TechSpot

Hijack utility reports infections not found by AV Scanners

By GSteve
Sep 25, 2010
  1. Not sure if I should name names, but a Hijack utility I recently installed from a reputable website reports several 'infections' in startup 'programs' on both of my computers. I routinely use reputable Anti-malware protection (a different one on each of the two machines), and neither one has detected the reported infections. Additionally, I have completed the 8-step cleaning procedure specifed by TechSpot (on the machine I am writing this from) without any infection being reported. Can you help me determine the truth here?
    Thanks.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the problems, but you have to give me something to work with!

    While having good security lessens the chance of malware getting on a system, there is nothing that guarantees you will never get malware. There is no need to be secretive and when you're giving us information- the more we have, the better to help you..

    1. What 'hijack utility?
    2. Is it on your system?
    3. Did you do an online scan with a program?
    4. Where are the logs from Malwarebytes, GMER and the 2 from DDS?
    Please paste them in to your next reply for my review.
    5. "installed from a reputable website" What site?
    6. Did you install the program just to add to your security-or-was there some reason you thought you needed more or a program of different type?

    What is your operating system? Is it 32 or 64 bit?

    Important!
    Once you have posted the logs:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    Hello, and thank you for your reply and offer of assistance. I will do my best to provide whatever info you need.
    1) The Hijack utility I referred to is called Emsisoft HijackFree, and the setup filename is A2HighJackFree.exe.
    2) Yes, it is installed on my computer.
    3) Not sure I understand the question so I'll answer two ways. If the question pertains to the HijackFree utility: it is installed in one's computer and after a scan it compares its scan findings to an on-line database and produces a report. It has no repair/removal function and offers none. The report (for both of my computers) shows multiple infections in some startup 'programs' such as java update scheduler and nvcpl.dll. If the question pertains to follow-up AV scans, yes, in addition to my installed AVG AV program scan and the Malwarebytes scan, I did an online scan using Trend Micro Housecall. Nothing but HijackFree reported any infections.
    4) I have the logs from MBAM and GMER and (2) from DDS. Should I submit them all in one reply or in separate replies (The extended guidelines for the 8-step process says "Repeat if there are multiple logs").
    5) I installed Emsisoft HijackFree from the CNET Downloads website at http://download.cnet.com/Emsisoft-HiJackFree/3000-8022_4-10719194.html .
    6) I installed HijackFree to achieve additional security.
    7) My Operating System is Windows 7 Pro, 32-bit.
    I am pastiing the Malwarebytes scan log below my sig. I will submit the other three logs in one or more subsequent, whichever you desire.

    Regards,
    GSteve

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4692

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    9/25/2010 5:07:17 PM
    mbam-log-2010-09-25 (17-07-17).txt

    Scan type: Quick scan
    Objects scanned: 144858
    Time elapsed: 5 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    As you no doubt noticed, I misspelled 'HiJackFree' at least once in my earlier post. The correct name of the setup file is a2HiJackFreeSetup.exe.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If I had known you were using an automated scan program like this, I would have told you not to waste your time.

    If you want to do this right and have me help you look for malware, please give me the result of these programs: GMER and (2) from DDS.

    Get rid of "HijackThis Free." As you have so readily seen, although the original HijackThis is a free program, it is better that it's used with a knowledgeable helper who can tell you which-if any-entries need to be removed! I have you run it at the end of cleaning, not the beginning. And this program isn't used for 'screening.'

    FYI> I tried copying HJT logs info in automated data bases just to see what kind of information would be given. It is not likely that the average user would have understood the significance of it and actually been able to tell if entries should be removed!

    Most of the entries in a HijackThis log are normal and legitimate.
     
  6. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    Thanks.........
    You instructed me to paste my logs into my reply. When I attempted to copy/paste and submit my GMER log, I got a screen message saying it had too many characters (137,244) and that I should reduce it to not more than 20,000 characters.
    Please advise me how to proceed.
     
  7. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    I uninstalled HiJackFree.
    In the interest of saving you time, I am attaching my GMER and (2) DDS log files in the hope you can use them in that format.
    (These log files were created before I uninstalled HijackFree. Please tell me if I need to start over and create new logs.)
    Thanks.
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should probably check this out: Hopefully you will know what is being referred to.
    9/25/2010 6:08:32 PM, Error: Microsoft-Windows-Kernel-Processor-Power [6] - Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.

