TechSpot

Started w browser hijack, now no Google/ gmail or printer (win 7)

By tussey
Aug 27, 2011
  1. Hi everyone and thank you for making this forum available.

    Our problem started with mywebsearch and redirection problems. Now we can't access Google, gmail, or use search functions of any toolbars. We get a 404 Page Unavailable message. We usually use Internet Explorer, but even Firefox has the same problems.

    We also cannot use our printer/scanner now.

    Before we found this forum, we used Malwarebytes, SuperAntispiware, and a host of other malware removal tools. Cleaned/ repaired registry, flushed DNS, Combofix, defogger, and who knows what else.

    Here are our logs from your prescribed actions.

    PLEASE NOTE THAT GMER found nothing, although it appeared to be scanning only services, registry and files (default settings, since instructions did not seem to indicate enabling any of the other options- please let us know if we need to redo anything).


    Malwarebytes
    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7587

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    8/27/2011 8:32:29 AM
    mbam-log-2011-08-27 (08-32-29).txt

    Scan type: Quick scan
    Objects scanned: 182497
    Time elapsed: 1 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    NO GMER LOG- NOTHING FOUND


    DDS
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Tussey at 9:10:34 on 2011-08-27
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.4052 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
    C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar = Preserve
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
    uRun: [VDC] "C:\ProgramData\1c5a77\AntiMalwareLab.exe" /s
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
    mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    mRun: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
    StartupFolder: C:\Users\Tussey\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
    TCP: Interfaces\{B89FDC3A-DB16-4BA9-AE8C-35E30C01AB66} : DhcpNameServer = 24.116.2.50 24.116.2.34
    IFEO: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
    mRun-x64: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    mRun-x64: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
    IFEO-X64: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
    Hosts: 217.23.15.126 www.google.com.
    Hosts: 217.23.15.126 google.com.
    Hosts: 217.23.15.126 google.com.au.
    Hosts: 217.23.15.126 www.google.com.au.
    Hosts: 217.23.15.126 google.be.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Tussey\AppData\Roaming\Mozilla\Firefox\Profiles\tsn7gjlc.default\
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm002L1us&ptb=7083F09A-4E4A-4E17-93F7-B2B8F580580E&psa=&ind=2011080221&ptnrS=XPxdm002L1us&si=CO-E17uCsqoCFQHu7QodlxRZ8g&st=kwd&n=77dea61d&searchfor=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npdf.dll
    FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-7-14 42184]
    R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-7-6 375176]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-1-11 15928]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
    R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-6-21 341296]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-18 136176]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-18 136176]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-27 12:11:56 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{ACF9CEE0-97BF-4026-B647-6F5A0DD4A6F7}\mpengine.dll
    2011-08-25 20:03:00 902656 ----a-w- C:\Windows\System32\d2d1.dll
    2011-08-25 20:03:00 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
    2011-08-25 20:03:00 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2011-08-25 20:03:00 1139200 ----a-w- C:\Windows\System32\FntCache.dll
    2011-08-25 20:03:00 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2011-08-24 19:00:19 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
    2011-08-24 19:00:19 72216 ----a-w- C:\Windows\System32\drivers\LMIRfsDriver.sys
    2011-08-24 19:00:19 60800 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMIproc.dll
    2011-08-24 19:00:19 33152 ----a-w- C:\Windows\System32\LMIport.dll
    2011-08-24 19:00:15 80768 ----a-w- C:\Windows\System32\LMIinit.dll
