TechSpot

Need help removing Incredibar

By Cloudnine
Feb 12, 2012
    Hi,
    Need assistance to remove "Incredibar" please.

    Logs:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.11.03

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: IBM-4E642AA635C [administrator]

    2/11/2012 10:55:47 PM
    mbam-log-2012-02-11 (22-55-47).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 186124
    Time elapsed: 11 minute(s), 23 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Administrator\Desktop\DownloadSetup.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

    (end)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-13 15:30:32
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548040M9AT00 rev.MG2OA5BA
    Running: 2drordz9.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwxiikob.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8BB9114 ZwClose
    SSDT F8BB90CE ZwCreateKey
    SSDT F8BB911E ZwCreateSection
    SSDT F8BB90C4 ZwCreateThread
    SSDT F8BB90D3 ZwDeleteKey
    SSDT F8BB90DD ZwDeleteValueKey
    SSDT F8BB910F ZwDuplicateObject
    SSDT F8BB90E2 ZwLoadKey
    SSDT F8BB90B0 ZwOpenProcess
    SSDT F8BB90B5 ZwOpenThread
    SSDT F8BB90EC ZwReplaceKey
    SSDT F8BB90E7 ZwRestoreKey
    SSDT F8BB9123 ZwSetContextThread
    SSDT F8BB90D8 ZwSetValueKey
    SSDT F8BB90BF ZwTerminateProcess

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] [00408A00] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] [00408D70] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\Secur32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\Secur32.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\Secur32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408D70] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [004078D0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] [00408A00] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] [00408D70] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [004078D0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00407760] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [004078D0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408D70] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegOpenUserClassesRoot] [004086A0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExA] [00408D70] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!RegCreateKeyExW] [00408BF0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!RegCloseKey] [00408900] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!RegOpenKeyExW] [00408F20] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [00407960] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [004078D0] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)
    IAT C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe[472] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [00407980] C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe (Nero MediaHome/Nero AG)

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 15:36:23 on 2012-02-13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.147 [GMT 11:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: BFlix Class: {0c9f4179-6ce2-4c6a-a3e5-67ff3592a12e} - c:\program files\bflix\BFlix.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Incredibar.com Helper Object: {6e13dde1-2b6e-46ce-8b66-dc8bf36f6b99} - c:\program files\incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Incredibar Toolbar: {f9639e4a-801b-4843-aee3-03d9da199e77} - c:\program files\incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [ACUMon] "c:\program files\cisco systems\aironet client monitor\ACUMon.Exe" -a
    mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
    mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
    mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
    mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [<NO NAME>]
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\administrator\desktop\PartyPoker.lnk
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.fujifilmimagine.com/imagine/ax/ImageUploader5.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299310973505
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{4365D515-1E78-4F11-ABA8-11120F730D3F} : DhcpNameServer = 192.168.2.1
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-17 11608]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-8-21 16384]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-17 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-17 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-17 66616]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-6-1 367456]
    S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2006-11-30 46108]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-12-6 18432]
    S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2006-12-8 119296]
    .
    =============== Created Last 30 ================
    .
    2012-02-11 11:53:19 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-02-11 11:52:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-02-11 11:52:14 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 11:52:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-10 10:20:41 -------- d-----w- c:\documents and settings\administrator\application data\Incredibar.com
    2012-02-10 10:19:58 -------- d-----w- c:\program files\BFlix
    2012-02-10 10:19:23 -------- d-----w- c:\program files\Incredibar.com
    2012-02-10 10:17:04 -------- d-----w- c:\documents and settings\all users\application data\100
    2012-02-10 10:17:02 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
    2012-02-05 09:18:15 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Nero
    2012-02-05 09:13:06 -------- d-----w- c:\program files\Nero
    2012-02-05 09:12:46 -------- d-----w- c:\documents and settings\all users\application data\Nero
    2012-01-19 06:24:17 -------- d-----w- C:\a6cf2f781aae66c5528c7397822a18
    2012-01-19 06:00:22 -------- d-----w- c:\windows\system32\XPSViewer
    2012-01-19 05:58:50 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2012-01-19 05:58:18 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-01-19 05:55:37 -------- d-----w- c:\program files\Navman
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 15:37:35.55 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/30/2006 10:15:25 AM
    System Uptime: 2/13/2012 1:10:50 PM (2 hours ago)
    .
    Motherboard: IBM | | 23747FM
    Processor: Intel(R) Pentium(R) M processor 1600MHz | None | 1594/400mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 37 GiB total, 8.674 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP66: 11/23/2011 2:29:39 PM - System Checkpoint
    RP67: 11/28/2011 6:14:33 PM - System Checkpoint
    RP68: 12/1/2011 4:57:57 PM - System Checkpoint
    RP69: 12/2/2011 7:58:46 PM - System Checkpoint
    RP70: 12/4/2011 2:08:44 PM - System Checkpoint
    RP71: 12/5/2011 5:06:14 PM - System Checkpoint
    RP72: 12/6/2011 5:21:50 PM - Removed Apple Application Support
    RP73: 12/6/2011 5:23:57 PM - Removed Apple Mobile Device Support
    RP74: 12/10/2011 10:49:41 AM - System Checkpoint
    RP75: 12/13/2011 9:29:45 AM - System Checkpoint
    RP76: 12/14/2011 6:59:51 PM - System Checkpoint
    RP77: 12/15/2011 11:22:09 AM - Software Distribution Service 3.0
    RP78: 12/16/2011 11:33:56 AM - System Checkpoint
    RP79: 12/17/2011 4:28:15 PM - Installed Windows XP Wdf01009.
    RP80: 12/18/2011 4:03:45 PM - Software Distribution Service 3.0
    RP81: 12/21/2011 2:03:18 PM - System Checkpoint
    RP82: 12/28/2011 10:38:22 AM - Installed Java(TM) 6 Update 30
    RP83: 12/29/2011 7:48:52 PM - System Checkpoint
    RP84: 1/5/2012 3:36:48 PM - System Checkpoint
    RP85: 1/8/2012 8:09:14 AM - System Checkpoint
    RP86: 1/10/2012 10:48:36 AM - System Checkpoint
    RP87: 1/13/2012 3:15:22 PM - System Checkpoint
    RP88: 1/13/2012 8:51:50 PM - Removed Adobe Reader 9.4.7.
    RP89: 1/17/2012 9:47:17 PM - System Checkpoint
    RP90: 1/19/2012 4:53:55 PM - Installed NavDesk 2009
    RP91: 1/19/2012 4:55:57 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    RP92: 1/19/2012 4:57:38 PM - Installed Windows XP WIC.
    RP93: 1/19/2012 4:58:18 PM - Installed %1 %2.
    RP94: 1/19/2012 4:58:30 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP95: 1/19/2012 5:26:09 PM - Installed Windows KB954550-v5.
    RP96: 1/19/2012 5:28:21 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP97: 1/26/2012 8:40:37 AM - Printer Driver Microsoft XPS Document Writer Installed
    RP98: 1/31/2012 12:11:14 PM - System Checkpoint
    RP99: 2/5/2012 8:11:02 PM - Installed Nero MediaHome 4 Essentials 4.4.8.1
    RP100: 2/10/2012 7:17:11 PM - System Checkpoint
    RP101: 2/12/2012 9:17:50 AM - System Checkpoint
    RP102: 2/13/2012 3:26:25 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.5.0
    Advertising Center
    Agere Systems AC'97 Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Avira AntiVir Personal - Free Antivirus
    BFlix
    Bonjour
    Cisco Aironet Installation Wizard
    DivX Setup
    e-tax 2011
    FrostWire 4.21.7
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB981793)
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    Incredibar Toolbar on IE and Chrome
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Intel(R) Sebring API
    iPod To Computer Transfer 6.6
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 30
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB925673)
    Nero ControlCenter
    Nero Installer
    Nero MediaHome 4
    Nero MediaHome 4 Essentials
    Nero MediaHome 4 Help
    Nero Online Upgrade
    OLYMPUS Master 2
    PartyPoker
    PMB
    PowerDVD
    QuickTime
    Realtek AC'97 Audio
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Spybot - Search & Destroy
    ThinkPad Power Management Driver
    ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    Ultimate Mahjongg 5
    Unwired
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/9/2012 11:40:20 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    2/13/2012 2:38:10 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    2/11/2012 9:47:17 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Nero MediaHome 4 Service service to connect.
    2/11/2012 9:47:17 PM, error: Service Control Manager [7000] - The Nero MediaHome 4 Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/11/2012 11:12:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    2/11/2012 10:28:44 PM, error: PSched [14103] - QoS [Adapter {4365D515-1E78-4F11-ABA8-11120F730D3F}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you notice the following?
    Start with this: How to stop MyStart by IncrediBar processes:
    • Click the Start menu, select Run.
    • Type taskmgr.exe into the Run command box, and click “OK.” You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.
    • Click Processes tab, and find MyStart by IncrediBar processes.
    • Once you’ve found the MyStart by IncrediBar processes, right-click them and select “End Process” to kill MyStart by IncrediBar.
    =========================================
    You have other entries that need to be removed:
    Uninstall or disable the file sharing Frostwire while I am helping you.

    To find other entries:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all antivirus and anti-malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==============================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.

    Please leave all logs in your next post.
     
  3. Cloudnine

    Cloudnine TS Rookie Topic Starter Posts: 17

    The Incredibar toolbar has now disappeared from Internet Explorer after I followed your steps above.

    Note that even before I commenced the steps above, there was no MyStart by Incredibar running in Processes in Task Manager.

    ESET found nothing.


    ComboFix 12-02-13.01 - Administrator 02/15/2012 11:12:59.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.275 [GMT 11:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\100
    C:\Install.exe
    c:\program files\Incredibar.com
    c:\program files\Incredibar.com\incredibar\1.5.3.27\bh\inCRedibar.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibar.crx
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarApp.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarEng.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarsrv.exe
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
    c:\windows\system32\cswGina.dll
    c:\windows\system32\drivers\etc\hosts.ics
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 11:53 . 2012-02-11 11:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-02-11 11:52 . 2012-02-11 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-11 11:52 . 2012-02-11 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-11 11:52 . 2011-12-10 04:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-10 10:20 . 2012-02-10 10:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Incredibar.com
    2012-02-10 10:19 . 2012-02-10 10:19 -------- d-----w- c:\program files\BFlix
    2012-02-10 10:19 . 2012-02-10 10:19 -------- d-----w- c:\program files\Windows Sidebar
    2012-02-10 10:19 . 2012-02-10 10:19 449 ----a-w- C:\user.js
    2012-02-10 10:17 . 2012-02-10 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
    2012-02-05 09:18 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nero
    2012-02-05 09:18 . 2012-02-11 11:19 -------- d-----w- c:\documents and settings\NeroMediaHomeUser.4
    2012-02-05 09:18 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Nero
    2012-02-05 09:13 . 2012-02-05 09:14 -------- d-----w- c:\program files\Nero
    2012-02-05 09:12 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2012-02-05 09:12 . 2012-02-05 09:15 -------- d-----w- c:\program files\Common Files\Nero
    2012-01-19 06:24 . 2012-01-19 06:30 -------- d-----w- C:\a6cf2f781aae66c5528c7397822a18
    2012-01-19 06:04 . 2012-01-19 06:04 -------- d-----w- c:\program files\MSBuild
    2012-01-19 06:00 . 2012-01-19 06:33 -------- d-----w- c:\windows\system32\XPSViewer
    2012-01-19 05:59 . 2012-01-19 05:59 -------- d-----w- c:\program files\Reference Assemblies
    2012-01-19 05:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2012-01-19 05:58 . 2006-06-29 02:07 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-01-19 05:55 . 2012-01-19 05:55 -------- d-----w- c:\program files\Navman
    2012-01-19 05:51 . 2012-01-19 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E}]
    2011-12-30 19:33 167936 ----a-w- c:\program files\BFlix\Bflix.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-05-17 03:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-22 86016]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-26 88363]
    "SoundMan"="SOUNDMAN.EXE" [2004-10-27 73728]
    "ACUMon"="c:\program files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" [2004-02-23 217088]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-19 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-19 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-19 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-19 208896]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-05-31 600928]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-12 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
    "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2009-06-23 4891944]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Unwired\\UwWiz.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/21/2008 9:11 AM 16384]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/17/2011 9:24 PM 136360]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [6/1/2010 4:01 AM 367456]
    S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [11/30/2006 10:23 AM 46108]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/6/2011 5:23 PM 18432]
    S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [12/8/2006 11:29 AM 119296]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]
    .
    2008-08-20 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2008-08-20 15:38]
    .
    2012-02-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-05-17 03:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-incredibar - c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-15 11:25
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2052111302-1060284298-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ed,16,2d,59,2a,48,96,43,b5,1f,02,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,86,41,62,3f,5f,85,f0,4d,ba,e2,73,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ed,16,2d,59,2a,48,96,43,b5,1f,02,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2924)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe
    c:\windows\system32\RegSrvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\RunDll32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-15 11:33:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-15 00:33
    .
    Pre-Run: 9,645,862,912 bytes free
    Post-Run: 9,673,322,496 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 1633F28BF553C533572541FFC55F582B

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno.swf
    c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno_popup.swf
    scanner sequence 3.AA.11.BRAPGJ
    ----- EOF -----
     
  4. Cloudnine

    Cloudnine TS Rookie Topic Starter Posts: 17

    Further to above, Incredibar has disappeared from Toolbars but I'm still having Google redirect issues.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\documents and settings\Administrator\Application Data\Incredibar.com
    c:\program files\BFlix
    C:\a6cf2f781aae66c5528c7397822a18
    DDS::
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: BFlix Class: {0c9f4179-6ce2-4c6a-a3e5-67ff3592a12e} - c:\program files\bflix\BFlix.dll
    BHO: Incredibar.com Helper Object: {6e13dde1-2b6e-46ce-8b66-dc8bf36f6b99} - c:\program files\incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Incredibar Toolbar: {f9639e4a-801b-4843-aee3-03d9da199e77} - c:\program files\incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"=- 
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ApnUpdater"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    RegLock::
    [HKEY_USERS\S-1-5-21-2052111302-1060284298-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Delete this task: Update for Ask Toolbar

    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To delete the task> right-click Update for Ask Toolbar> click Delete.
    ======================================
    Go to Add/Remove Programs and uninstall any Ask entries.
    Then use Windows Explorer to access Computer> Local Drive (C)> Programs> find folder for Ask and do a right click> Delete
    ==================================
    Check all download screens for pre-checked items like toolbars or browser helper objects. Uncheck any before you download.
    =================================
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
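    As an added illustration (not code from this thread, from ComboFix or from the helper), the following Python script parses the "Reg Loading Points" layout of the ComboFix logs posted above, flags browser loading points (URLSearchHooks, Browser Helper Objects, Toolbar) and any binary living under a vendor directory that these logs tie to the hijacker, and renders the flagged entries in the Registry:: layout of the CFScript above. The sample lines are copied from the posted log; the PUP_DIRS list and all function names are assumptions made for this example.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; not code from this thread or from ComboFix. PUP_DIRS is an
assumption drawn from the vendor directories named in the logs posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9F4179-6CE2-4c6a-A3E5-67FF3592A12E}]
2011-12-30 19:33 167936 ----a-w- c:\program files\BFlix\Bflix.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"= "path" [YYYY-MM-DD size]  (the log sometimes puts a space after '=')
NAMED_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
# YYYY-MM-DD HH:MM size attrs path  (BHO keys: the key itself names the CLSID)
DATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) \S+ (.+)$')

BROWSER_HOOK_KEYS = ('urlsearchhooks', 'browser helper objects', 'internet explorer\\toolbar')
# Assumption: vendor directories the posted logs associate with the hijacker and bundled toolbars.
PUP_DIRS = ('\\incredibar.com\\', '\\ask.com\\', '\\bflix\\')
REASON_HOOK = 'browser loading point (search hook / BHO / toolbar)'
REASON_DIR = 'binary under a directory the thread ties to the hijacker'


@dataclass
class LoadPoint:
    key: str
    name: Optional[str]  # value name, or None when the key itself is the entry
    path: str
    date: str
    size: int


def parse_loading_points(text: str) -> List[LoadPoint]:
    """Turn the key/value layout of the log section into structured records."""
    entries: List[LoadPoint] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.' or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = NAMED_RE.match(line)
        if m:
            entries.append(LoadPoint(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
            continue
        m = DATED_RE.match(line)
        if m:
            entries.append(LoadPoint(key, None, m.group(3), m.group(1), int(m.group(2))))
    return entries


def triage(text: str) -> List[Tuple[LoadPoint, List[str]]]:
    """Return every loading point that deserves a look, with the reasons why."""
    findings = []
    for lp in parse_loading_points(text):
        reasons = []
        if any(h in lp.key.lower() for h in BROWSER_HOOK_KEYS):
            reasons.append(REASON_HOOK)
        if any(d in lp.path.lower() for d in PUP_DIRS):
            reasons.append(REASON_DIR)
        if reasons:
            findings.append((lp, reasons))
    return findings


def cfscript_registry_block(findings: List[Tuple[LoadPoint, List[str]]]) -> str:
    """Render flagged entries in the Registry:: layout used by the script in the post
    above: values are listed as "name"=- under their key, key-only entries by key."""
    by_key: Dict[str, List[LoadPoint]] = {}
    for lp, _ in findings:
        by_key.setdefault(lp.key, []).append(lp)
    lines = ['Registry::']
    for key, lps in by_key.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{lp.name}"=-' for lp in lps if lp.name is not None)
    return '\n'.join(lines)


if __name__ == '__main__':
    for lp, reasons in triage(SAMPLE_LOG):
        print(f'{lp.name or "(key)"}: {lp.path}  <- {"; ".join(reasons)}')
    print(cfscript_registry_block(triage(SAMPLE_LOG)))
```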
     
  6. Cloudnine

    Cloudnine TS Rookie Topic Starter Posts: 17

    ComboFix 12-02-13.01 - Administrator 02/18/2012 14:38:26.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.279 [GMT 11:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\a6cf2f781aae66c5528c7397822a18
    c:\a6cf2f781aae66c5528c7397822a18\amd64\filterpipelineprintproc.dll
    c:\a6cf2f781aae66c5528c7397822a18\amd64\msxpsdrv.cat
    c:\a6cf2f781aae66c5528c7397822a18\amd64\msxpsdrv.inf
    c:\a6cf2f781aae66c5528c7397822a18\amd64\msxpsinc.gpd
    c:\a6cf2f781aae66c5528c7397822a18\amd64\msxpsinc.ppd
    c:\a6cf2f781aae66c5528c7397822a18\amd64\mxdwdrv.dll
    c:\a6cf2f781aae66c5528c7397822a18\amd64\xpssvcs.dll
    c:\a6cf2f781aae66c5528c7397822a18\i386\filterpipelineprintproc.dll
    c:\a6cf2f781aae66c5528c7397822a18\i386\msxpsdrv.cat
    c:\a6cf2f781aae66c5528c7397822a18\i386\msxpsdrv.inf
    c:\a6cf2f781aae66c5528c7397822a18\i386\msxpsinc.gpd
    c:\a6cf2f781aae66c5528c7397822a18\i386\msxpsinc.ppd
    c:\a6cf2f781aae66c5528c7397822a18\i386\mxdwdrv.dll
    c:\a6cf2f781aae66c5528c7397822a18\i386\xpssvcs.dll
    c:\documents and settings\Administrator\Application Data\Incredibar.com
    c:\program files\BFlix
    c:\program files\BFlix\bflix.crx
    c:\program files\BFlix\Bflix.dll
    c:\program files\BFlix\onload.js
    c:\program files\BFlix\uninstall.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-18 to 2012-02-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-15 00:40 . 2012-02-15 00:40 -------- d-----w- c:\program files\ESET
    2012-02-11 11:53 . 2012-02-11 11:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-02-11 11:52 . 2012-02-11 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-11 11:52 . 2012-02-11 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-11 11:52 . 2011-12-10 04:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-10 10:19 . 2012-02-10 10:19 -------- d-----w- c:\program files\Windows Sidebar
    2012-02-10 10:19 . 2012-02-10 10:19 449 ----a-w- C:\user.js
    2012-02-10 10:17 . 2012-02-10 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
    2012-02-05 09:18 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nero
    2012-02-05 09:18 . 2012-02-11 11:19 -------- d-----w- c:\documents and settings\NeroMediaHomeUser.4
    2012-02-05 09:18 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Nero
    2012-02-05 09:13 . 2012-02-05 09:14 -------- d-----w- c:\program files\Nero
    2012-02-05 09:12 . 2012-02-05 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2012-02-05 09:12 . 2012-02-05 09:15 -------- d-----w- c:\program files\Common Files\Nero
    2012-01-19 06:04 . 2012-01-19 06:04 -------- d-----w- c:\program files\MSBuild
    2012-01-19 06:00 . 2012-01-19 06:33 -------- d-----w- c:\windows\system32\XPSViewer
    2012-01-19 05:59 . 2012-01-19 05:59 -------- d-----w- c:\program files\Reference Assemblies
    2012-01-19 05:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2012-01-19 05:58 . 2006-06-29 02:07 14048 ------w- c:\windows\system32\spmsg2.dll
    2012-01-19 05:55 . 2012-01-19 05:55 -------- d-----w- c:\program files\Navman
    2012-01-19 05:51 . 2012-01-19 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-04-17 95536]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-22 86016]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-26 88363]
    "SoundMan"="SOUNDMAN.EXE" [2004-10-27 73728]
    "ACUMon"="c:\program files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" [2004-02-23 217088]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-19 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-19 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-19 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-19 208896]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-04-17 54576]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-05-31 600928]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-12 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
    "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2009-06-23 4891944]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Unwired\\UwWiz.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/21/2008 9:11 AM 16384]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/17/2011 9:24 PM 136360]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [6/1/2010 4:01 AM 367456]
    S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [11/30/2006 10:23 AM 46108]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/6/2011 5:23 PM 18432]
    S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [12/8/2006 11:29 AM 119296]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 06:57]
    .
    2008-08-20 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2008-08-20 15:38]
    .
    2012-02-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-05-17 03:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-BFlix - c:\program files\BFlix\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-18 14:48
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2012-02-18 14:51:18
    ComboFix-quarantined-files.txt 2012-02-18 03:51
    ComboFix2.txt 2012-02-15 00:33
    .
    Pre-Run: 9,360,187,392 bytes free
    Post-Run: 9,475,780,608 bytes free
    .
    - - End Of File - - 1FF8D3B84E065CE15C2FE880F8179DC2

    When removing Ask Toolbar through Add or Remove Programs, following message received:

    Error 1905.Module C:\Program Files\Ask.com\GenericAsk Toolbar.dll failed
    to unregister. HRESULT -2147220472. Contact your support personnel.

    ---------------------------------------------------------------

    Couldn't find any Ask folder in C:\Program Files

    ---------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:31:20 AM, on 2/20/2012
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Administrator\Desktop\PartyPoker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Administrator\Desktop\PartyPoker.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.fujifilmimagine.com/imagine/ax/ImageUploader5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299310973505
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

    --
    End of file - 8575 bytes
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Unwired\\UwWiz.exe"=-
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=-
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    2012-02-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-05-17 03:29]
    This is probably the reason for the errors when trying to remove the AskBar. There is a Scheduled Task for it which must be deleted:
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

    • To change the settings for a task: right-click the task> click Properties.
    • To delete a task: right-click the task> click Delete.
      c:\windows\Tasks\Scheduled Update for Ask Toolbar

      ======================================
      Regarding HijackThis: you did not set up the Directory for HJT per the instructions:
      C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

      That means there is no backup in the temp file where you have it. That means if something is removed in HJT in error, there is no backup to recover it. Please uninstall the HJT program and log you have now. Then follow the instructions to create the directory:

      First, set up a Directory for HijackThis as follows:
      Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
      Exit Explorer
      You now have a folder C:\HijackThis

      -----------------------------------------
      Download HijackThis and save to your desktop.
      • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
      • Extract it to the directory on your hard drive you created C:\HijackThis.
      • Then navigate to that directory and double-click on the hijackthis.exe file.
      • When started click on the Scan button and then the Save Log button to create a log of your information.
      • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
      • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
      • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

      NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
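    Added example (not part of this thread, and not a TechSpot or HijackThis tool): a small Python triage script that parses HijackThis-style log lines and flags the kinds of entries the helper points at above, namely orphaned "(file missing)" entries and executables running from a Temp directory, plus two further checks a reviewer usually wants: O23 services with no recorded publisher and O16 ActiveX downloads from hosts outside a small allowlist. The sample log, the allowlist and the rule names are constructed for the example; the findings are prompts for a human reviewer, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis 2.0.4 log format; it is not the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:31:20 AM, on 2/20/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Example AV\guard.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\update.exe" /CHECKNOW
O4 - HKCU\..\Run: [TempAutorun] C:\DOCUME~1\USER~1\LOCALS~1\Temp\setup.exe
O9 - Extra button: Example Site - {00000000-0000-0000-0000-000000000002} - C:\Documents and Settings\User\Desktop\Example.lnk (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000003} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Example Control) - http://download.example.com/control.cab
O23 - Service: Example Config Service (ECS) - Unknown owner - C:\WINDOWS\system32\ecs.exe
O23 - Service: Example AV Guard (ExampleAV) - Example GmbH - C:\Program Files\Example AV\guard.exe

--
End of file - 1234 bytes
"""

# Constructed allowlist of ActiveX download hosts treated as expected; extend per environment.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "download.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str                 # HijackThis section code (O4, O23, ...) or PROC for a running process
    body: str                 # raw text after "Oxx - "
    target: str               # file path, executable or URL the entry points at
    file_missing: bool = False
    clsid: Optional[str] = None


@dataclass
class Finding:
    level: str                # "review" wants a human look, "info" is context only
    rule: str
    entry: Entry


def _first_path(cmd: str) -> str:
    """Return the executable from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _build_entry(code: str, body: str) -> Entry:
    missing = body.endswith("(file missing)")
    text = body[: -len("(file missing)")].strip() if missing else body
    if code == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch  -> keep the executable only
        cmd = text.split("] ", 1)[1] if "] " in text else text
        target = _first_path(cmd)
    elif " - " in text:
        target = text.rsplit(" - ", 1)[1].strip()   # last field is the path or URL
    else:
        target = text
    m = CLSID_RE.search(body)
    return Entry(code, body, target, missing, m.group(0) if m else None)


def parse_log(text: str) -> List[Entry]:
    """Parse the 'Running processes' block and every Rxx/Fxx/Oxx line."""
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process block
                in_procs = False
                continue
            entries.append(Entry("PROC", line, line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(_build_entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review heuristics; every rule is a prompt for a human, not a verdict."""
    findings: List[Finding] = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding("review", "orphaned entry: target no longer exists", e))
        if e.code == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding("review", "service with no recorded publisher", e))
        if e.code == "O16":
            host = urlparse(e.target).hostname or ""
            level = "info" if host in TRUSTED_DPF_HOSTS else "review"
            findings.append(Finding(level, f"ActiveX download source: {host}", e))
        if e.code in ("O4", "PROC") and "\\temp\\" in e.target.lower():
            findings.append(Finding("review", "executable under a Temp directory", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.level:6}] {f.rule}: {f.entry.code} {f.entry.target}")
```

    On the constructed sample the script raises five "review" findings (the HijackThis copy and the Run entry under Temp, the orphaned .lnk button, the non-allowlisted ActiveX download, the service with no publisher) and one "info" line for the Microsoft Update control. Run against a real log, treat each "review" line the way the helper does above: confirm what the target is before anything is removed, and keep a backup of what HijackThis changes.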
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Are you going to finish?
     
Topic Status:
Not open for further replies.