    Questions/Comments:
    1. You have CinemaNow.com in the Trusted Zone but the drivers indicate this Service us no longer running. The security in the Trusted Zone is lower than internet zone and I wouldn't advise putting a movie site in trusted.
    2. Do you intentionally have any Group Policy restrictions in place. There is a Storage Service; LocalSystemNetworkRestricted Stopped, on Demand>> Google, Amazon, HP?
    3. There is also a SessionLauncher: Related to DirectX An installation component related to the DirectX installation process of Roxio that does not always correctly remove itself after installation. It is in the Temp files and shows. Stopped, on Auto. Since the Roxio Share Service is not being used, this may have been related to that.
    ========================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    You can use multiple posts if neded to paste these 2 logs in.
     
  9. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    > Combofix and NOD-32 online AV Scan logs are pasted below....
    > Please note that NOD-32 didn't give me an option to 'Scan Unwanted Applications'. I unchecked 'Remove Found Threats' and checked 'Scan Archives'.
    >NOD-32 reported that Zone Alarm and Windows Defender were detected and that they might affect the performance and quality of the scan; however, I double-checked and they were both disabled (along with AVG AV).
    >I am sorry to say I don't know what the Microsoft-Windows-Kernel-Processor-Power (6) error message means. I noticed that the computer was extremely slow to start up and shut down yesterday, but it started up normally today.
    >I also don't know about 'Group Policy Restrictions' or 'Session Launcher'. I will research all three of those 'unknown-to-me' issues later after I get the machine cleaned up......
    >I don't remember ever using CinemaNow.com and wasn't aware it was in the IE trusted zone. I removed it. (Thanks).
    ------------------------------------------------------
    ComboFix 10-09-27.03 - GHS 09/27/2010 18:48:06.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.1983 [GMT -5:00]
    Running from: c:\users\GHS\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\GHS\GoToAssistDownloadHelper.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
    .

    2010-09-27 23:52 . 2010-09-27 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-25 16:46 . 2010-09-25 16:46 -------- d-----w- c:\users\GHS\AppData\Roaming\Malwarebytes
    2010-09-25 16:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-25 16:45 . 2010-09-25 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-25 16:45 . 2010-09-25 16:45 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-25 16:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-25 14:54 . 2010-09-09 01:45 615568 ----a-w- c:\users\GHS\AppData\Roaming\Mozilla\Firefox\Profiles\ydw13vwr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-09-25 14:54 . 2010-09-09 01:45 640264 ----a-w- c:\users\GHS\AppData\Roaming\Mozilla\Firefox\Profiles\ydw13vwr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-09-24 23:03 . 2010-09-24 23:03 -------- d-----w- c:\program files\Common Files\Java
    2010-09-24 22:29 . 2010-09-24 22:29 4093792 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
    2010-09-24 22:29 . 2010-09-24 22:29 3586912 ----a-w- c:\programdata\avg9\update\backup\setup.exe
    2010-09-24 22:29 . 2010-09-24 22:29 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
    2010-09-24 22:29 . 2010-09-24 22:29 620896 ----a-w- c:\programdata\avg9\update\backup\avgnsx.exe
    2010-09-24 22:29 . 2010-09-24 22:29 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
    2010-09-24 22:29 . 2010-09-24 22:29 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
    2010-09-24 22:29 . 2010-09-24 22:29 1619296 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
    2010-09-24 22:29 . 2010-09-24 22:29 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
    2010-09-24 22:28 . 2010-09-24 22:28 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
    2010-09-24 22:27 . 2010-09-24 22:27 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-09-24 22:24 . 2010-06-19 06:33 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-09-24 22:24 . 2010-06-19 06:33 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-09-24 22:24 . 2010-06-16 05:48 224256 ----a-w- c:\windows\system32\schannel.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-27 23:32 . 2010-07-02 02:51 0 ----a-w- c:\users\GHS\AppData\Local\prvlcl.dat
    2010-09-26 22:17 . 2010-09-26 22:17 95443 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_09_26_17_12_43_small.dmp.zip
    2010-09-26 22:03 . 2010-01-09 23:02 -------- d-----w- c:\programdata\Microsoft Help
    2010-09-25 23:20 . 2010-09-25 23:20 19921 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_09_25_17_59_06_small.dmp.zip
    2010-09-25 16:39 . 2010-07-19 02:29 -------- d-----w- c:\users\GHS\AppData\Roaming\QuickScan
    2010-09-25 16:18 . 2010-09-25 16:18 94449 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_09_25_11_13_31_small.dmp.zip
    2010-09-25 16:13 . 2010-09-25 16:13 18944 ----a-w- c:\windows\Internet Logs\xDBB600.tmp
    2010-09-25 16:13 . 2010-09-25 16:13 1756672 ----a-w- c:\windows\Internet Logs\xDBB65F.tmp
    2010-09-25 15:30 . 2010-09-25 15:51 1756160 ----a-w- c:\windows\Internet Logs\xDB6FF1.tmp
    2010-09-25 15:30 . 2010-09-25 15:51 1415168 ----a-w- c:\windows\Internet Logs\xDB6EE6.tmp
    2010-09-24 23:02 . 2010-02-04 17:02 -------- d-----w- c:\program files\Java
    2010-08-21 05:32 . 2010-09-24 22:25 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-01 02:44 . 2010-07-30 19:53 -------- d-----w- c:\users\GHS\AppData\Roaming\DVD Flick
    2010-07-30 19:53 . 2010-07-30 19:52 -------- d-----w- c:\program files\DVD Flick
    2010-07-30 18:28 . 2009-12-11 06:06 -------- d-----w- c:\program files\McAfee
    2010-07-29 06:30 . 2010-09-24 22:25 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-09-24 22:25 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-17 18:31 . 2009-12-01 21:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-17 18:31 . 2010-07-17 18:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-17 18:31 . 2009-12-01 21:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-17 10:00 . 2010-04-22 01:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 06:25 . 2010-09-24 22:25 978432 ----a-w- c:\windows\system32\wininet.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2010-01-10 00:56 . 2010-01-10 00:56 23 --sha-w- c:\windows\System32\edacded0.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

