TechSpot

Search is starting automatically

By sumeshmd
Sep 20, 2011
  1. hi all

    I am facing a new problem with my laptop. When I start my laptop, a search window will pop up. Even if I close that, it will pop up again. I have to press any of the function keys to stop that for some time, but again after some time it will pop up.
    Also if I open Notepad it will open a search window inside that. Same as with Mozilla Firefox. It's like I have pressed Ctrl+F.

    The laptop is an HP Compaq C700 and the OS is Windows 7 Ultimate.

    I have run MBAM and HijackThis. Got some malware, but the problem remains the same.

    It is really annoying. Please help.
     
  2. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7725

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    9/21/2011 12:01:06 AM
    mbam-log-2011-09-21 (00-01-06).txt

    Scan type: Quick scan
    Objects scanned: 173637
    Time elapsed: 3 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-20 23:53:41
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9200827AS rev.3.BHA
    Running: gnhppxlf.exe; Driver: C:\Users\sumesh\AppData\Local\Temp\kwdiqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  4. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385
    Run by sumesh at 23:54:51 on 2011-09-20
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2039 [GMT 5.5:30]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Windows\system32\IoctlSvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe
    C:\Users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Windows\system32\vmnat.exe
    C:\Windows\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Reliance Netconnect+\bin\App.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = about:blank
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [googletalk] c:\users\sumesh\appdata\roaming\google\google talk\googletalk.exe /autostart
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    TCP: Interfaces\{8A57C6E6-97D0-42ED-B201-FEB7B3C6F878} : DhcpNameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
    FF - component: c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll
    FF - plugin: c:\users\sumesh\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\users\sumesh\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\sumesh\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-27 11608]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-27 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-27 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-27 56816]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-2 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-17 47640]
    R2 UDisk Monitor;UDisk Monitor;c:\program files\reliance netconnect+\bin\MonServiceUDisk.exe [2011-8-25 512000]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-5-20 539184]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
    R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-8-25 105472]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-09-20 17:54:39 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
    2011-09-20 17:54:34 399920 ----a-w- c:\windows\system32\vmnat.exe
    2011-09-20 17:54:34 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
    2011-09-20 17:54:30 760368 ----a-w- c:\windows\system32\vnetlib.dll
    2011-09-20 17:53:46 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
    2011-09-20 17:52:52 -------- d-----w- c:\program files\common files\VMware
    2011-09-20 17:51:46 -------- d-----w- c:\program files\VMware
    2011-09-19 18:20:37 388096 ----a-r- c:\users\sumesh\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-09-19 18:20:37 -------- d-----w- c:\program files\Trend Micro
    2011-09-16 03:40:34 -------- d-----w- c:\users\sumesh\appdata\roaming\Malwarebytes
    2011-09-16 03:40:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-16 03:40:19 -------- d-----w- c:\programdata\Malwarebytes
    2011-09-16 03:40:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-04 07:25:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-09-04 07:25:21 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-09-04 07:25:21 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-09-04 07:25:21 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-09-04 07:25:21 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-09-04 07:25:21 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-09-04 07:25:21 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-09-04 07:25:21 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-08-31 05:42:47 -------- d-----w- c:\windows\pss
    2011-08-27 12:03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-27 12:03:34 -------- d-----w- c:\programdata\Avira
    2011-08-27 12:03:34 -------- d-----w- c:\program files\Avira
    2011-08-27 10:52:10 -------- d-----w- c:\program files\IVT Corporation
    2011-08-25 18:16:43 -------- d-----w- c:\users\sumesh\appdata\roaming\ZTEEVDO
    2011-08-25 18:15:39 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
    2011-08-25 18:15:36 -------- d-----w- c:\program files\Reliance Netconnect+
    .
    ==================== Find3M ====================
    .
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 23:55:24.04 ===============
     
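When a helper reads a DDS log like the one above, the first pass is mechanical: note which security products are disabled or outdated, list the autorun entries and check whether they launch from user-writable locations, collect entries that point at a missing file, and pull out files marked both hidden and system in the Find3M section. The script below is an added example written for this page, not part of DDS, ComboFix or the original thread. It runs over a constructed sample made of a few lines copied from the log format above; the "user-writable path" list and the hidden+system rule are triage heuristics I chose, flags for a human to review, not verdicts.

```python
"""Triage helper for DDS-style logs: security product state, autoruns,
missing-file entries and hidden+system files.  Added example for this
thread; heuristics are the author's own, not part of the DDS tool."""
import re

# Constructed sample: a handful of lines in the format of the DDS log posted
# above (not the full log).  Raw string so the Windows paths stay intact.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Pseudo HJT Report ===============
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [googletalk] c:\users\sumesh\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
==================== Find3M ====================
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2011-09-04 07:25:21 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
"""

# "AV: <name> *<state>/<definitions>* {guid}"
PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* ")
# "uRun"/"mRun" = per-user / per-machine Run key entries
AUTORUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.+)$")
# Split an (optionally quoted) command line into executable path and arguments
CMDLINE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|cmd|bat))"?(?:\s+(.*))?$', re.I)
# "<date> <time> <size|--------> <attrs> <path>" as printed in Find3M
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+|-+)\s+([a-z-]{8})\s+(.+)$")
# Heuristic (my choice): locations an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def security_products(text):
    """Flag any AV/SP/FW line that is not both Enabled and Updated."""
    found = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state, defs = m.groups()
            found.append({"kind": kind, "name": name, "state": state, "defs": defs,
                          "flag": state != "Enabled" or defs != "Updated"})
    return found


def autoruns(text):
    """Parse Run-key entries; flag those launching from a user-writable path."""
    found = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        scope, name, cmd = m.groups()
        c = CMDLINE_RE.match(cmd)
        path, args = (c.group(1), c.group(2) or "") if c else (cmd, "")
        found.append({"scope": "user" if scope == "u" else "machine",
                      "name": name, "path": path, "args": args,
                      "flag": any(s in path.lower() for s in USER_WRITABLE)})
    return found


def missing_files(text):
    """Entries (hooks, BHOs) whose target file no longer exists: leftover or
    broken registrations, worth cleaning up."""
    return [l.strip() for l in text.splitlines() if l.rstrip().endswith("- No File")]


def hidden_system_files(text):
    """Find3M entries carrying both the 's' and 'h' attribute.  Legitimate
    software does this too, so this is a review list, not a detection."""
    found = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m and "s" in m.group(2) and "h" in m.group(2):
            found.append(m.group(3))
    return found


def triage(text):
    """Bundle all four checks into one report dictionary."""
    return {"products": security_products(text), "autoruns": autoruns(text),
            "missing": missing_files(text), "hidden_system": hidden_system_files(text)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

On the constructed sample this flags both security products (AntiVir disabled, Defender with outdated definitions), flags the googletalk autorun because it starts from the roaming AppData profile while leaving the avgnt entry unflagged, lists the two "No File" entries, and puts flvDX.dll on the hidden+system review list. The same functions apply unchanged to a full pasted DDS log.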
  5. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/12/2010 8:07:55 AM
    System Uptime: 9/20/2011 11:15:17 PM (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30D9
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | CPU | 2000/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 89 GiB total, 48.706 GiB free.
    D: is FIXED (NTFS) - 87 GiB total, 33.381 GiB free.
    E: is FIXED (NTFS) - 10 GiB total, 2.287 GiB free.
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP27: 5/31/2011 12:34:25 PM - Scheduled Checkpoint
    RP28: 8/27/2011 4:21:52 PM - Installed Bluesoleil2.6.0.8 Release 070517
    RP29: 8/27/2011 4:44:09 PM - Removed VEVA
    RP30: 8/27/2011 4:45:01 PM - Removed Skype Toolbars
    RP31: 8/27/2011 4:45:32 PM - Removed Ringomax v9.7
    RP32: 8/27/2011 4:46:02 PM - Removed Ringomax Premium
    RP34: 8/27/2011 5:33:02 PM - Avira AntiVir Personal - 8/27/2011 17:33
    RP35: 9/4/2011 2:13:16 PM - Scheduled Checkpoint
    RP36: 9/19/2011 11:50:13 PM - Installed HiJackThis
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office system
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    Bluesoleil2.6.0.8 Release 070517
    Conexant HD Audio
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Google Chrome
    Google Talk (remove only)
    Google Talk Plugin
    HiJackThis
    Intel(R) Graphics Media Accelerator Driver
    LogMeIn
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox 6.0.2 (x86 en-US)
    MSVCRT
    Nero 8
    neroxml
    OGA Notifier 2.0.0048.0
    Picasa 3
    Reliance Netconnect+
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Skype™ 4.2
    SUPER © Version 2008.bld.32 (July 8, 2008)
    tools-freebsd
    tools-linux
    tools-netware
    tools-solaris
    tools-windows
    tools-winPre2k
    Touch Pad Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb979895)
    VLC media player 1.0.1
    VMware Workstation
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    WordWeb
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/19/2011 11:58:03 PM, Error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
    9/19/2011 11:58:02 PM, Error: Service Control Manager [7034] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).
    9/19/2011 11:11:54 AM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
    9/16/2011 10:00:25 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    9/16/2011 10:00:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/16/2011 10:00:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    9/16/2011 10:00:11 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr ssmdrv tdx vwififlt Wanarpv6 WfpLwf
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/13/2011 9:46:22 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR6.
    .
    ==== End Of File ===========================
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I have some questions:

    1. What is the search Window for? Is there any URL in the Address Bar? Or is this just an empty search box? Does the Window have any particular search engine associated with it?

    2. The install date for Windows 7 is almost a year and a half ago, but you have no Windows Updates or Security updates. The only updates I see are for MS Office. Is there some reason you aren't getting updates?

    3. I note you have Reliance Netconnect+. There are some complaints made about the annoying connections this program makes. Did the search pop up start after you installed this program? Do you see any indication in the search Window of this program?

    4. I notice that you're running a remote log-in. Are you actively using this now?
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated. It will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
     
  7. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Hi Bobbye,

    Thanks for the quick response. First I will answer your questions.

    1. What is the search Window for? Is there any URL in the Address Bar? Or is this just an empty search box? Does the Window have any particular search engine associated with it?

    The search window is a blank one. When it opens it will blink all my previous searches in the right corner.

    2. The install date for Windows 7 is almost a year and a half ago, but you have no Windows Updates or Security updates. The only updates I see are for MS Office. Is there some reason you aren't getting updates?

    I was not using the internet for a long time on this laptop, so I disabled updates.

    3. I note you have Reliance Netconnect+. There are some complaints made about the annoying connections this program makes. Did the search pop up start after you installed this program? Do you see any indication in the search Window of this program?

    No. I bought the internet connection recently, but the problem has been there for some time. It was not severe before; this problem was only there at startup. But now it is coming up in between all programs, after I got the internet.

    4. I notice that you're running a remote log-in- are you actively using this now?

    Not using that much.

    ComboFix log:

    ComboFix 11-09-20.04 - sumesh 09/21/2011 9:03.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1923 [GMT 5.5:30]
    Running from: d:\downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\sumesh\AppData\Roaming\.#
    c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-21 03:39 . 2011-09-21 03:41 -------- d-----w- c:\users\sumesh\AppData\Local\temp
    2011-09-21 03:39 . 2011-09-21 03:39 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
    2011-09-21 03:39 . 2011-09-21 03:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-09-20 17:54 . 2010-05-20 19:26 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
    2011-09-20 17:54 . 2010-05-20 19:26 399920 ----a-w- c:\windows\system32\vmnat.exe
    2011-09-20 17:54 . 2010-05-20 19:23 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
    2011-09-20 17:54 . 2010-05-20 19:25 760368 ----a-w- c:\windows\system32\vnetlib.dll
    2011-09-20 17:53 . 2010-05-20 19:25 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
    2011-09-20 17:52 . 2011-09-20 17:52 -------- d-----w- c:\program files\Common Files\VMware
    2011-09-20 17:51 . 2011-09-21 03:41 -------- d-----w- c:\programdata\VMware
    2011-09-20 17:51 . 2011-09-20 17:51 -------- d-----w- c:\program files\VMware
    2011-09-19 18:20 . 2011-09-19 18:20 388096 ----a-r- c:\users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-09-19 18:20 . 2011-09-19 18:20 -------- d-----w- c:\program files\Trend Micro
    2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\users\sumesh\AppData\Roaming\Malwarebytes
    2011-09-16 03:40 . 2011-08-31 11:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\programdata\Malwarebytes
    2011-09-16 03:40 . 2011-09-16 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-04 07:25 . 2011-09-09 09:29 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-04 07:25 . 2011-09-09 09:29 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-04 07:25 . 2011-09-09 09:29 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-04 07:25 . 2011-09-09 09:29 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-04 07:25 . 2011-09-09 09:29 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-09-04 07:25 . 2011-09-09 09:29 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-04 07:25 . 2011-08-30 19:41 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-04 07:25 . 2011-08-30 19:41 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-08-27 12:03 . 2011-08-27 12:32 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-27 12:03 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-27 12:03 . 2011-08-27 12:03 -------- d-----w- c:\programdata\Avira
    2011-08-27 12:03 . 2011-08-27 12:03 -------- d-----w- c:\program files\Avira
    2011-08-27 10:53 . 2011-08-27 10:54 -------- d-----w- c:\programdata\Bluetooth
    2011-08-27 10:52 . 2011-08-27 10:52 -------- d-----w- c:\program files\IVT Corporation
    2011-08-25 18:16 . 2011-08-25 18:20 -------- d-----w- c:\users\sumesh\AppData\Roaming\ZTEEVDO
    2011-08-25 18:15 . 2010-11-04 04:45 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
    2011-08-25 18:15 . 2011-08-25 18:15 -------- d-----w- c:\program files\Reliance Netconnect+
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:29 . 2011-09-04 07:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
    2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
    [7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
    "WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-13 10:31 136176 ----atw- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-02-28 11:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 06:52 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 12:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    2008-02-18 10:59 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-04-05 22:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-08-27 108289]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 512000]
    S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-05-20 70704]
    S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 539184]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 105472]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
    - c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
    .
    2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
    - c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
    FF - ProfilePath - c:\users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\AUDIODG.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\windows\system32\IoctlSvc.exe
    c:\windows\system32\vmnat.exe
    c:\program files\VMware\VMware Workstation\vmware-authd.exe
    c:\windows\system32\vmnetdhcp.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-21 09:14:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-21 03:44
    .
    Pre-Run: 53,337,206,784 bytes free
    Post-Run: 53,835,780,096 bytes free
    .
    - - End Of File - - 18911BCB3E651D3A5002D5FEB99CCCDA
     
  8. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Another problem I have seen is that when I open Notepad, the current date and time are typed into it automatically...
     
  9. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    C:\System Volume Information\_restore{02331B4C-20DB-4909-A303-D5B72EBA27D8}\RP23\A0002908.exe a variant of Win32/HotSpotShield application
    C:\System Volume Information\_restore{02331B4C-20DB-4909-A303-D5B72EBA27D8}\RP24\A0003540.exe a variant of Win32/HotSpotShield application
    C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
    C:\Windows.old.000\Windows\Temp\hss_update.exe a variant of Win32/HotSpotShield application
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Open Notepad> Click on Edit> Uncheck Time and Date at the bottom of the drop-down menu> Click on Apply> OK.

    It's not really a problem; it was set up that way, and it is easy to change.
    ==============================================
    This sounds a bit like a pop-under. Do you have a pop-up stopper? The pop-under can be controlled with that. The pop-under actually comes up under a window, and if you close your current window, you will then notice the pop-under site.
    A pop-under will usually show on the Taskbar, blinking.
    ================================
    But now you are using it, and the system is full of vulnerabilities! I advise bringing the system current with updates.

    This event is reported after detection of memory corruption by firmware after a power transition or sleep event.
    Contact your hardware vendor to obtain the updated firmware and BIOS to address this issue.

    You can download this Microsoft document, which more fully describes this problem.
    =================================
    Some information about these programs: Mbam will remove malware entries if you have checked the line directing the removal. The current Mbam log does not show any malware.

    HijackThis, when run, doesn't remove anything. Most of the entries you see will be for normal, legitimate processes. We can stop some of the entries by repeating the scan and checking specific processes. However, neither of these scans alone will most likely remove all the malware entries, and using both of them cannot be expected to remove all of them either.
    ==================================
    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :
      :Files 
      C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe 
      C:\Windows.old.000\Windows\Temp\hss_update.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\windows\System32\flvDX.dll
    c:\windows\System32\msfDX.dll
    c:\windows\System32\nbDX.dll
    Folder::
    c:\users\sumesh\AppData\Local\temp
    c:\users\LogMeInRemoteUser\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe.
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
     
  11. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

     
  12. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    ComboFix 11-09-20.04 - sumesh 09/27/2011 23:19:05.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1989 [GMT 5.5:30]
    Running from: D:\Downloads\ComboFix.exe
    Command switches used :: D:\Downloads\cfscript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    - REDUCED FUNCTIONALITY MODE -


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    c:\users\Default\AppData\Local\temp
    c:\users\LogMeInRemoteUser\AppData\Local\temp
    c:\users\sumesh\AppData\Local\temp
    c:\users\sumesh\AppData\Local\temp\Av-test.txt
    c:\users\sumesh\AppData\Local\temp\FXSAPIDebugLogFile.txt


    ((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))


    2011-09-27 17:49:59 . 2011-09-27 17:49:59 -------- d-----w- C:\Windows\system32\config\systemprofile\AppData\Local\temp
    2011-09-27 17:25:06 . 2011-04-09 05:56:38 123904 ----a-w- C:\Windows\system32\poqexec.exe
    2011-09-27 17:23:23 . 2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\system32\mfc42u.dll
    2011-09-27 17:23:23 . 2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\system32\mfc42.dll
    2011-09-27 17:23:15 . 2011-02-23 05:05:41 221696 ----a-w- C:\Windows\system32\drivers\mrxsmb10.sys
    2011-09-27 17:23:15 . 2011-02-23 05:05:35 95744 ----a-w- C:\Windows\system32\drivers\mrxsmb20.sys
    2011-09-27 17:23:15 . 2011-02-23 05:05:31 123392 ----a-w- C:\Windows\system32\drivers\mrxsmb.sys
    2011-09-27 17:23:15 . 2011-02-23 05:05:25 69632 ----a-w- C:\Windows\system32\drivers\bowser.sys
    2011-09-22 17:56:49 . 2011-09-22 17:56:49 -------- d-----w- C:\Users\sumesh\AppData\Roaming\Yahoo!
    2011-09-21 05:26:31 . 2011-09-22 17:27:38 -------- d-----w- C:\Users\sumesh\AppData\Local\VMware
    2011-09-21 05:26:30 . 2011-09-22 17:25:54 -------- d-----w- C:\Users\sumesh\AppData\Roaming\VMware
    2011-09-21 04:04:18 . 2011-09-21 04:04:18 -------- d-----w- C:\Program Files\ESET
    2011-09-20 17:54:39 . 2010-05-20 19:26:36 334384 ----a-w- C:\Windows\system32\vmnetdhcp.exe
    2011-09-20 17:54:34 . 2010-05-20 19:26:18 399920 ----a-w- C:\Windows\system32\vmnat.exe
    2011-09-20 17:54:34 . 2010-05-20 19:23:58 26288 ----a-w- C:\Windows\system32\drivers\vmnetuserif.sys
    2011-09-20 17:54:30 . 2010-05-20 19:25:24 760368 ----a-w- C:\Windows\system32\vnetlib.dll
    2011-09-20 17:53:46 . 2010-05-20 19:25:04 24624 ----a-w- C:\Windows\system32\drivers\VMkbd.sys
    2011-09-20 17:52:52 . 2011-09-20 17:52:52 -------- d-----w- C:\Program Files\Common Files\VMware
    2011-09-20 17:51:46 . 2011-09-27 17:39:52 -------- d-----w- C:\ProgramData\VMware
    2011-09-20 17:51:46 . 2011-09-20 17:51:46 -------- d-----w- C:\Program Files\VMware
    2011-09-19 18:20:37 . 2011-09-19 18:20:37 388096 ----a-r- C:\Users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-09-19 18:20:37 . 2011-09-19 18:20:37 -------- d-----w- C:\Program Files\Trend Micro
    2011-09-16 03:40:34 . 2011-09-16 03:40:34 -------- d-----w- C:\Users\sumesh\AppData\Roaming\Malwarebytes
    2011-09-16 03:40:29 . 2011-08-31 11:30:50 22216 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2011-09-16 03:40:19 . 2011-09-16 03:40:19 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-09-16 03:40:16 . 2011-09-16 03:54:34 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2011-09-04 07:25:22 . 2011-09-09 09:29:25 134104 ----a-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
    2011-09-04 07:25:21 . 2011-09-09 09:29:25 89048 ----a-w- C:\Program Files\Mozilla Firefox\libEGL.dll
    2011-09-04 07:25:21 . 2011-09-09 09:29:25 478168 ----a-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
    2011-09-04 07:25:21 . 2011-09-09 09:29:24 785368 ----a-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
    2011-09-04 07:25:21 . 2011-09-09 09:29:24 1846232 ----a-w- C:\Program Files\Mozilla Firefox\mozjs.dll
    2011-09-04 07:25:21 . 2011-09-09 09:29:24 15832 ----a-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
    2011-09-04 07:25:21 . 2011-08-30 19:41:03 2106216 ----a-w- C:\Program Files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-04 07:25:21 . 2011-08-30 19:41:03 1998168 ----a-w- C:\Program Files\Mozilla Firefox\d3dx9_43.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-08-27 12:32:19 . 2011-08-27 12:03:35 56816 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
    2011-09-09 09:29:25 . 2011-09-04 07:25:22 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll
    2006-05-03 09:06:54 163328 --sh--r- C:\Windows\System32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- C:\Windows\System32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- C:\Windows\System32\nbDX.dll


    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    --- c:\windows\System32\flvDX.dll ---
    Company: Gabest
    File Description: FLV Splitter
    File Version: 1, 0, 0, 1
    Product Name: FLV Splitter
    Copyright: Copyright (C) 2005-2006 Gabest
    Original Filename: FLVSplitter.ax
    File size: 163328
    Created time: 2010-04-11 16:09:07
    Modified time: 2006-05-03 09:06:54
    MD5: 8453687A045C926F0291301EBAF50370
    SHA1: 8D756345C945B75EF63314FA8992F1B582067FF3


    --- c:\windows\System32\msfDX.dll ---
    Company: Hans Mayerl
    File Description: msfDX.dll
    File Version: 2.02.2113
    Product Name: msfDX.dll
    Copyright:
    Original Filename: msfDX.dll
    File size: 31232
    Created time: 2010-04-11 16:09:07
    Modified time: 2007-02-21 10:47:16
    MD5: 21D8F42D54598B73C2E1A9571399113B
    SHA1: ED711FAA61FDD6D53EACC7A99D60D95DD9137A7D


    --- c:\windows\System32\nbDX.dll ---
    Company: MONOGRAM Multimedia, s.r.o.
    File Description: AMR Filter Pack
    File Version: 1, 0, 1, 0
    Product Name: MONOGRAM AMR Filter Pack
    Copyright: Copyright (C) 2008
    Original Filename: mmamr.ax
    File size: 216064
    Created time: 2010-04-11 16:09:07
    Modified time: 2008-03-16 12:30:52
    MD5: E4B6B932B6E5CE386627CEEA2A0A0F4C
    SHA1: B9BCAAE7BB27161148E1301FC8D8CD3F568C6E22


    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.

    [-] 2011-01-09 07:41:39 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385 (win7_rtm.090713-1255)] . . C:\Windows\System32\user32.dll
    [7] 2009-07-14 01:16:17 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385 (win7_rtm.090713-1255)] . . C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="C:\Users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-07-14 01:14:38 1173504]
    "Messenger (Yahoo!)"="C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 13:27:46 5248312]
    "WordWeb"="C:\Program Files\WordWeb\wweb32.exe" [2009-11-08 19:18:00 65216]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-27 17:26:55 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2009-09-23 15:30:48 141848]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2009-09-23 15:30:48 173592]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2009-09-23 15:30:48 150552]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 07:38:47 209153]
    "Malwarebytes' Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 11:30:48 1047208]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 19:26:12 129584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-13 10:31:51 136176 ----atw- C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-02-28 11:37:58 1828136 ----a-w- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 06:52:02 63048 ----a-w- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 12:44:34 3883856 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    2008-02-18 10:59:02 2221352 ----a-w- C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-04-05 22:27:46 26102056 ----a-r- C:\Program Files\Skype\Phone\Skype.exe

    R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:31 136176]
    R2 UDisk Monitor;UDisk Monitor;C:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 15:06:34 512000]
    R3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 02:53:02 22528]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:31 136176]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-04-13 05:16:02 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-13 23:52:04 48128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-08-27 12:32:19 108289]
    S2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 07:41:32 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2010-01-27 06:52:02 12856]
    S2 vmci;VMware vmci;C:\Windows\system32\Drivers\vmci.sys [2010-05-20 19:26:56 70704]
    S2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 18:10:20 539184]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 22:13:45 207360]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 22:13:46 980992]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 22:13:45 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-13 23:52:10 14336]
    S3 ztemtusbser;ZTEMT Legacy Serial Communication;C:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 04:45:54 105472]


    Contents of the 'Scheduled Tasks' folder

    2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:37 . 2011-09-27 17:22:31]

    2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:37 . 2011-09-27 17:22:31]

    2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
    - C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31:53 . 2010-04-13 10:31:51]

    2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
    - C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31:53 . 2010-04-13 10:31:51]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: C:\Program Files\VMware\VMware Workstation\vsocklib.dll
    TCP: Interfaces\{2EC73E3C-7EF8-48AF-9305-0FF48457E2D5}: NameServer = 202.138.103.190 220.226.100.40
    FF - ProfilePath - C:\Users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true


    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)

    Completion time: 2011-09-27 23:21:29
    ComboFix-quarantined-files.txt 2011-09-27 17:51:28
    ComboFix2.txt 2011-09-21 03:44:20

    Pre-Run: 66,531,991,552 bytes free
    Post-Run: 66,362,544,128 bytes free

    - - End Of File - - 9C377C5F99318DC493F66D52C67A1E7A
     
  13. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Error: Unable to interpret <:> in the current context!
    ========== FILES ==========
    File/Folder C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe not found.
    File/Folder C:\Windows.old.000\Windows\Temp\hss_update.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: sumesh
    ->Temp folder emptied: 7608264 bytes
    ->Temporary Internet Files folder emptied: 132439179 bytes
    ->FireFox cache emptied: 67768770 bytes
    ->Google Chrome cache emptied: 29719155 bytes
    ->Flash cache emptied: 16001 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7808192 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 234.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09272011_230721

    Files moved on Reboot...
    C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-1856.log moved successfully.
    File C:\Windows\temp\MPENGINE.DLL not found!
    File C:\Windows\temp\TMP000000018DAA5311956F992F not found!

    Registry entries deleted on Reboot...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ComboFix ran in REDUCED FUNCTIONALITY MODE. We will have to try and determine why:

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    Next, look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
     
  15. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    When I ran ComboFix, it said a newer version was available and asked me to download it. I selected no. Then a message came that ComboFix had expired and would run in reduced functionality mode.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Allow the update please.
     
  17. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Please see the new ComboFix log after the update.

    ComboFix 11-09-29.06 - sumesh 10/01/2011 9:14.3.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2211 [GMT 5.5:30]
    Running from: d:\downloads\ComboFix.exe
    Command switches used :: d:\downloads\cfscript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\google\common\google updater\googleupdaterservice.exe
    c:\users\Default\AppData\Local\temp
    c:\users\LogMeInRemoteUser\AppData\Local\temp
    c:\users\sumesh\AppData\Local\temp
    c:\users\sumesh\AppData\Local\temp\catchme.dll
    c:\users\sumesh\AppData\Local\temp\FXSAPIDebugLogFile.txt
    c:\users\sumesh\AppData\Local\temp\nro.log\log\ShellManager_Log.txt
    c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-01 03:51 . 2011-10-01 03:51 -------- d-----w- c:\users\sumesh\AppData\Local\Temp
    2011-10-01 03:49 . 2011-10-01 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-09-27 17:25 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-09-27 17:23 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
    2011-09-27 17:23 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
    2011-09-27 17:23 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-09-27 17:23 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-09-27 17:23 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-09-27 17:23 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-09-22 17:56 . 2011-09-22 17:56 -------- d-----w- c:\users\sumesh\AppData\Roaming\Yahoo!
    2011-09-21 05:26 . 2011-09-22 17:27 -------- d-----w- c:\users\sumesh\AppData\Local\VMware
    2011-09-21 05:26 . 2011-09-22 17:25 -------- d-----w- c:\users\sumesh\AppData\Roaming\VMware
    2011-09-21 04:04 . 2011-09-21 04:04 -------- d-----w- c:\program files\ESET
    2011-09-20 17:54 . 2010-05-20 19:26 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
    2011-09-20 17:54 . 2010-05-20 19:26 399920 ----a-w- c:\windows\system32\vmnat.exe
    2011-09-20 17:54 . 2010-05-20 19:23 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
    2011-09-20 17:54 . 2010-05-20 19:25 760368 ----a-w- c:\windows\system32\vnetlib.dll
    2011-09-20 17:53 . 2010-05-20 19:25 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
    2011-09-20 17:52 . 2011-09-20 17:52 -------- d-----w- c:\program files\Common Files\VMware
    2011-09-20 17:51 . 2011-10-01 03:51 -------- d-----w- c:\programdata\VMware
    2011-09-20 17:51 . 2011-09-20 17:51 -------- d-----w- c:\program files\VMware
    2011-09-19 18:20 . 2011-09-19 18:20 388096 ----a-r- c:\users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-09-19 18:20 . 2011-09-19 18:20 -------- d-----w- c:\program files\Trend Micro
    2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\users\sumesh\AppData\Roaming\Malwarebytes
    2011-09-16 03:40 . 2011-08-31 11:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\programdata\Malwarebytes
    2011-09-16 03:40 . 2011-09-16 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-04 07:25 . 2011-09-09 09:29 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-04 07:25 . 2011-09-09 09:29 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-04 07:25 . 2011-09-09 09:29 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-04 07:25 . 2011-09-09 09:29 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-04 07:25 . 2011-09-09 09:29 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-09-04 07:25 . 2011-09-09 09:29 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-04 07:25 . 2011-08-30 19:41 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-04 07:25 . 2011-08-30 19:41 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-27 12:32 . 2011-08-27 12:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-09-09 09:29 . 2011-09-04 07:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
    2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\System32\flvDX.dll ---
    Company: Gabest
    File Description: FLV Splitter
    File Version: 1, 0, 0, 1
    Product Name: FLV Splitter
    Copyright: Copyright (C) 2005-2006 Gabest
    Original Filename: FLVSplitter.ax
    File size: 163328
    Created time: 2010-04-11 16:09
    Modified time: 2006-05-03 09:06
    MD5: 8453687A045C926F0291301EBAF50370
    SHA1: 8D756345C945B75EF63314FA8992F1B582067FF3
    .
    .
    --- c:\windows\System32\msfDX.dll ---
    Company: Hans Mayerl
    File Description: msfDX.dll
    File Version: 2.02.2113
    Product Name: msfDX.dll
    Copyright:
    Original Filename: msfDX.dll
    File size: 31232
    Created time: 2010-04-11 16:09
    Modified time: 2007-02-21 10:47
    MD5: 21D8F42D54598B73C2E1A9571399113B
    SHA1: ED711FAA61FDD6D53EACC7A99D60D95DD9137A7D
    .
    .
    --- c:\windows\System32\nbDX.dll ---
    Company: MONOGRAM Multimedia, s.r.o.
    File Description: AMR Filter Pack
    File Version: 1, 0, 1, 0
    Product Name: MONOGRAM AMR Filter Pack
    Copyright: Copyright (C) 2008
    Original Filename: mmamr.ax
    File size: 216064
    Created time: 2010-04-11 16:09
    Modified time: 2008-03-16 12:30
    MD5: E4B6B932B6E5CE386627CEEA2A0A0F4C
    SHA1: B9BCAAE7BB27161148E1301FC8D8CD3F568C6E22
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
    [7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
    "WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-27 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-04-13 10:31 136176 ----atw- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-02-28 11:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2010-01-27 06:52 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 12:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    2008-02-18 10:59 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-04-05 22:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 136176]
    R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 136176]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
    R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 105472]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-08-27 108289]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
    S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 512000]
    S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-05-20 70704]
    S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 539184]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22]
    .
    2011-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22]
    .
    2011-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
    - c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
    .
    2011-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
    - c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
    FF - ProfilePath - c:\users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\AUDIODG.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\windows\system32\taskhost.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\windows\system32\IoctlSvc.exe
    c:\windows\system32\vmnat.exe
    c:\program files\VMware\VMware Workstation\vmware-authd.exe
    c:\windows\system32\vmnetdhcp.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-01 09:24:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-01 03:54
    ComboFix2.txt 2011-09-27 17:51
    ComboFix3.txt 2011-09-21 03:44
    .
    Pre-Run: 66,974,113,792 bytes free
    Post-Run: 66,759,970,816 bytes free
    .
    - - End Of File - - EA1E150F3EB6A789DB8C55EEDBEA1D46
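Editor's added example (not part of the thread, and not ComboFix's code): the two Sigcheck lines in the log above are the point the rest of the thread turns on, so here is a small Python parser for that section. It reads the `[flag] date . MD5 . size . . [version] . . path` lines, pairs the live copy under System32 with the component-store copy in winsxs, and reports where they disagree. Run over the two lines copied from the log, it surfaces what the helper later asks about: same file version and size, a different MD5, a newer date on the live copy, and a `[-]` marker, which the thread reads as unsigned. That reading of the markers is taken from the thread, not from ComboFix documentation, and is labelled as an assumption in the code.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines of the "------- Sigcheck -------" section
# of the ComboFix log above, copied from the thread (not invented).
# ComboFix prints one line per checked file:
#   [flag] date . MD5 . size . . [file version] . . path
# "[-]" marks a file ComboFix could not verify (the helper in this thread reads
# it as unsigned); the other marker is ComboFix's "verified" flag. Assumption:
# that reading of the markers is taken from the thread, not from ComboFix docs.
SAMPLE_SIGCHECK = "\n".join([
    r"[-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll",
    r"[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll",
])

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        # Copies under \winsxs\ are the component store's reference copies;
        # everything else is the live copy the OS actually loads.
        e["store"] = "\\winsxs\\" in e["path"].lower()
        entries.append(e)
    return entries


def compare_live_to_store(entries):
    """Pair each live file with store copies of the same name and version and
    report what differs. Returns a list of (file name, finding) tuples."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for name, group in sorted(by_name.items()):
        for live in (e for e in group if not e["store"]):
            if live["flag"] == "-":
                findings.append((name, "live copy not verified by Sigcheck"))
            for ref in (e for e in group if e["store"] and e["version"] == live["version"]):
                if ref["md5"] == live["md5"]:
                    continue
                detail = (
                    "hash-mismatch: version %s, live MD5 %s (%d bytes, %s) "
                    "vs winsxs MD5 %s (%d bytes, %s)"
                    % (live["version"], live["md5"], live["size"], live["date"],
                       ref["md5"], ref["size"], ref["date"])
                )
                findings.append((name, detail))
    return findings


if __name__ == "__main__":
    for name, finding in compare_live_to_store(parse_sigcheck(SAMPLE_SIGCHECK)):
        print("%s: %s" % (name, finding))
```

Paste the whole Sigcheck section of any ComboFix log into `SAMPLE_SIGCHECK` to get the same comparison for every file it lists; a live file with no winsxs copy of the same version produces no hash finding, only the unverified flag if `[-]` is set.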
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the MGA Diagnostics tool as requested in my Reply #14.
     
  19. sumeshmd

    sumeshmd TS Rookie Topic Starter Posts: 73

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0xc004c4ab
    Windows Product Key: *****-*****-X92GV-V7DCV-P4K27
    Windows Product Key Hash: aU2z1/fnhnLHmhBm699qYZT2E6s=
    Windows Product ID: 00426-OEM-8992662-00400
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7600.2.00010100.0.0.001
    ID: {4F709DBD-1593-4960-BC1C-EE51832AB9C2}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000000
    Build lab: 7600.win7_gdr.091207-1941
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 100 Genuine
    2007 Microsoft Office system - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{4F709DBD-1593-4960-BC1C-EE51832AB9C2}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P4K27</PKey><PID>00426-OEM-8992662-00400</PID><PIDType>2</PIDType><SID>S-1-5-21-2054017810-423255862-2823113913</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>Compaq Presario C700 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.33</Version><SMBIOSVersion major="2" minor="4"/><Date>20080429000000.000000+000</Date></BIOS><HWID>EFBB3607018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>India Standard Time(GMT+05:30)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>QA09 </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><Val>8A2069E2CF8B42</Val><Hash>j384Xd3/PRRqo0hihFoMRPYhES4=</Hash><Pid>89451-417-1305973-66714</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0xC004C4AB
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 10:14:2010 14:57
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Not Registered - 0x80070005
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: PAAAAAEAAgABAAMAAAADAAAABQABAAEAeqjwQMwi/JDUr4ZwwlDOcPxTsEEOrzjd0K4gZmbrcorgmyqF

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name    OEMID Value    OEMTableID Value
    APIC               HPQOEM         SLIC-MPC
    FACP               HP             SPARTAN
    HPET               HPQOEM         SLIC-MPC
    BOOT               HPQOEM         SLIC-MPC
    MCFG               HPQOEM         SLIC-MPC
    ASF!               HPQOEM         SLIC-MPC
    SLIC               DELL           QA09
    SSDT               PmRef          CpuPm
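Editor's added example (not part of the thread, and not MGADiag's code): the report above is long, so these Python helpers pull out the parts a reviewer would check. `file_mismatches` lists the `File Mismatch` lines and decodes the HRESULT, so `0x800b0100` reads as TRUST_E_NOSIGNATURE (the file carries no Authenticode or catalog signature), which lines up with ComboFix's `[-]` on the same user32.dll. `slic_oemid_check` reads the ACPI table listing and reports whether the SLIC row's OEMID (here `DELL`) matches the OEMID of any other table on the same BIOS (here `HPQOEM` and `HP`). The report's own `OEMID and OEMTableID Consistent: yes` line is MGADiag's verdict; this check asks only the narrower question and flags the discrepancy, and the thread draws no conclusion from it. The sample lines are copied from the report; the HRESULT names are the documented Windows values.

```python
import re

# Constructed sample: excerpts of the MGADiag report posted above, copied from
# the thread (paths, versions, HRESULTs and ACPI rows are the report's own).
SAMPLE_MGA = "\n".join([
    r"File Scan Data-->",
    r"File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100",
    r"File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100",
    r"",
    r"Windows Activation Technologies-->",
    r"HrOffline: 0x00000000",
    r"Admin Service: Not Registered - 0x80070005",
    r"",
    r"OEM Activation 2.0 Data-->",
    r"BIOS valid for OA 2.0: yes",
    r"BIOS Information:",
    r"ACPI Table Name OEMID Value OEMTableID Value",
    r"APIC HPQOEM SLIC-MPC",
    r"FACP HP SPARTAN",
    r"HPET HPQOEM SLIC-MPC",
    r"BOOT HPQOEM SLIC-MPC",
    r"MCFG HPQOEM SLIC-MPC",
    r"ASF! HPQOEM SLIC-MPC",
    r"SLIC DELL QA09",
    r"SSDT PmRef CpuPm",
])

# Documented Windows HRESULT values that occur in this report.
HRESULT_NAMES = {
    0x80070002: "ERROR_FILE_NOT_FOUND",
    0x80070005: "E_ACCESSDENIED",
    0x800B0100: "TRUST_E_NOSIGNATURE (no Authenticode or catalog signature found)",
}
FACILITY_WIN32 = 7


def decode_hresult(hr):
    """Name an HRESULT if known; otherwise unwrap FACILITY_WIN32 codes."""
    if hr in HRESULT_NAMES:
        return HRESULT_NAMES[hr]
    if hr & 0x80000000 and ((hr >> 16) & 0x7FF) == FACILITY_WIN32:
        return "HRESULT_FROM_WIN32(%d)" % (hr & 0xFFFF)
    return "unknown HRESULT"


MISMATCH_RE = re.compile(
    r"^File Mismatch:\s+(?P<path>.+?)\[(?P<ver>[^\]]*)\],\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]{8})\s*$"
)


def file_mismatches(text):
    """Every 'File Mismatch' line as a dict with the HRESULT decoded."""
    out = []
    for line in text.splitlines():
        m = MISMATCH_RE.match(line.strip())
        if m:
            hr = int(m.group("hr"), 16)
            out.append({"path": m.group("path"), "version": m.group("ver"),
                        "hr": hr, "meaning": decode_hresult(hr)})
    return out


def acpi_tables(text):
    """Rows of the 'BIOS Information' listing as (table, OEMID, OEMTableID).
    Limitation: an OEMID or table ID containing a space would break the
    three-token split and end the table early."""
    rows, in_table = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ACPI Table Name"):
            in_table = True
            continue
        if in_table:
            parts = s.split()
            if len(parts) != 3:
                break
            rows.append(tuple(parts))
    return rows


def slic_oemid_check(rows):
    """Does the SLIC row's OEMID match the OEMID of any other ACPI table?"""
    slic = [r for r in rows if r[0] == "SLIC"]
    if not slic:
        return {"slic_present": False}
    others = sorted({r[1] for r in rows if r[0] != "SLIC"})
    return {"slic_present": True, "slic_oemid": slic[0][1],
            "slic_tableid": slic[0][2], "other_oemids": others,
            "matches_other_table": slic[0][1] in others}


if __name__ == "__main__":
    for m in file_mismatches(SAMPLE_MGA):
        print("%s [%s] -> 0x%08X %s" % (m["path"], m["version"], m["hr"], m["meaning"]))
    print(slic_oemid_check(acpi_tables(SAMPLE_MGA)))
```

`decode_hresult` also explains the other codes in the report: the many `hr = 0x80070002` entries are ERROR_FILE_NOT_FOUND (the XP-era WGA components simply are not present on Windows 7) and the `Admin Service: Not Registered - 0x80070005` line is E_ACCESSDENIED.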
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Question:
    You have an unsigned driver for c:\windows\System32\user32.dll

    This file is also showing as a 'mismatch'.

    Have you upgraded the Win 7 version?
     