    2011-08-24 19:00:01 -------- d-----w- C:\Program Files (x86)\LogMeIn
    2011-08-23 22:56:34 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-08-23 22:56:34 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-08-23 02:11:15 -------- d-----w- C:\ProgramData\Recovery
    2011-08-20 22:38:16 388096 ----a-r- C:\Users\Tussey\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-20 22:38:16 -------- d-----w- C:\Program Files (x86)\Trend Micro
    2011-08-20 20:40:50 -------- d-----w- C:\MGtools
    2011-08-20 20:12:13 -------- d-----w- C:\ComboFix
    2011-08-20 17:09:50 -------- d-----w- C:\Users\Tussey\AppData\Roaming\SUPERAntiSpyware.com
    2011-08-20 17:08:34 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
    2011-08-20 17:08:34 -------- d-----w- C:\Program Files\SUPERAntiSpyware
    2011-08-20 02:09:02 -------- d-----w- C:\Program Files (x86)\Free Window Registry Repair
    2011-08-19 17:02:17 -------- d-----w- C:\Windows\System32\SPReview
    2011-08-19 17:01:44 -------- d-----w- C:\Windows\System32\EventProviders
    2011-08-18 19:44:40 96320 ----a-w- C:\Users\Tussey\AppData\Local\TelevisionFanaticAuto.exe
    2011-08-11 13:48:37 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2011-08-11 13:48:33 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F4DFFFB9-2BF6-464F-90CA-90C60A652E4D}\gapaengine.dll
    2011-08-10 16:51:10 -------- d-----w- C:\Users\Tussey\AppData\Roaming\OpenOffice.org
    2011-08-10 15:34:54 338432 ----a-w- C:\Windows\System32\conhost.exe
    2011-08-05 22:34:01 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-08-04 22:14:45 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2011-08-04 22:14:28 -------- d-----w- C:\Program Files\Microsoft Security Client
    2011-08-03 01:55:34 -------- d-----w- C:\Program Files (x86)\TelevisionFanaticEI
    2011-08-02 12:57:27 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FB04AEE2-CE39-4382-9435-FDA6074829B1}\mpengine.dll
    2011-08-01 18:51:49 -------- d-----w- C:\Users\Tussey\AppData\Roaming\PrimoPDF
    2011-08-01 18:50:40 28976 ----a-w- C:\Windows\System32\nitrolocalmon2.dll
    2011-08-01 18:50:40 17200 ----a-w- C:\Windows\System32\nitrolocalui2.dll
    2011-08-01 18:50:33 -------- d-----w- C:\Program Files\Common Files\Nitro PDF
    2011-08-01 18:50:33 -------- d-----w- C:\Program Files (x86)\Common Files\Nitro PDF
    2011-08-01 18:49:26 -------- d-----w- C:\Users\Tussey\AppData\Local\OpenCandy
    2011-08-01 18:49:24 95008 ----a-w- C:\Windows\System32\Primomonnt.dll
    2011-08-01 18:49:24 -------- d-----w- C:\Users\Tussey\AppData\Roaming\OpenCandy
    2011-08-01 18:49:23 -------- d-----w- C:\Program Files (x86)\Nitro PDF
    2011-07-29 18:14:09 -------- d-----w- C:\Users\Tussey\AppData\Local\Diagnostics
    .
    ==================== Find3M ====================
    .
    2011-08-19 18:00:00 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
    2011-08-19 18:00:00 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-08-19 18:00:00 161792 ----a-w- C:\Windows\SysWow64\msls31.dll
    2011-08-19 18:00:00 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-08-19 17:12:08 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2011-08-19 17:12:07 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2011-07-20 17:05:42 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-07-04 11:43:53 40112 ----a-w- C:\Windows\avastSS.scr
    2011-07-04 11:36:56 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-07-04 11:32:24 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
    2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
    2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
    2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
    2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
    2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
    2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
    2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
    2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
    2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
    2011-06-06 21:53:32 1243192 ----a-w- C:\Windows\help\OEM\Scripts\HPSAUpgrade.exe
    2011-06-03 19:03:02 55864 ----a-w- C:\Windows\help\OEM\Scripts\HPSAUpdaterObj.exe
    .
    ============= FINISH: 9:10:58.60 ===============