    [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
    2010-05-09 16:50 2517088 ----a-w- c:\program files\ZoneAlarm\tbZone.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

    [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

    [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-04-24 160328]
    "Copernic Desktop Search - Home"="c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2010-06-15 1611264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-05-14 30248]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-05-14 46632]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-04-24 160328]

    c:\users\GHS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
    2009-06-15 00:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CinemaNowMediaManagerApp]
    2008-10-06 21:07 2022248 ----a-w- c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 17:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2008-10-24 15:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
    2007-02-01 19:46 255528 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
    2007-07-20 15:50 328992 ----a-w- c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2009-04-14 13:43 604704 ----a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2009-11-25 03:24 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    R2 CinemaNow Service;CinemaNow Service; [x]
    R2 RoxLiveShare10;LiveShare P2P Server 10; [x]
    R2 SessionLauncher;SessionLauncher;c:\users\GHS\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
    R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [2010-04-10 266544]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-09-09 1120752]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-17 216400]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-17 243024]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
    S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-28 921952]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-17 308136]
    S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-05-26 26352]
    S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 493032]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
    S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-05-28 14896]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]

    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.techspot.com/
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    FF - ProfilePath - c:\users\GHS\AppData\Roaming\Mozilla\Firefox\Profiles\ydw13vwr.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.techspot.com/
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - component: c:\program files\Copernic Desktop Search - Home\Firefox36Connector\components\CSPXPCOMBridge.dll
    FF - component: c:\program files\Copernic Desktop Search - Home\Toolbar\FirefoxContainer\components\CCLCXPCOMBridge.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
    FF - component: c:\users\GHS\AppData\Roaming\Mozilla\Firefox\Profiles\ydw13vwr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
    FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
    FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
    FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
    FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
    FF - plugin: c:\users\GHS\AppData\Roaming\Mozilla\Firefox\Profiles\ydw13vwr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-OpAgent - OpAgent.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,33,8e,de,33,28,75,42,88,be,b4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,33,8e,de,33,28,75,42,88,be,b4,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(540)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    Completion time: 2010-09-27 18:54:58
    ComboFix-quarantined-files.txt 2010-09-27 23:54

    Pre-Run: 436,197,138,432 bytes free
    Post-Run: 436,116,828,160 bytes free

    - - End Of File - - 53AF9591C22BB73808B0210DD98D9A8D
    ------------------------------------------------------------------------------------

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=51f8264870d44840ac6c68316cfd1d0b
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-28 01:00:08
    # local_time=2010-09-27 08:00:08 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.1.7600 NT
    # compatibility_mode=1024 16777215 100 0 25847085 25847085 0 0
    # compatibility_mode=5893 16776574 100 94 25145909 37177638 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 8346751 9815557 0 0
    # scanned=87429
    # found=0
    # cleaned=0
    # scan_time=2781
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, good job! There are some files and folders that need to be moved- numerous CinemaNow entries, by the way. I'll set up some script in the morning for you to run through Combofix- I'm just getting ready to shut down for the night.

