackbackmomar.txt
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l324.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l325.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l418.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l422.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l424.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l425.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l501.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l502.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l512.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l520.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l521.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l528.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l606.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l610.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l618.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l619.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l620.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l625.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l707.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l715.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegp&l821.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\cracklegsheet318.xls
    scanner sequence 3.ZZ.11.TTAPMS
    ----- EOF -----
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I asked about those programs because Combofix found them all infected. Combofix fixed the files. Sometimes it's not the program you download, but where it's downloaded from. It can be a bad site. In the case of file sharing, you also 'share' malware the other person has.

    About Netgear
    1. When you lost the connection, did you try just rebooting to restore the connection first? Or did you go right into a reinstall?
    2. It is possible that the CD you use for Netgear is not corrupt since the Cdrom drive was infected.
    3. Check the Device Manager (Control Panel> System. Hardware tab)> expand the Network Adapters> Look for Error icon
    If any are present> double click to open and look for description.

    I also noticed that you have the following on the Startup menu:
    Per Netgear Support:
    Please check the usage of the Netgear Smart Wizard on Netgear Support.

    It seems to me that you are forcing the adapter to re-configure every time you boot and that it is not configured correctly.
    =====================================
    You're going to have to help me with these:
    I restrained myself from making a silly comment that I was glad you got the cracked legs on the ladder fixed!
    About travel drive 1.0: This is a USB device> If you used it during this problem, you will need to disinfect it:
    Can you help me out with this?
     
  12. dixonhand

    dixonhand TS Rookie Topic Starter

    Hi Bobbye thanks for the followup. Here are some answers to your questions but the netgear thing has me a bit confused as you can see below. Before I answer your questions I would like to know at what point should I run the Avira Antivir because it keeps popping up with some infected files but I haven't had any instructions to run it yet to clean them up from my computer.

    Quote:
    c:\documents and settings\kevin mcg\desktop\ladderdatainfo\cracklegsheet318.xls
    c:\documents and settings\kevin mcg\desktop\traveldrive 1.0\ladderdatainfo\crackbackmomar.txt

    These were files on my desktop that I just now deleted and emptied from recycle bin.

    Quote:
    I haven't had a flash drive in the computer since before the beginning of this thread (probably a few weeks ago).

    About travel drive 1.0: This is a USB device> If you used it during this problem, you will need to disinfect it:

    The traveldrive 1.0 that you ask about is a folder on my computer that contains the data I have on my travel usb drive. The usb drive may be infected for sure. I can have someone at work clean it for me unless you want to give me instructions.


    Netgear has been coming up without a problem but I haven't run any more. Don't know if this interests you, but here is what I get from my Netgear system status:

    Edit: Personal router information deleted by Bobbye.

    ---System Information---
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't leave log information unless I ask for it. There was nothing I needed in the Netgear log, and posting it was a vulnerability to the system.

    Yes, you should disinfect the flash drive: these worms travel through your portable drives. If they have been connected to other machines, those may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please repeat the Eset Scan: update before running and make sure Avira is disabled.
    ==========================================
    I need an update on the system- the Netgear problem has been resolved, hasn't it? But the AV is notifying you of malware. Are you still being redirected?

    Please understand that an AV program will list malware no matter what its location is, including Qoobox, which is where ComboFix sends the quarantined files, and System Volume, which holds the restore points. If entries are only listed in those 2 locations, they are no longer active and will be removed at the end of cleaning.

    The resident AV program doesn't "read" those locations.
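    As an added illustration of what the Flash_Disinfector step above is doing (this is example code written for this page, not code from the thread or from sUBs' tool): the script reads the autorun.inf a worm drops in a removable drive's root, lists every command Explorer would hand control to (the "open", "shellexecute" and "shell\<verb>\command" keys), and then installs the protective decoy. The decoy is assumed to work simply because a directory named autorun.inf prevents a worm from writing a file of the same name; the sample autorun.inf, the temporary "drive root" and the "autorun.inf.quarantined" name are all constructed for the example.

```python
"""Added example: inspect a removable drive's autorun.inf and install the
decoy folder.  Not code from the thread or from Flash_Disinfector.
Assumption: a *directory* named autorun.inf is enough to stop a worm from
dropping a *file* of that name.  Sample data below is constructed."""
import re
import tempfile
from pathlib import Path

# Constructed sample, in the shape of the classic USB-worm autorun.inf:
# every launch key points at a binary hidden under RECYCLER.
SAMPLE_AUTORUN = """\
[autorun]
;constructed for this example
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
"""

# Keys that make Explorer run a program (as opposed to label/icon keys).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> dict:
    """Key/value pairs from the [autorun] section; keys are lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launched_programs(entries: dict) -> list:
    """Commands that AutoRun, or a hijacked Open/Explore verb, would execute."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or VERB_COMMAND.match(k)]


def assess(root) -> dict:
    """State of <root>/autorun.inf: absent | decoy | file (benign) | suspicious."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return {"state": "absent", "commands": []}
    if target.is_dir():
        return {"state": "decoy", "commands": []}
    cmds = launched_programs(parse_autorun(target.read_text(errors="replace")))
    return {"state": "suspicious" if cmds else "file", "commands": cmds}


def install_decoy(root) -> Path:
    """Move any autorun.inf *file* aside, then occupy the name with a directory."""
    target = Path(root) / "autorun.inf"
    if target.is_file():
        target.rename(target.with_name("autorun.inf.quarantined"))
    target.mkdir(exist_ok=True)
    return target


def demo() -> dict:
    """Run the whole flow against a temporary 'drive root' holding the sample."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        before = assess(root)
        install_decoy(root)
        return {"before": before,
                "after": assess(root),
                "quarantined": (Path(root) / "autorun.inf.quarantined").is_file()}


if __name__ == "__main__":
    print(demo())
```

    Point it at a real drive letter (assess("E:\\") and then install_decoy("E:\\")) to do the same check by hand; a drive that already shows "decoy" has been handled, and one that shows "file" with no commands is just a labelled drive. The quarantine rename keeps the worm's file for later inspection instead of destroying it.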
     
  14. dixonhand

    dixonhand TS Rookie Topic Starter

    I cleaned up the flash drives with the application you suggested and all seemed to work well. In addition I am no longer being redirected on google so that is great. I ran the ESET and I saved the log. If you need to see it let me know. All seems to be running well now. Let me know if there is anything else you need me to do. Thank you very much for your help.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for your patience. I'm glad to hear that the initial problems have been resolved. If anything was found in the Eset log, I need to see it.

    Since these programs were infected with malware, I encourage you to uninstall the present one, then download and install clean copies. Remember to use a good site:
    The first 2 are installed by Apple when you get iTunes. After uninstalling the above in Add/Remove Programs, delete the program folders using Windows Explorer:
    Right click on Start> Explore> My Computer> double click on Local Drive (C)> Programs> find folder for each of the above and do a right click> Delete.
    Exit Explorer.
    ========================================
    We need to remove just a couple of entries. I'll take a quick look at the log the script generates and if there's nothing new, I'll have you remove the cleaning tools:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    ADS::
    C:\WINDOWS\1263082771:3974280884.exe
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
     
  16. dixonhand

    dixonhand TS Rookie Topic Starter

    Thanks again. Sorry about the delay but here are the details of the file:

    ComboFix 11-10-01.03 - Kevin McG 10/01/2011 22:35:04.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1475 [GMT -4:00]
    Running from: c:\documents and settings\Kevin McG\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kevin McG\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-25 17:26 . 2011-09-25 17:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-09-25 17:23 . 2011-09-25 17:23 -------- d-----w- c:\program files\iPod
    2011-09-25 17:23 . 2011-09-25 17:23 -------- d-----w- c:\program files\iTunes
    2011-09-25 17:21 . 2011-09-25 17:23 -------- d-----w- c:\program files\Common Files\Apple
    2011-09-25 01:28 . 2011-09-25 01:28 -------- d-sh--w- c:\documents and settings\Kevin McG\UserData
    2011-09-18 22:35 . 2011-09-18 22:35 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\BACS.exe
    2011-09-16 01:04 . 2011-09-16 01:04 -------- d-----w- C:\_OTM
    2011-09-16 00:57 . 2009-11-06 12:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
    2011-09-16 00:57 . 2011-09-16 00:57 -------- d-----w- c:\program files\NETGEAR
    2011-09-15 02:46 . 2011-09-15 02:46 -------- d-----w- c:\program files\ESET
    2011-09-15 02:06 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-09-15 01:50 . 2011-09-15 01:50 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Avira
    2011-09-14 01:08 . 2011-09-24 19:07 -------- d-----w- c:\windows\system32\NtmsData
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\program files\Avira
    2011-09-14 01:05 . 2011-09-14 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-09-14 01:05 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-09-14 01:05 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-14 01:05 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-09-14 01:05 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-09-13 02:57 . 2011-09-13 02:57 -------- d-----w- c:\program files\Trend Micro
    2011-09-13 01:59 . 2011-09-13 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-13 01:59 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\program files\TiVo
    2011-09-11 02:17 . 2011-09-11 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
    2011-09-10 05:21 . 2011-09-10 05:21 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Malwarebytes
    2011-09-10 03:18 . 2011-09-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-04 14:15 . 2011-09-04 14:15 -------- d-----w- c:\documents and settings\Kevin McG\Application Data\Amazon
    2011-09-04 14:14 . 2011-09-04 14:14 -------- d-----w- c:\program files\Amazon
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-13 01:37 . 2008-04-14 00:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-08-30 19:02 . 2011-08-30 19:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-19 09:05 . 2010-08-16 13:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-19 06:40 . 2009-02-17 16:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-09-28 11:49 . 2011-05-16 01:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-15_02.17.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-25 17:22 . 2011-05-10 12:06 42496 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
    + 2011-09-25 17:22 . 2011-05-10 12:06 18432 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
    + 2011-09-25 17:22 . 2011-05-10 12:06 42496 c:\windows\system32\drivers\usbaapl.sys
    + 2011-09-25 17:00 . 2011-09-25 17:00 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe
    + 2011-09-15 02:36 . 2009-11-06 12:26 642432 c:\windows\system32\ReinstallBackups\0014\DriverFiles\bcmwlhigh5.sys
    + 2011-09-16 01:21 . 2011-07-19 09:05 157472 c:\windows\system32\javaws.exe
    - 2010-12-28 12:26 . 2010-08-16 13:23 145184 c:\windows\system32\javaw.exe
    + 2011-09-16 01:21 . 2011-07-19 09:05 145184 c:\windows\system32\javaw.exe
    + 2011-09-16 01:21 . 2011-07-19 09:05 145184 c:\windows\system32\java.exe
    - 2010-12-28 12:26 . 2010-08-16 13:23 145184 c:\windows\system32\java.exe
    + 2009-02-24 01:41 . 2011-09-16 01:21 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    - 2009-02-24 01:41 . 2009-02-17 17:08 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    + 2011-09-16 01:21 . 2011-09-16 01:21 203776 c:\windows\Installer\ba559.msi
    + 2011-09-25 17:21 . 2011-09-25 17:21 811520 c:\windows\Installer\562dc.msi
    + 2011-09-25 17:24 . 2011-09-25 17:24 380928 c:\windows\Installer\{69995C7A-062A-4A90-A4DF-8C22895DF522}\iTunesIco.exe
    + 2011-09-25 17:22 . 2011-05-10 12:06 4517664 c:\windows\system32\usbaaplrc.dll
    + 2011-09-25 17:22 . 2011-05-10 12:06 4517664 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
    + 2011-09-25 17:22 . 2011-04-08 18:59 1461992 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
    + 2011-09-25 17:00 . 2011-09-25 17:00 1769984 c:\windows\Installer\7d6bfa.msi
    + 2011-09-25 16:59 . 2011-09-25 16:59 1710592 c:\windows\Installer\7d6b9e.msi
    + 2011-09-25 17:24 . 2011-09-25 17:24 5467136 c:\windows\Installer\562f0.msi
    + 2011-09-25 17:22 . 2011-09-25 17:22 9474048 c:\windows\Installer\562ec.msi
    + 2011-09-25 17:22 . 2011-09-25 17:22 3085312 c:\windows\Installer\562e7.msi
    + 2011-09-25 17:22 . 2011-09-25 17:22 1984512 c:\windows\Installer\562e2.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
    "TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
    "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
    "TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 141848]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Kevin McG\Start Menu\Programs\Startup\
    YellowJacket.lnk - c:\program files\YellowJacket Software\YJ Energy\YJ.Energy.exe [2010-4-22 36864]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-9-15 4577760]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Hitman Pro 3.5\\HitmanPro35(1).exe"=
    "c:\\WINDOWS\\system32\\msiexec.exe"=
    "c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
    "c:\\Program Files\\TiVo\\Desktop\\TiVoAutoUpdate.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2/17/2009 3:41 PM 24064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 9:05 PM 136360]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 9:59 PM 366152]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [9/15/2011 8:57 PM 642432]
    R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/17/2009 3:41 PM 176640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 9:59 PM 22216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [9/15/2011 8:57 PM 285152]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [3/21/2009 4:46 PM 22136]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 5:02 PM 1104656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://login.yahoo.com/config/mail?.intl=us
    uInternet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;<local>;*.local
    uInternet Settings,ProxyServer = cwpisav01:8080
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: hp.com\www
    Trusted Zone: meetthematts.com
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    FF - ProfilePath - c:\documents and settings\Kevin McG\Application Data\Mozilla\Firefox\Profiles\jtll9b8w.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-01 22:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
    "ImagePath"="\*"
    .
    Completion time: 2011-10-01 22:40:07
    ComboFix-quarantined-files.txt 2011-10-02 02:40
    ComboFix2.txt 2011-10-02 02:31
    ComboFix3.txt 2011-09-15 23:58
    ComboFix4.txt 2011-09-15 02:20
    .
    Pre-Run: 247,959,220,224 bytes free
    Post-Run: 247,945,723,904 bytes free
    .
    - - End Of File - - 240194DBF31D2A240596D838622B872B
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem with delay- I am always running behind! Log is looking good. Has redirect been resolved? Any related problems?

    Have you been able to resolve the Netgear problem? I notice this is still being loaded on startup:
    Product contains: WNA3100 Application
    File name contains: \Program Files\NETGEAR\WNA3100\WNA3100.exe
    This is the Smart Wizard which is usually used to configure.
    =================================
    The original HijackThis you ran is outdated (v2.0.2), so I'd like you to uninstall it, then run the following current version:

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  18. dixonhand

    dixonhand TS Rookie Topic Starter

    Thanks Again. I don't know what to do about the netgear - that is how it installed originally when I followed the directions. This netgear is a wireless usb adapter connected to my computer that allows me to wirelessly connect to my netgear router and am not sure how to stop it from starting at start up (or if it will work properly if I don't have it run at start up). Please advise on this.

    Here is the HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:09:45 PM, on 10/4/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\DOCUME~1\KEVINM~1\DESKTOP\OLDCOM~1\WINZIP\winzip32.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cwpisav01:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;192.168.*.*;<local>;*.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
    O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: YellowJacket.lnk = C:\Program Files\YellowJacket Software\YJ Energy\YJ.Energy.exe
    O4 - Global Startup: NETGEAR WNA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.meetthematts.com
    O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn-chi.mfglobal.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
    O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe

    --
    End of file - 8898 bytes
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Questions about some Services> these are showing 'file missing' in HJT, but that does not mean the file is missing:
    1. O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    2. O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
    3. O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Unknown owner - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe (file missing)
    4. O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe (file missing)
    -----------------------------------
    1. Java Quick Starter can be disabled. It's a convenience but doesn't need to run
    2. The Microsoft SeaPort Search Enhancement Process seemingly comes bundled with the Windows Live Suite regardless of what options are chosen by the user during installation: "Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement applications."

      seaport.exe runs automatically and continuously upon startup regardless of whether any searches have been performed or browser windows opened. Indeed, the SeaPort service is set to Automatic. That means that it adds additional time to the boot-up process and that its resource usage starts immediately. It uses about 4.5MB of RAM.
    3. STCAgent is an SSL VPN client from Cisco Systems.
    4. Synergy Server allows for multiple monitors using only 1 keyboard and mouse.
    The above are all legitimate programs. It's just a concern about them showing 'file missing.'
    =================================
    Regarding Netgear:
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-9-15 4577760]
    I suggest you go on the home site, support, tell them what you are experiencing and ask them if this registry entry for shortcut needs to be running.
    ===================================
    Okay- Combofix is good. HJT is good- just wanted you to check those Services.

    How is system doing now? Have redirects stopped?
     
  20. dixonhand

    dixonhand TS Rookie Topic Starter

    Redirect problem is fixed. I will look into the other programs you mentioned. Synergy I used to use with another computer but no longer do. STCAgent is for a work VPN I use. I also use Java Quick Start for work so that must be why that is on there. I have no idea about SeaPort and will disable it if you tell me how, if you think that is best. I will also talk to Netgear but haven't been able to get anyone yet and will keep you posted on that. Otherwise all is well. Is there anything else I should do or am I all set?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To finish up:

    Click on Start> Run> type in services.msc> Enter> double click on each of the following and set as directed:
    SeaPort> Disable> Stop Service
    Synergy Server > Disable> Stop Service
    =========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
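    The two service-related steps in this thread (checking whether the HijackThis O23 "file missing" entries from post 19 really point at missing binaries, and disabling SeaPort and Synergy Server as instructed above) can be done from a PowerShell console instead of the Services GUI. The script below is an added example, not something posted in the thread; it assumes Windows PowerShell 2.0 or later running with local administrator rights, and it takes the service names from the HJT lines (the internal name of "Synergy Server" is assumed to equal its display name).

```powershell
# Added example (not from the thread): verify HJT O23 "file missing" entries
# against the real service ImagePath, then disable/stop the services named in post 21.
# Assumes Windows PowerShell 2.0+ and local admin rights.

# Service names as shown in the HijackThis O23 lines (assumed to be the internal names).
$Names = @('JavaQuickStarterService', 'SeaPort', 'STCAgent', 'Synergy Server')

function Get-ServiceBinaryStatus {
    param([string[]]$ServiceName)
    foreach ($n in $ServiceName) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        if (-not $svc) {
            # Service is not registered at all (HJT line may be stale).
            New-Object PSObject -Property @{ Name = $n; Registered = $false; Path = $null; OnDisk = $false }
            continue
        }
        # PathName may be quoted and carry arguments ("C:\x\y.exe" -arg); isolate the executable.
        $path = $svc.PathName
        if ($path -match '^"([^"]+)"')      { $path = $matches[1] }
        elseif ($path -match '^(\S+\.exe)') { $path = $matches[1] }
        New-Object PSObject -Property @{
            Name       = $n
            Registered = $true
            StartMode  = $svc.StartMode
            State      = $svc.State
            Path       = $path
            OnDisk     = (Test-Path -LiteralPath $path)   # $false = binary really is missing
        }
    }
}

# Show which "file missing" entries are genuine and which are HJT display quirks.
Get-ServiceBinaryStatus $Names | Format-Table Name, Registered, StartMode, State, OnDisk, Path -AutoSize

# Step from post 21: disable and stop SeaPort and Synergy Server.
foreach ($n in @('SeaPort', 'Synergy Server')) {
    if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
        Set-Service  -Name $n -StartupType Disabled
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
    }
}
```

    A service whose binary is registered but reports OnDisk = False is worth a closer look, since a deleted executable with a surviving service entry is one of the leftovers this kind of cleanup aims to catch.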
     
  22. dixonhand

    dixonhand TS Rookie Topic Starter

    All done, everything seems good. Just to say I do still have Malwarebytes Anti-Malware and Avira AntiVir still installed on my computer. Should I delete these and download new versions?
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    "Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually."

    Yes.
     