    ATTACH LOG
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/12/2011 8:17:19 PM
    System Uptime: 8/27/2011 7:01:14 AM (2 hours ago)
    .
    Motherboard: PEGATRON CORPORATION | | VIOLET
    Processor: AMD Athlon(tm) II X4 620 Processor | CPU 1 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 584 GiB total, 535.656 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 2.18 GiB free.
    E: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: DVD Xpress
    Device ID: USB\VID_06E1&PID_B701\6&E7FC690&0&3
    Manufacturer:
    Name: DVD Xpress
    PNP Device ID: USB\VID_06E1&PID_B701\6&E7FC690&0&3
    Service:
    .
    Class GUID:
    Description:
    Device ID: USB\VID_0733&PID_0401\6&E7FC690&0&2
    Manufacturer:
    Name:
    PNP Device ID: USB\VID_0733&PID_0401\6&E7FC690&0&2
    Service:
    .
    ==== System Restore Points ===================
    .
    RP51: 8/23/2011 8:10:45 AM - Windows Update
    RP52: 8/24/2011 12:20:26 AM - Windows Update
    RP53: 8/24/2011 1:59:37 PM - Installed LogMeIn
    RP54: 8/25/2011 9:21:59 PM - Windows Update
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 217.23.15.126 www.google.com.
    Hosts: 217.23.15.126 google.com.
    Hosts: 217.23.15.126 google.com.au.
    Hosts: 217.23.15.126 www.google.com.au.
    Hosts: 217.23.15.126 google.be.
    Hosts: 217.23.15.126 www.google.be.
    Hosts: 217.23.15.126 google.com.br.
    Hosts: 217.23.15.126 www.google.com.br.
    Hosts: 217.23.15.126 google.ca.
    Hosts: 217.23.15.126 www.google.ca.
    Hosts: 217.23.15.126 google.ch.
    Hosts: 217.23.15.126 www.google.ch.
    Hosts: 217.23.15.126 google.de.
    Hosts: 217.23.15.126 www.google.de.
    Hosts: 217.23.15.126 google.dk.
    Hosts: 217.23.15.126 www.google.dk.
    Hosts: 217.23.15.126 google.fr.
    Hosts: 217.23.15.126 www.google.fr.
    Hosts: 217.23.15.126 google.ie.
    Hosts: 217.23.15.126 www.google.ie.
    Hosts: 217.23.15.126 google.it.
    Hosts: 217.23.15.126 www.google.it.
    Hosts: 217.23.15.126 google.co.jp.
    Hosts: 217.23.15.126 www.google.co.jp.
    Hosts: 217.23.15.126 google.nl.
    Hosts: 217.23.15.126 www.google.nl.
    Hosts: 217.23.15.126 google.no.
    Hosts: 217.23.15.126 www.google.no.
    Hosts: 217.23.15.126 google.co.nz.
    Hosts: 217.23.15.126 www.google.co.nz.
    Hosts: 217.23.15.126 google.pl.
    Hosts: 217.23.15.126 www.google.pl.
    Hosts: 217.23.15.126 google.se.
    Hosts: 217.23.15.126 www.google.se.
    Hosts: 217.23.15.126 google.co.uk.
    Hosts: 217.23.15.126 www.google.co.uk.
    Hosts: 217.23.15.126 google.co.za.
    Hosts: 217.23.15.126 www.google.co.za.
    Hosts: 217.23.15.126 www.google-analytics.com.
    Hosts: 217.23.15.126 www.bing.com.
    Hosts: 217.23.15.126 search.yahoo.com.
    Hosts: 217.23.15.126 www.search.yahoo.com.
    Hosts: 217.23.15.126 uk.search.yahoo.com.
    Hosts: 217.23.15.126 ca.search.yahoo.com.
    Hosts: 217.23.15.126 de.search.yahoo.com.
    Hosts: 217.23.15.126 fr.search.yahoo.com.
    Hosts: 217.23.15.126 au.search.yahoo.com.
    .
    ==== Installed Programs ======================
    .
    Activate Norton Online Backup
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.1.0)
    Adobe Shockwave Player 11.6
    avast! Free Antivirus
    Compatibility Pack for the 2007 Office system
    CyberLink DVD Suite Deluxe
    DirectX for Managed Code Update (Summer 2004)
    Free Window Registry Repair
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    HiJackThis
    HP Advisor
    HP Customer Experience Enhancements
    HP Games
    HP MediaSmart Demo
    HP MediaSmart DVD
    HP MediaSmart Movie Themes
    HP MediaSmart Music/Photo/Video
    HP Odometer
    HP Remote Solution
    HP Setup
    HP Support Assistant
    HP Support Information
    HP Update
    HPAsset component for HP Active Support Library
    LabelPrint
    LightScribe System Software
    LogMeIn
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Moraff's Maximum MahJongg
    Mozilla Firefox 5.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.3
    PictureMover
    Power2Go
    PowerDirector
    PowerRecover
    PrimoPDF -- brought to you by Nitro PDF Software
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/25/2011 12:24:00 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.587.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    8/22/2011 9:05:24 PM, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0
    8/22/2011 8:33:24 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    8/22/2011 8:20:36 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver has restarted scanning items and is out of pass through mode.
    8/22/2011 8:19:34 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: On Access Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.
    8/22/2011 8:19:34 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.
    8/22/2011 8:16:13 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BITS service.
    8/22/2011 8:15:14 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    8/22/2011 8:14:59 PM, Error: Service Control Manager [7023] - The IP Helper service terminated with the following error: The specified module could not be found.
    8/22/2011 8:14:50 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    8/22/2011 8:07:27 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
    8/22/2011 8:06:20 PM, Error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0
    8/21/2011 1:09:16 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DNS Client service, but this action failed with the following error: An instance of the service is already running.
    8/21/2011 1:07:16 PM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/21/2011 1:07:16 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    8/21/2011 1:07:16 PM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    8/21/2011 1:07:16 PM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/20/2011 6:20:43 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    8/20/2011 12:05:27 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    .
    ==== End Of File ===========================