    Don't make any changes. See you in the AM.
     
  11. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    AVG wanted to do a scheduled scan when I started up the computer, and a notification popped up saying an update is available. In the interest of not changing anything, I stopped the AV scan and am ignoring the Windows update for now.
     
  12. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    I have to shut down for the night. I'll check again tomorrow for the script.............
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\Internet Logs\vsmon_2nd_2010_09_26_17_12_43_small.dmp.zip
    c:\windows\Internet Logs\zlclient_2nd_2010_09_25_17_59_06_small.dmp.zip
    c\windows\Internet Logs\vsmon_2nd_2010_09_25_11_13_31_small.dmp.zip
    c:\windows\Internet Logs\xDBB600.tmp
    c:\windows\Internet Logs\xDBB65F.tmp
    c:\windows\Internet Logs\xDB6FF1.tmp
    c:\windows\Internet Logs\xDB6EE6.tmp
    c:\windows\System32\edacded0.dat
    c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
    c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe
    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    c:\users\GHS\AppData\Local\Temp\DX9\Session Launcher.exe 
    
    Folder::
    c:\program files\McAfee
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CinemaNowMediaManagerApp]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    Driver::
    CinemaNow Service
    RoxLiveShare10
    SessionLauncher
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required
     
  14. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    >Ran CFScript with ComboFix. Kind of a nightmare. Disabled AVG Resident Shield, but a scheduled scan started up anyway just after I launched ComboFix. ComboFix paused until I got the AVG scan stopped, then it ran. ComboFix rebooted machine and a screen msg popped up saying a 'boot' file was missing and asked if I wanted to restore it. I said yes. Then a screen message popped up asking for the installation CD for PaperPort 11. I wasn't prepared for that and haven't yet located the CD. (I may have installed it from a download - don't remember.) AVG user interface wouldn't open to allow me to reactivate antivirus resident shield, so I had to reboot to make that work. On reboot, PaperPort11 again asked for installation CD. I cancelled that out. Looks like I lost my McAfee Site Advisor in the process.
    > I have not yet done HiJack This. Do I need AV deactivated during HJT installation/scan?
    > ComboFix log reported to be too large to copy/paste, so I am attaching it.
    > Thanks.
     

    Attached Files:

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry you had so much problem! I have no idea why you got message about Paper Port. There is no connection to Combofix.

    The McAfee loss is my fault. I didn't see any references to the Site Advisor running, but did see C:\Programs\McAfee. Thinking it was a left-over program folder from prior McAfee program, I removed it. It is very unusual that all the SiteAdvisor files were also removed because that would have required the 'KillAll' switch which I didn't use! Please download the Site Advisor again and my apology for the inconvenience.

    I remove 2 processes related to OmniPage/Scan Soft: one named Ereg.exe was a Registration reminder for OmniPage Pro 12 from ScanSoft and SSBkgdUpdate.exe which was an auto-updated for the scanner. They were moved from the startup menu. This should not have caused any problem with the scanner. If you want to put it back on startup, please use the msconfig utility to recheck the 2 entries .Neither of these should have cause a request for the CD. Scanners, printers, cameras, media players don't need to start on boot and run in the background.

    It is possible that something was done when you ran the automated scan. On a properly configured system, these should have been uneventful removals.

    You do not need to disable your security for HijackThis. It is only a tool that shows me what is running at the time and should not have any problems with security programs.
     
