Possible Virus? googletoolbar_32.exe is infected

By jwollmuth
Oct 15, 2010
  1. Hi all, my name is Jerry. Total newbie here, so if I violate your protocol, please accept my apologies; this is my first post. When logging on to the internet with IE, I get a warning page. Any website that I try to access through IE gives me the same warning. I also get the small Windows Security Alert box that says "Application cannot be executed. The file googletoolbar_32.exe is infected. Do you want to activate your antivirus software now?" When clicking on "Yes" it takes you to a webpage to purchase AV protection from a website (Rogue website URL removed) where you are offered 3 choices of levels of AV protection to purchase. I've tried different ways to get around this but cannot access anything through IE. Not long ago my AV protection through Trend Micro expired, and no sooner than that, I acquired this problem. I began to follow your 8 steps to eliminate it. I downloaded Avast Antivirus and ran a full scan. Nothing was picked up in it, but there were approx. 7 or 8 files that it couldn't access. Next I downloaded TFC, but it won't allow it to run. I went on to the next step. I downloaded MBAM and went through the install, but again it won't let the program scan. Any help or suggestions on where or how to proceed from here would be greatly appreciated. I have Mozilla Firefox as an alternative internet access on my computer, which is how I am able to access your website. Thank you in advance for your help.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Jerry! And congrats on going back to school. You'll be amazed at how different it seems to an adult. Your time will be premium, so you will learn well and may end up leading the class!

    It sounds like you may have a malware infection called Security Tool. It sucks many users in. Just a comment to you: never click on security popups like this. It will tell you the system is infected and offer to fix it for a price. Meanwhile, it's leaving more malware on the system.

    I'd like to vary the preliminary scans a bit to try and get you running:

    First, Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Then, to help run MBAM, download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. Once done, try running a scan again.

    Paste the logs in your next reply and after I see what we're dealing with, I'll know what steps to take next.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. jwollmuth

    jwollmuth TS Rookie Topic Starter

    Bobbye, thanks for getting back to me. I started to walk through the steps of your fix. First I downloaded the ESET smart installer. When I go to open it, it opens for a second and then disappears, as if whatever is going on is blocking it. This is the same thing that happened when I tried the 8 step fix. I get something downloaded, but when I try to open it, it opens for a split second and disappears. What to do next?
  4. jwollmuth

    Update to post on possible virus

    Bobbye- Just got back from my Saturday morning classes. Found out a couple more things that I thought might be useful info before you reply with the next steps to take.
    When I log in and use Mozilla to access the web, I can do that and go almost anywhere. However, I do get the IE window opening up by itself as I access different things through Mozilla. The annoying little security alert window and other alerts keep randomly opening also. For whatever reason, this rogue malware or whatever the correct term for it is, keeps randomly opening one of three websites besides the page to purchase their software. They are, and viagra something or other, I forgot. I do not look at porno and have never been to these websites. The only other users are all young children, and they would have no idea about these and if so, wouldn't be on them as I supervise their use. Two other things that happened: I turned on the computer and logged on under my kids' user symbol. Everything worked, so I quickly closed out and logged on as me. Immediately upon opening IE, avast quarantined a potential threat. Don't know how to access it to tell you what it is. However, I still cannot access IE; all I get is the page that says "internet explorer cannot display this webpage". Don't know if any of this helps get us closer to a resolution. But thanks again in advance for your time and assistance.
  5. Bobbye

    All of the symptoms you're having describe malware. It's possible one of the kids clicked on some popup and now there is at least adware on the system. Porno and Viagra are all over the internet- few people actually click on the sites but many people get the annoying popups. I suspect that the kids have User accounts with lower security. But when you used your account, it was for the Administrator and malware loves that account!

    The IE Window that is coming up will also be malware. Although having several iexplore.exe entries in the Task Manager is normal if you use IE 8, the popup IE Window will be malware. See if you can run HijackThis. That's about as basic as there is to give information. It is not a 'threat' to malware because it doesn't remove anything automatically:

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Now that you have the programs downloaded, if necessary, I'll have you try to run them in Safe Mode. But I have to get something I can see. If it's in HJT, I can have you stop it and it may allow you to run the other programs.
  6. jwollmuth

    Reply after trying HijackThis


    Not sure what is happening. I can no longer access IE or Mozilla when logged in as "Owner". I only get an "internet webpage is not available" when on IE. With Mozilla, I now get a proxy registry problem page when trying to access the internet. I can only access anything when I log on as a different user. And of course many things that are available to me as Owner are not as a different user, such as my documents for papers I wrote for classes, pictures, things on my desktop and so on. So I logged on under a different user, downloaded HijackThis and ran a scan. For some reason my system denied write access to the file. I have Vista 32-bit. It is supposed to allow me to choose the "Run as Administrator" option when I right click on the icon on my desktop. That option is not there. When the log appears after the scan and I click on "Save log", the Save log window opens. When I click on "Save", a small window opens to say the file already exists and do I want to replace it. "No" leaves me there. "Yes" brings me to a script that says "Cannot find the C:\Program Files\Trend Micro\HijackThis\hijackthis.log file. Do you want to create a new file?" Either answer, "yes" or "no", leaves me with a blank notepad document. The scan results in the scan window will not let me copy and paste them. As you can imagine, they are quite lengthy to have to write out completely manually. What do you suggest next?
    Again, thanks for your continued help.
    Best regards-
    Jerry W.
  7. jwollmuth

    Did an advanced search for HijackThis on my computer and found this file. Hope it's what you were looking for and it helps bring us a step closer. A question for you- if we fix this under a different user, will it fix everything under the "Owner" as well? Also, when this is finished I would appreciate your suggestions as to what I should have for internet security, steps to take to speed up the computer, and suggestions as to programs that should be added or removed. As of right now, my Trend Micro recently expired. Maybe that's what allowed this to happen. I have the avast! Antivirus on there which you previously had me download.
    Thanks again-
    Jerry W.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:28:23 PM, on 10/18/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18975)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
    C:\Program Files\Carbonite\CarbonitePreinstaller.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
    O4 - Startup: IMVU.lnk = C:\Users\mikala\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    End of file - 13529 bytes
  8. jwollmuth

    Making some progress

    Copy of file from ESET
  9. jwollmuth

    Hello, again. I was able to go into Tools and found that the proxy settings had been changed for some reason. I changed them back to autodetect and was able to connect to the internet. So, I started through the steps you gave me originally. I will include the results of the scans here.
    Let me know what to do next. Thanks again.
    Jerry W.

    Results from ESET Online Antivirus

    C:\Users\Owner\AppData\Local\Temp\478D.tmp a variant of Win32/Olmarik.AFN trojan
    C:\Users\Owner\AppData\Local\Temp\47BC.tmp.exe a variant of Win32/Olmarik.AFN trojan
    C:\Users\Owner\AppData\Local\Temp\6f105709.exe Win32/Adware.SpywareProtect2009 application
    C:\Users\Owner\AppData\Local\Temp\93702ac4.exe.vir a variant of Win32/Olmarik.AFN trojan
    C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\4808c9f2-26f00dc3 multiple threats
    C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\7cc1ceff-52bb95ff a variant of Java/Rowindal.A trojan

    Results from MBAM-

    Malwarebytes' Anti-Malware 1.46

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18975

    10/18/2010 11:42:19 PM
    mbam-log-2010-10-18 (23-42-19).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 284455
    Time elapsed: 49 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> No action taken.
  10. Bobbye

    Okay- it's amazing how many lost internet connections are due to settings! Whether it's malware or user, glad you got yours fixed. Jerry, I will give you tips and security information when we have finished.

    You will need to update and run Malwarebytes again, paying attention to the direction that says:
    Be sure that everything is checked, and click Remove Selected.
    When a log comes back as yours did saying No Action Taken, it means that wasn't checked and what was found is still on the system.

    To remove what Eset found:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [start explorer]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    After you have finished running OTMoveIt, you will need to empty the Java Cache:
    Control Panel> Java> Temporary Internet Files> Settings> Delete and Close.
    You have a ton of junk running! I award you the prize for having the most unwanted Browser Helper Objects (BHO) and Toolbars. This is not a prize you want!

    Please reopen HijackThis to 'Do a system scan only'. Check each of the following, if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll

    Close all Windows except HijackThis and click on "Fix All".
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    vShare: redirects home and search pages.

    To Uninstall the vShare Toolbar from your Internet Explorer browser:
    1. Close all Internet Explorer windows.
    2. Open Start menu and select Control Panel.
    3. Click the “Add or Remove Programs” button.
    4. Scroll down until you find the name of the Toolbar
    5. Select the “Change/Remove” button or the “Remove” button
    6. On the "Select Uninstall method" screen choose "Automatic", then click "Finish" to perform the uninstall.
    7. Restart Internet explorer after the uninstallation is complete to ensure that the toolbar is removed.

    To Uninstall the vShare Toolbar from your Firefox browser:
    1. In the Mozilla Firefox window, select the “Tools” menu.
    2. Click on "Add Ons"
    3. Scroll down until you find the name of the Toolbar
    4. Click “Uninstall”
    5. Click “Uninstall” again to confirm that the toolbar has been uninstalled.
      Restart your Firefox browser
    6. The toolbar should be now successfully uninstalled from your browser and operating system.
    Empty the Recycle Bin
    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    There will be Registry entries showing up in the Combofix log from some of the entries I had you stop in HJT. I will remove them with a script I'll have you run after the Combofix scan.
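    As an added example (not code from the thread or from any of the tools named in it), here is a small Python script that does the triage Bobbye did by hand above: it parses excerpts of the HijackThis and MBAM logs posted earlier in the thread, lists the MBAM findings still marked "No action taken", and flags the O2/O3/O18 entries that share the Search Toolbar CLSID or DLL with them, or that have no name or no file. The log excerpts are copied from the thread; the regular expressions, the section filter and the "reason" labels are assumptions of my own.

```python
"""Cross-reference a HijackThis log with a Malwarebytes (MBAM) log.

Added example, not from the thread: lists the MBAM findings left in place
("No action taken") and every HijackThis O2/O3/O18 entry that shares a CLSID
or file path with them, plus BHO entries with no name or no file.
"""
import re

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")  # "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*')  # drive-letter path up to a quote/EOL
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_hjt(text):
    """HJT entries as dicts: code, body, clsid and path (both lower-cased)."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # header, blank line or "Running processes" path
        body = m.group("body")
        clsid, path = CLSID.search(body), WIN_PATH.search(body)
        entries.append({"code": m.group("code"), "body": body,
                        "clsid": clsid.group(0).lower() if clsid else None,
                        "path": path.group(0).strip().lower() if path else None})
    return entries


def parse_mbam(text):
    """MBAM findings as dicts: item, label, action, clsid (if the item has one)."""
    findings = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue  # section headers, "(No malicious items detected)", etc.
        clsid = CLSID.search(m.group("item"))
        findings.append({"item": m.group("item"), "label": m.group("label"),
                         "action": m.group("action"),
                         "clsid": clsid.group(0).lower() if clsid else None})
    return findings


def unresolved(findings):
    """Findings MBAM reported but did not remove (nothing was ticked)."""
    return [f for f in findings if "no action taken" in f["action"].lower()]


def cross_reference(hjt_entries, findings):
    """(code, body, reasons) for HJT add-on entries tied to MBAM findings."""
    bad_clsids = {f["clsid"] for f in findings if f["clsid"]}
    bad_paths = {f["item"].lower() for f in findings if f["item"][1:3] == ":\\"}
    hits = []
    for e in hjt_entries:
        if e["code"] not in ("O2", "O3", "O18"):
            continue  # BHOs, toolbars and protocol handlers only
        reasons = []
        if e["clsid"] in bad_clsids:
            reasons.append("CLSID flagged by MBAM")
        if e["path"] in bad_paths:
            reasons.append("file flagged by MBAM")
        if "(no name)" in e["body"] or "(no file)" in e["body"]:
            reasons.append("BHO with no name or no file")
        if reasons:
            hits.append((e["code"], e["body"], reasons))
    return hits


# Excerpts of the HijackThis and MBAM logs posted earlier in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
"""
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
Files Infected:
C:\Program Files\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> No action taken.
"""

if __name__ == "__main__":
    found = parse_mbam(MBAM_LOG)
    for f in unresolved(found):
        print("still present:", f["label"], f["item"])
    for code, body, reasons in cross_reference(parse_hjt(HJT_LOG), found):
        print(f"fix {code} - {body}  [{'; '.join(reasons)}]")
```

    Entries such as the Adobe BHO and the avast! Run key are left alone, which is the same caution Bobbye gives about HijackThis output: most of what it lists is harmless or required.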
  11. jwollmuth


    Thought I would post this in case I were to lose it prior to completing the rest of your steps.
    Will post again when I finish.
    Jerry W.

    Results from OTMoveIt

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Users\Owner\AppData\Local\Temp\478D.tmp moved successfully.
    C:\Users\Owner\AppData\Local\Temp\47BC.tmp.exe moved successfully.
    C:\Users\Owner\AppData\Local\Temp\6f105709.exe moved successfully.
    File/Folder C:\Users\Owner\AppData\Local\Temp\93702ac4.exe. not found.
    C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\4808c9f2-26f00dc3 moved successfully.
    C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\7cc1ceff-52bb95ff moved successfully.
    ========== COMMANDS ==========


    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: IUSR_NMPR
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: mikala
    ->Temp folder emptied: 33794947 bytes
    ->Temporary Internet Files folder emptied: 57566843 bytes
    ->Java cache emptied: 3019138 bytes
    ->FireFox cache emptied: 16115242 bytes
    ->Flash cache emptied: 4799 bytes

    User: Owner
    ->Temp folder emptied: 668583 bytes
    ->Temporary Internet Files folder emptied: 744928225 bytes
    ->Java cache emptied: 102484059 bytes
    ->FireFox cache emptied: 96474613 bytes
    ->Google Chrome cache emptied: 7233286 bytes
    ->Flash cache emptied: 888299 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 666351416 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 21840183 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 25538196 bytes
    RecycleBin emptied: 71246154 bytes

    Total Files Cleaned = 1,763.00 mb

    OTM by OldTimer - Version log created on 10192010_154359

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
    File move failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
  12. jwollmuth

    jwollmuth TS Rookie Topic Starter

    Ran the combofix. I see that several icons no longer appear in my tray at bottom of page. Just curious. Also, I've been using the mozilla to do all of this, didn't want to chance screwing up the IE. It has a small window that opens when you download anything and is displayed there for you to open it or move it. No option to move to desktop and clicking on it and dragging doesn't work. Haven't figured out how to move it to desktop. Some items appear there by themselves, avast, MBAM, McAfee, but this one didn't. Just wondering. If I need it again, guess I will just have to download and open again. Anyway, I will attach the log file and wait to hear back from you. One other thing I just thought of, when you had me go to empty the recycle bin after uninstalling the toolbar in IE, there was nothing there. Also the vShare toolbar in Mozilla wasn't listed anywhere. Also, some of the items that you wanted me to check in the HijackThis scan list were not there and the first two you listed are duplicated by the next two on the list. Just wondering if there was something that got missed or???
    As always, I appreciate your time and effort.
    Jerry W.

    ComboFix Log

    ComboFix 10-10-18.06 - Owner 10/19/2010 17:33:23.1.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1943 [GMT -5:00]
    Running from: c:\users\Owner\Downloads\ComboFix.exe
    AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe

    ((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

    2010-10-19 22:48 . 2010-10-19 22:48 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2010-10-19 22:48 . 2010-10-19 22:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-19 21:31 . 2010-10-19 21:31 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-19 20:43 . 2010-10-19 20:43 -------- d-----w- C:\_OTM
    2010-10-19 05:00 . 2010-10-19 05:00 -------- d-----w- c:\program files\ESET
    2010-10-17 05:42 . 2010-10-17 05:42 -------- d-----w- c:\programdata\McAfee
    2010-10-17 05:42 . 2010-10-17 05:42 -------- d-----w- c:\programdata\McAfee Security Scan
    2010-10-17 05:42 . 2010-10-17 05:42 -------- d-----w- c:\program files\McAfee Security Scan
    2010-10-17 05:34 . 2010-09-14 23:00 138712 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
    2010-10-17 05:34 . 2010-09-14 22:59 23512 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
    2010-10-17 05:34 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-10-17 05:34 . 2010-09-14 22:59 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-10-15 21:10 . 2010-10-15 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
    2010-10-15 21:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 21:09 . 2010-10-19 13:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 21:09 . 2010-10-15 21:09 -------- d-----w- c:\programdata\Malwarebytes
    2010-10-15 21:09 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 17:23 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-10-15 17:23 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-15 17:23 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-15 17:23 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-15 17:22 . 2010-09-07 14:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-10-15 17:22 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-15 17:22 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-15 17:22 . 2010-10-15 17:22 -------- d-----w- c:\programdata\Alwil Software
    2010-10-15 17:22 . 2010-10-15 17:22 -------- d-----w- c:\program files\Alwil Software
    2010-10-15 16:53 . 2010-10-15 16:54 -------- d-----w- c:\programdata\MFAData
    2010-10-15 16:47 . 2010-10-15 16:47 -------- d-----w- c:\programdata\AVGQTS
    2010-10-15 01:30 . 2010-10-15 01:30 -------- d-----w- c:\users\mikala
    2010-10-12 03:51 . 2010-10-12 03:51 -------- d-----w- c:\users\Owner\AppData\Roaming\Vivox
    2010-10-12 03:43 . 2010-10-19 22:21 -------- d-----w- c:\users\Owner\AppData\Roaming\IMVU
    2010-10-04 02:23 . 2010-10-04 02:23 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-09-29 18:02 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-29 18:01 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-11 39408]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-15 178968]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13683232]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 92704]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

    c:\users\mikala\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IMVU.lnk - c:\users\Owner\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2010-10-7 21760]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IMVU.lnk - c:\users\Owner\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2010-10-7 21760]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
    2008-06-16 13:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
    2007-04-07 09:56 54936 ----a-w- c:\windows\System32\jureg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
    R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-09-04 497008]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-09-04 677128]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSP;aswSP; [x]
    S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-02-22 145424]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
    S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
    S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-05 50256]
    S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-12-04 36368]
    S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-02-22 256528]
    S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-04 1426304]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Contents of the 'Scheduled Tasks' folder

    2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 06:59]

    2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 06:59]

    2010-09-26 c:\windows\Tasks\HPCeeScheduleForOwner.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-14 23:55]

    2010-10-19 c:\windows\Tasks\User_Feed_Synchronization-{2D6F3CAF-8396-4E09-A82A-784D213D5103}.job
    - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
    ------- Supplementary Scan -------
    mStart Page = hxxp://
    uInternet Settings,ProxyServer = http=
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\rm2x60nl.default\
    FF - prefs.js: - hxxp://{searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100910150546341&tb_oid=10-09-2010&tb_mrud=10-09-2010
    FF - prefs.js: - Inbox Search
    FF - prefs.js: - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - prefs.js: keyword.URL - hxxp://
    FF - component: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\rm2x60nl.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Veetle\Player\npvlc.dll
    FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
    FF - plugin: c:\users\Owner\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\rm2x60nl.default\extensions\\plugins\npTVUAx.dll
    FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-hpqSRMon - (no file)
    AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Owner\AppData\Roaming\Macromedia\Flash Player\\bin\octoshape\octoshape.exe

    --------------------- LOCKED REGISTRY KEYS ---------------------

    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    Completion time: 2010-10-19 18:16:38
    ComboFix-quarantined-files.txt 2010-10-19 23:16

    Pre-Run: 214,867,181,568 bytes free
    Post-Run: 214,954,889,216 bytes free

    - - End Of File - - 48B4F03D691B07C1E23476F4977E5327
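The two ComboFix sections a helper reads first, "Files Created" and "Reg Loading Points", are regular enough to triage mechanically. The script below is an added example, not ComboFix's own code and not something posted in this thread: it parses those two sections and flags executables created in user-writable locations (Temp, AppData, ProgramData), newly created kernel drivers, and Run entries whose path is a bare file name. The sample log is constructed from lines like the ones in the post above; the "6f105709" Run entry is hypothetical (the file name comes from the OTM log earlier in the thread, but no such Run key appears in the posted ComboFix log). Flagged entries are review candidates, not verdicts: the Malwarebytes driver and the HijackThis installer cache it reports here are tools the helper had the user install.

```python
r"""Triage helper for a ComboFix-style log (added example; not ComboFix's code
and not part of the thread).  It reads two sections of the format shown above:

  Files Created ...    2010-10-19 21:31 . 2010-10-19 21:31 388096 ----a-r- c:\dir\file.exe
  Reg Loading Points   "Name"="c:\dir\program.exe" [2009-04-11 1233920]

A hit means "look at this", not "malicious": tools installed during a cleanup
(MBAM, avast, HijackThis) show up next to anything a rogue AV dropped.
"""
import re
from dataclasses import dataclass
from typing import List

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[\d{4}-\d{2}-\d{2} \d+\]$')
PAREN_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # ((( Section Name )))
DASH_HEADER = re.compile(r"^-[-\s]*([A-Za-z].*?[A-Za-z])[-\s]*-$")  # ---- Section ----

# Directories any logged-on user can write to; rogue-AV droppers usually land here.
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\programdata\\|\\downloads\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")


@dataclass
class Finding:
    section: str   # "files" or "autorun"
    path: str
    reason: str


def check_file(path: str, attrs: str) -> List[Finding]:
    """Flag a 'Files Created' entry.  attrs is ComboFix's 8-char attribute field;
    a leading 'd' marks a directory, which cannot be executed."""
    low = path.lower()
    out: List[Finding] = []
    if attrs.startswith("d") or not low.endswith(EXEC_EXT):
        return out
    if USER_WRITABLE.search(low):
        out.append(Finding("files", path, "executable created in user-writable location"))
    if "\\system32\\drivers\\" in low and low.endswith(".sys"):
        out.append(Finding("files", path, "new kernel driver"))
    return out


def check_autorun(name: str, path: str) -> List[Finding]:
    """Flag a Run-key entry.  A bare file name is resolved through the search path
    at logon, so a same-named file earlier in that path hijacks it; a full path
    under a user-writable directory is the usual shape of a rogue-AV autorun."""
    label = f"{name} -> {path}"
    if "\\" not in path:
        return [Finding("autorun", label, "unqualified path in Run key")]
    if USER_WRITABLE.search(path.lower()):
        return [Finding("autorun", label, "autorun from user-writable location")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk the log, tracking the section headers, and collect findings in log order."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()              # forum pastes add leading indentation
        header = PAREN_HEADER.match(line) or DASH_HEADER.match(line)
        if header:
            section = header.group(1)
            continue
        if section.startswith("Files Created"):
            m = FILE_LINE.match(line)
            if m:
                findings.extend(check_file(m.group("path"), m.group("attrs")))
        elif section.startswith("Reg Loading Points"):
            m = RUN_LINE.match(line)
            if m:
                findings.extend(check_autorun(m.group("name"), m.group("path")))
    return findings


# Constructed sample modelled on the posted log.  The "6f105709" Run entry is
# hypothetical: the file name is from the OTM log, the Run key is not on the page.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

2010-10-19 22:48 . 2010-10-19 22:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-19 21:31 . 2010-10-19 21:31 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-15 21:09 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 05:34 . 2010-09-14 22:59 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"6f105709"="c:\users\Owner\AppData\Local\Temp\6f105709.exe" [2010-10-14 151552]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-hpqSRMon - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.path}")
```

To use it on a real log, replace SAMPLE_LOG with the pasted C:\ComboFix.txt; the per-line strip() means a copy taken from a forum post, indentation and all, parses the same as the original file.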
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think others may benefit from this so I'm going to write it all out. It will help you understand one of the easiest - and most misunderstood - features of a browser.

    Download Save Location

    Each browser has a default download location. That means that anything you Save or Save As will automatically be saved to that location. The default location in Firefox is the desktop. If you want to save something to a different location, you choose Browse and choose the location.

    Firefox Downloads: Tools> Main> Downloads>
    1. Check 'show download window when downloading the file'>
    2. If wanted, check 'close the window when download has finished'>
    3. Save Files to> Desktop is in the box. If you want the file elsewhere, click on Browse and choose a different location>
    4. If wanted, check 'always ask me where to save files'

    I do not have #2 & #4 checked because I want whatever I'm saving to go to the desktop first. If it's a setup to install a program, it's easy to double click on it on the desktop. If it's an attachment, saving to the desktop allows you to do a right click> scan with the AV first before opening it. If it's an image, I may need to set up a folder first, then move it to My Pictures.

    Internet Explorer Download Directory
    I think IE saves according to the file type. For instance, a .doc file would go to Word, a .jpeg file would go to My Pictures. This can be changed but requires a Registry Edit and I don't recommend that.

    A file can be easily 'relocated' by doing a right click> Send To> Desktop to create a shortcut.

    The scans that we run are saved to the desktop because:
    1. It's easy to find the setup to run the program.
    2. The program will be removed later so why place it elsewhere.
    3. Some programs, like Combofix and OTL have another step where you work with script code through the original program. So when you get the script to run, it's very easy to do the drop and drag because it's all on the desktop.

    The reason the desktop is usually the default is because the user may not know first, if he is going to keep the Save and if so, where he wants to keep it permanently. As far as I know, every Save As is set to go to the default location, or gives the browse option.

    Please see next reply for your Combofix script.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That was probably more than you ever wanted to know about Save locations, but I guarantee it will make your computer life better!

    About emptying the recycle bin> Sometimes there's nothing in it. Sometimes users have it set for deletes to bypass the Recycle Bin. And sometimes, the user throws a lot out but forgets to empty the trash. So I just tell everyone to empty it!

    We'll check on the missing icons later. Most probably you turned off the security to run Combofix and that made the program inactive. There is a Properties setting for the Notification Area to 'Hide Inactive Icons.' Not to worry at this point!

    You need to be sure and do regular maintenance on the system. There are 6 user accounts listed and Total Files Cleaned = 1,763.00 mb> that's a LOT of files!

    And those files and folders you couldn't find> I can move entries with the script.

    You have processes running for Trend Micro Security, McAfee and Avast. Confirm please that Trend Micro Security is the security you're using. I'll include the others in the script to remove and will have you uninstall later as you should only have 1 AV program and 1 firewall.

    As soon as you do that, I will leave the script.
  15. jwollmuth

    jwollmuth TS Rookie Topic Starter

    AV software

    Hi Bobbye-

    Thanks for the info on save/save as and the desktop. Sorry I haven't got back to you sooner. Had two exams to study for/take for my classes, so didn't have time to check in.
    TrendMicro is the AV that I had, but it expired shortly before this whole problem surfaced. The McAfee and the Avast are downloads used in some of your steps, that's why they are on here. This is also why on a previous post, I asked for your recommendation for what I should have for AV, Firewall and so on. Let me know where we go from here.
    Hope things are great in Florida!
    Thanks again-
    Jerry W.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About the antivirus programs: Even if Trend Micro expired, you still have the program running. It just won't be updating. McAfee is not in any of our steps. If there is no AV running, we do recommend either Avast or Avira.

    However, the Combofix header shows:
    AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) which was why I asked you to confirm that it was the AV.

    Let's check the security:
    Security Check

    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.

    Hopefully, now that I explained the Save location for you, you won't have a problem with this log. When I set up the script for you to run through Combofix, I remove left over entries. But not unless I'm sure the program has been removed.

    I told you that when we are finished, I will give recommendations to you to enhance your security and settings.
  17. jwollmuth

    jwollmuth TS Rookie Topic Starter

    SecurityCheck log

    Good evening. Ran security check. Had no problem saving it to the desktop when downloaded. Here's the log.
    Thanks again-
    Jerry W.

    Results of screen317's Security Check version 0.99.5
    Windows Vista Service Pack 2 (UAC is enabled)
    Internet Explorer 8
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ESET Online Scanner v3
    Trend Micro Internet Security
    McAfee Security Scan Plus
    Antivirus up to date! (On Access scanning disabled!)
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Java(TM) SE Runtime Environment 6 Update 1
    Adobe Flash Player
    Adobe Reader 8.1.3
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.10) Firefox Out of Date!
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 AvastUI.exe
    Trend Micro BM TMBMSRV.exe
    Trend Micro Internet Security SfCtlCom.exe
    Trend Micro Internet Security UfSeAgnt.exe
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The rule is: one firewall, one antivirus.
    Decide whether you want free standing programs for AV and FW, or a suite with both. Uninstall ALL of the others.

    You have outdated programs that either need to be updated or removed:
    After you finished getting the security program straight, reboot the computer. Multiple AV and FW makes the system more vulnerable, not less. IF you stop using a program or change to another one, you still have to uninstall the other and delete its program folder. Let me know what you keep.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Due to inactivity, this thread is being closed. If you require further help, please send your helper a PM and ask that the thread be reopened.