    ***Please note that the scans were performed by our daughter in law through remote access (LogMeIn). She'll be performing any further instruction as well. If anything cannot be run remotely, please specify and she'll come over instead

    Thanks again
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help sort the problems out! Please read the following:

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
    Please remove one of these antivirus programs. If you already had MSE, you did not need to download Avast. You should run only one AV program:
    Please reboot the computer when finished.
    =======================================
    Please repeat the DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.-

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5].With the router unplugged, start your computer.
      [6].Connect to the router again. The turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    =======================================
    You are running a rogue program named AntiMalwareLab a typical fake anti-spyware program it imitates a system scan and claims that your computer is infected with malicious software to urge the user whose computer is infected by Anti-Malware Lab to purchase the full version of Anti-Malware Lab.

    Firefox is also running MyWebSearch.
    =============================
    Please remove all of the following:
    1. C:\Program Files (x86)\Free Window Registry Repair>> We do not recommend that anyone use a Registry cleaner.
    2. C:\MGtools>> Please remove the entire MGTools Directory and any logs from it.
    3. C:\ComboFix>> Please see uninstall directions below
    ========================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ===========================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    Reopen HijackThis to do system scan only. Check each of the following if present: These will all show as 01Hosts entries.
    Hosts: 217.23.15.126 www.google.com.
    Hosts: 217.23.15.126 google.com.
    Hosts: 217.23.15.126 google.com.au.
    Hosts: 217.23.15.126 www.google.com.au.
    Hosts: 217.23.15.126 google.be.
    Hosts: 217.23.15.126 www.google.be.
    Hosts: 217.23.15.126 google.com.br.
    Hosts: 217.23.15.126 www.google.com.br.
    Hosts: 217.23.15.126 google.ca.
    Hosts: 217.23.15.126 www.google.ca.
    Hosts: 217.23.15.126 google.ch.
    Hosts: 217.23.15.126 www.google.ch.
    Hosts: 217.23.15.126 google.de.
    Hosts: 217.23.15.126 www.google.de.
    Hosts: 217.23.15.126 google.dk.
    Hosts: 217.23.15.126 www.google.dk.
    Hosts: 217.23.15.126 google.fr.
    Hosts: 217.23.15.126 www.google.fr.
    Hosts: 217.23.15.126 google.ie.
    Hosts: 217.23.15.126 www.google.ie.
    Hosts: 217.23.15.126 google.it.
    Hosts: 217.23.15.126 www.google.it.
    Hosts: 217.23.15.126 google.co.jp.
    Hosts: 217.23.15.126 www.google.co.jp.
    Hosts: 217.23.15.126 google.nl.
    Hosts: 217.23.15.126 www.google.nl.
    Hosts: 217.23.15.126 google.no.
    Hosts: 217.23.15.126 www.google.no.
    Hosts: 217.23.15.126 google.co.nz.
    Hosts: 217.23.15.126 www.google.co.nz.
    Hosts: 217.23.15.126 google.pl.
    Hosts: 217.23.15.126 www.google.pl.
    Hosts: 217.23.15.126 google.se.
    Hosts: 217.23.15.126 www.google.se.
    Hosts: 217.23.15.126 google.co.uk.
    Hosts: 217.23.15.126 www.google.co.uk.
    Hosts: 217.23.15.126 google.co.za.
    Hosts: 217.23.15.126 www.google.co.za.
    Hosts: 217.23.15.126 www.google-analytics.com.
    Hosts: 217.23.15.126 www.bing.com.
    Hosts: 217.23.15.126 search.yahoo.com.
    Hosts: 217.23.15.126 www.search.yahoo.com.
    Hosts: 217.23.15.126 uk.search.yahoo.com.
    Hosts: 217.23.15.126 ca.search.yahoo.com.
    Hosts: 217.23.15.126 de.search.yahoo.com.
    Hosts: 217.23.15.126 fr.search.yahoo.com.
    Hosts: 217.23.15.126 au.search.yahoo.com.