  16. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    >Not to worry about Site Advisor - I will reinstall that later unless you recommend against it.
    >Neither do I understand what's going on with PaperPort. It's a Scansoft/Nuance.com product as is Omnipage, so it may have been 'wrapped-up' in the Omnipage registration reminder (if that is possible). The PaperPort shortcut is still on my desktop, and I noticed in the HJT report that PaperPort is running (although I probably don't know what I'm talking about re the HJT report); nevertheless, when I click the shortcut it asks for the PaperPort 11 CD like it does on computer startup. I'll uninstall it later as I never used it much anyway.
    >I ran HiJackThis and am pasting the log below.
    >I deeply appreciate your help.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:08:17 PM, on 9/29/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techspot.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Copernic Desktop Search - Home Toolbar - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Program Files\Copernic Desktop Search - Home\Toolbar\ToolbarContainer101000318.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

    --
    End of file - 9370 bytes
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The messages from Paper Port should stop when you remove it from the Startup Menu> whether you uninstall it or not- you should uninstall if not using-it doesn't need to start on boot> it can be started by clicking on the program when needed:

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
      Uncheck any processes related to PaperPort, OmniScan, ScanSoft:
      [o]IndexSearch.exe
      [o]pptd40nt.exe
      and any others if found
      [*] Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changed. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
    ======================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present: (there were still some processes from McAfee, so I have included them below so that when you reinstall the Site Advisor you won't get message about it already being on the system> NOTE: when you do the rescan, these entries may not show. Not too worry- it means they've gone:

    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)"
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)


    Close all Windows except HijackThis and click on "Fix Checked."

    Are there any remaining problems?
     
  18. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    >Removed items you specified from Startup.
    >Rebooted
    >Ran HiJackThis in Scan Only. Removed items you specified (three having to with PaperPort/Index Search/were not listed).
    >Ran another HIJ scan just for the heck of it - items removed in previous step are no longer listed!
    >Rebooted.
    >NO OTHER PROBLEMS NOTED !!! YEAH!!!
    > But I do have an XP machine I need to clean up at some time in the future.
    >Thank you so much for your help.
    >Is there a way I could buy you a 'cup of coffee'?
    G.H.S.
     
  19. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    >Additional info: I went to 'User Accounts' to create myself a 'working' account (as I've heard it's best not to routinely work from my 'Admin' account) and found an account present named "ASP.NET MACHINE". I had no idea that was there. I Googled the name an found that it is installed with/by Microsoft's ".Net Framework 1.1". Could this be related to the 'Group Policy Restrictions' you commented on early in our 'conversation'?
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Microsoft puts that account on. There is one listed as 'Limited User' also. I deleted mine. I don't think that would be a source for policy settings.

    Okay- so we're good now> No mystery entries? Let's remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    I'll be glad to help with the other system. Just start a new thread for it. Go ahead with the steps and leave the new logs. There are 3 of us working. Either one of us will pick it up or you can direct it to me.
    ===============================
    Tips for added security and safer browsing:
    (Note: all of these programs might not work on Windows 7 or 64bit systems)
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
     
  21. GSteve

    GSteve TS Rookie Topic Starter Posts: 24

    >Uninstalled Combofix.
    >Downloaded/Ran OTCleanIt.
    >Deleted all restore points and created a new one (didn't find Create option under Accessories / System Tools / System Restore but found it under Control Panel / System / System Protection).
    >Emptied Recycle Bin.
    >Downloaded Avast Free - - will replace AVG Free with Avast Free later.
    >Downloaded and installed Spyware Blaster.
    >Looked at Bleeping Computers IE/Spyad, but website says it only works with IE6 and below. I have IE8.
    >Considering MVPS Host Files.
    >Downloaded and installed Google Toolbar (both browsers).
    >Updates: Windows' Automatic Updates is set to notify. Don't use Adobe Reader. Java control panel is set to check for updates automatically. Secunia PSI notifies me of 'insecure' and/or 'end of life' installed software.
    >Reset cookie controls in IE and Firefox per your recommendation.
    >Roger the routine maintenance and safe email handling practices.
    >I did not notice any mysterious entries in the last HJT log, and everything is working fine now.
    >I admire your knowledge and skills and sincerely appreciate your help.
    GHS
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for reminding me that I need to update the tips!

    [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
    IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
    Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...

    Creating a Restore Point in Windows 7:
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.

    Deleting all but the most recent System Protection point in Windows
    • Click Start, type Cleanmgr.exe and press ENTER
    • Select the drive-letter from the list and click OK
    • Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    • Select the drive-letter from the list and click OK
    • Click the More Options tab
      [​IMG]
    • Click the Clean up… button under System Restore and Shadow Copies.
    • Click OK.

    Glad to help! I'll close this thread but let me know if you have anymore questions.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...