    Close all Windows except HijackThis and click on "Fix Checked."
    =============================================
    It may be easier for you to just register on TechSpot and let me direct you through.
     
  3. tussey

    tussey TS Rookie Topic Starter

    COMBOFIX LOG

    ComboFix 11-08-27.01 - Tussey 08/27/2011 15:11:43.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.4484 [GMT -5:00]
    Running from: c:\users\Tussey\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Tussey\AppData\Local\TelevisionFanaticAuto.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 19:47 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8CCDB78-157F-4543-A888-81E7A91AB075}\mpengine.dll
    2011-08-25 20:03 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2011-08-25 20:03 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2011-08-25 20:03 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2011-08-25 20:03 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
    2011-08-25 20:03 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2011-08-24 19:03 . 2011-08-24 19:03 -------- d-----w- c:\users\LogMeInRemoteUser
    2011-08-24 19:00 . 2011-07-06 21:33 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-08-24 19:00 . 2011-07-06 21:33 60800 ----a-w- c:\windows\system32\Spool\prtprocs\x64\LMIproc.dll
    2011-08-24 19:00 . 2011-07-06 21:33 33152 ----a-w- c:\windows\system32\LMIport.dll
    2011-08-24 19:00 . 2011-01-12 00:04 72216 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2011-08-24 19:00 . 2011-07-06 21:33 80768 ----a-w- c:\windows\system32\LMIinit.dll
    2011-08-24 19:00 . 2011-08-24 19:03 -------- d-----w- c:\program files (x86)\LogMeIn
    2011-08-23 22:56 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-23 22:56 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-08-23 02:11 . 2011-08-23 02:11 -------- d-----w- c:\programdata\Recovery
    2011-08-20 22:38 . 2011-08-23 01:38 -------- d-----w- c:\program files (x86)\Trend Micro
    2011-08-20 22:38 . 2011-08-20 22:38 388096 ----a-r- c:\users\Tussey\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-20 17:09 . 2011-08-23 01:40 -------- d-----w- c:\users\Tussey\AppData\Roaming\SUPERAntiSpyware.com
    2011-08-20 17:08 . 2011-08-23 01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-20 17:08 . 2011-08-20 17:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-08-19 17:02 . 2011-08-23 01:50 -------- d-----w- c:\windows\system32\SPReview
    2011-08-19 17:01 . 2011-08-19 17:01 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-11 13:48 . 2010-11-30 16:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2011-08-11 13:48 . 2010-11-30 16:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4DFFFB9-2BF6-464F-90CA-90C60A652E4D}\gapaengine.dll
    2011-08-10 16:51 . 2011-08-10 16:51 -------- d-----w- c:\users\Tussey\AppData\Roaming\OpenOffice.org
    2011-08-05 22:34 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-08-04 22:14 . 2011-08-04 22:14 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-08-04 22:14 . 2011-08-04 22:15 -------- d-----w- c:\program files\Microsoft Security Client
    2011-08-03 01:55 . 2011-08-03 01:55 -------- d-----w- c:\program files (x86)\TelevisionFanaticEI
    2011-08-02 12:57 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB04AEE2-CE39-4382-9435-FDA6074829B1}\mpengine.dll
    2011-08-01 18:53 . 2011-08-20 20:44 -------- d-----w- c:\users\Tussey\AppData\Roaming\Nitro PDF
    2011-08-01 18:51 . 2011-08-01 18:55 -------- d-----w- c:\users\Tussey\AppData\Roaming\PrimoPDF
    2011-08-01 18:50 . 2011-06-21 23:56 17200 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2011-08-01 18:50 . 2011-06-21 23:56 28976 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    2011-08-01 18:50 . 2011-08-01 18:50 -------- d-----w- c:\programdata\Nitro PDF
    2011-08-01 18:50 . 2011-08-01 18:50 -------- d-----w- c:\program files\Common Files\Nitro PDF
    2011-08-01 18:50 . 2011-08-01 18:50 -------- d-----w- c:\program files (x86)\Common Files\Nitro PDF
    2011-08-01 18:49 . 2011-08-02 12:52 -------- d-----w- c:\users\Tussey\AppData\Local\OpenCandy
    2011-08-01 18:49 . 2011-08-01 18:49 -------- d-----w- c:\users\Tussey\AppData\Roaming\OpenCandy
    2011-08-01 18:49 . 2011-02-28 22:37 95008 ----a-w- c:\windows\system32\Primomonnt.dll
    2011-08-01 18:49 . 2011-08-01 18:50 -------- d-----w- c:\program files (x86)\Nitro PDF
    2011-07-29 18:14 . 2011-08-23 00:36 -------- d-----w- c:\users\Tussey\AppData\Local\Diagnostics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-19 17:12 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-08-19 17:12 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-20 17:05 . 2011-07-20 17:05 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-07-16 04:26 . 2011-08-10 15:34 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-07-07 00:52 . 2011-07-18 16:03 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-07 00:52 . 2011-07-18 16:03 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-04 11:43 . 2011-07-18 16:00 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-11 03:07 . 2011-07-14 02:38 3137536 ----a-w- c:\windows\system32\win32k.sys
    2011-06-06 21:53 . 2011-07-27 19:23 1243192 ----a-w- c:\windows\help\OEM\Scripts\HPSAUpgrade.exe
    2011-06-03 19:03 . 2011-07-27 19:23 55864 ----a-w- c:\windows\help\OEM\Scripts\HPSAUpdaterObj.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-07-16 1668664]
    "VDC"="c:\programdata\1c5a77\AntiMalwareLab.exe" [2011-07-18 2916864]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-20 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-05-13 581480]
    "UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe" [2010-09-02 2045440]
    .
    c:\users\Tussey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-18 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-18 136176]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-07-06 375176]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-12 15928]
    S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-06-21 341296]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-18 16:00]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-18 16:00]
    .
    2011-08-18 c:\windows\Tasks\HPCeeScheduleForTussey.job
    - c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-25 21:38]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-18 16334368]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-08 610360]
    "EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe" [2010-09-02 2045440]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    "LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-12 57928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
    FF - ProfilePath - c:\users\Tussey\AppData\Roaming\Mozilla\Firefox\Profiles\tsn7gjlc.default\
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm002L1us&ptb=7083F09A-4E4A-4E17-93F7-B2B8F580580E&psa=&ind=2011080221&ptnrS=XPxdm002L1us&si=CO-E17uCsqoCFQHu7QodlxRZ8g&st=kwd&n=77dea61d&searchfor=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-Free Window Registry Repair - c:\progra~2\FREEWI~1\UNWISE.EXE
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
    c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 15:20:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 20:20
    .
    Pre-Run: 585,489,895,424 bytes free
    Post-Run: 585,288,945,664 bytes free
    .
    - - End Of File - - 87E8368AF0FFC57CF01413EAB04B2633






    *********************************************************************************
    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:30:51 PM, on 8/27/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
    c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    O4 - HKLM\..\Run: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
    O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
    O4 - HKCU\..\Run: [VDC] "C:\ProgramData\1c5a77\AntiMalwareLab.exe" /s
    O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 8723 bytes


    *****************************************************************




    Please note: No host info appeared at all in the "System Scan Only" of HijackThis.


    (Thanks again for helping us. We will await your reply with further instruction. We can now access Google, though- so progress is being made, thanks to you!)
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We still have to get My Web Search out of Firefox.
    ---------------------------------
    Question: Are you aware that you have multiple PDF programs doing the same thing?
    Adobe Reader: PDF Reader
    Nitro PDF: create, convert, combine, edit, sign and share industry-standard PDF files
    Primomonnt.dll : Part of the PDF printer?
    PrimoPDF: create, convert PDF
    Wouldn't a full program that does it all be more helpful?
    ------------------------------------------
    Look on the download site for this> http://www.primopdf.com/index.aspx
    Do you see where it says "we use Open Candy"? Well, it also bundles Open Candy:
    Why should you avoid OpenCandy? OpenCandy produces an advertising software module consisting of a Microsoft Windows library that can be incorporated in a Windows installer. When a user installs an application that has the OpenCandy library, there is an option to install additional software that it recommends (based on a scan of the user's system and geolocation)
    I did not see anywhere to opt out of OpenCandy on the site. I'm setting this up for removal but want to caution you to always look over a download screen before you download. Some sites are blatantly open like this one, other have bundled toolbars, browser helper objects, etc. pre-checked on the screen and if you don't uncheck them, they will download, usually bringing some type of malware.
    ======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files (x86)\TelevisionFanaticEI
    DDS::
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    uRun: [VDC] "C:\ProgramData\1c5a77\AntiMalwareLab.exe" /s
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
    Extra::
    Firefox::
    Firefox-: - Profile - c:\users\Tussey\AppData\Roaming\Mozilla\Firefox\Profiles\tsn7gjlc.default\
    Firefox-: prefs.js - Search.DefaultURL
    Firefox-: prefs.js - Start.Homepage
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Firefox Keyword Reset:

    • [1]. Open FireFox and instead of a URL, type about:config in the Address Bar.
      [2]. Firefox will give you a warning, but go in anyway.
      [3]. Locate the keyword.url line. It should look like the image below.
      [​IMG]
      [4]. Right click on keyword.url, then select Reset
    ===================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================================
    Reopen HijackThis to 'do system scan only.' Check each of the following, if present:[/b]

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKCU\..\Run: [VDC] "C:\ProgramData\1c5a77\AntiMalwareLab.exe" /s
    See note.

    Close all Windows except HijackThis and click on "Fix Checked."

    Note for Anti-Malware Lab This is a rogue anti-spyware from the same family of rogues as PC Security Guardian, Best Malware Protection, Internet Antivirus 2011, etc. The program pretends to be a legitimate antivirus software but, in reality, it can not remove viruses, trojans, etc., nor will be protect your computer from legitimate future infections. Anti-Malware Lab is created with one purpose to trick you into purchasing the full version of the software.

    Please check the Startup Menu and Add/Remove Programs in the Control Panel. If you see any entry for or relating to Anti-Malware Lab, unchecl on Startup, uninstall in Add/Remove Programs.

    If you did find the program either place, after removal use Windows Explorer to locate Programs and do a right click> Delete on it's program folder.
     
  5. tussey

    tussey TS Rookie Topic Starter

    Thank you.

    Did ComboFix as instructed. Same for Firefox instruction.


    ESET Online Scan
    C:\Users\Tussey\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\02CCEE23.exe a variant of Win32/Toolbar.MyWebSearch.O application



    Didn't find any Anti Malware Lab remaining.


    However, now the printer stopped working.Pretends it's printing but the paper it spits out is just as blank as before. Ink levels are good (replaced just about 10 printings ago. Maybe 15 pages printed in all on these cartridges)

    (Thanks again for your help.)
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome!
    For the Eset entry:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      
      :Files  
      C:\Users\Tussey\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\02CCEE2 3.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    Please post the new Combofix log that was generated after running the script.[/b
    =============================================
    SOP for printer problems> uninstall, then reinstall first. HP has a Troubleshooting tab available when you open the printer. Go through that after the reinstall and check all printer settings. This likely doesn't have anything to do with the hijack.

    Is there any changes in the system? Can you access your email yet? The latter may also be unrelated.

    Glad to help.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...