Solved Trojans, conhooks, and more

needcomphelp

I am trying to fix my mom's computer that she just bought about 2 months ago. I currently have downloaded IObit Advanced System Care 3. The first time I ran the program it picked up 9,593 Security Defense problems. I am able to look at the problems. In those problems are trojans, and conhooks. As well as a lot of other items I have not seen before. A few of them that are listed several times are: KeenValue, a lot of different Hijacker listings, SearchBarCash, NetCash Dialer, DailerPlatform Dialer, and many, many more.

Advanced System Care 3 lists the problems as being "(Immunized)", so I'm not sure if Advanced System Care gets rid of them or not, but there are a few things that are not working right on the internet.

How can I get rid of them without having to reinstall the whole Operating System?

Also, we are on a dial up connection, so does that make the chance greater of us getting trojans and conhooks on our computer?

One more thing, we have the Windows 7 Operating System on this computer, but we have a regular Internet Explorer, and Internet Explorer (x64). Neither of them are listed in the "Add and Remove Programs" under the Control Panel. Which one should I set as default and how do I get rid of the other one?
 
OK... so I've done all the steps up to the GMER part.... I followed the instructions. I tried renaming it, and then running it in safe mode. In safe mode, after I press scan, a window comes up saying something about windows/sys32 is already in use. Something along those lines. I am not sure if I did something wrong, or if that is normal. If you would, please let me know. Right now I'm at a standstill.... Thank you so much for your help :)
 
Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 11:53:54 PM, on 5/1/2010
Platform: Windows Vista (WinNT 6.1)
MSIE: Internet Explorer v8.0 (8.0.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\Lexmark 5200 Series\lxbtmon.exe
C:\Program Files (x86)\Lexmark 5200 Series\ezprint.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\Bartshel.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\PPShared.exe
C:\Program Files (x86)\EarthLink Accelerated\propelac.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files (x86)\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~2\EARTHL~2\PRPL_I~1.DLL
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files (x86)\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Earthlink Protection BHO - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files (x86)\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files (x86)\EarthLink\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files (x86)\EarthLink\ISP\ISP8200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files (x86)\EarthLink Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files (x86)\EarthLink Accelerated\pac-image.html
O9 - Extra button: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://wimpro2.cce.hp.com/ChatEntry/downloads/msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: GameConsoleService (gpsvc) - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - Unknown owner - C:\Windows\system32\lxbtcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4058

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/2/2010 1:11:08 AM
mbam-log-2010-05-02 (01-11-08).txt

Scan type: Quick scan
Objects scanned: 113351
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





NO GMER LOG- was having problems





DDS (Ver_10-03-17.01) - NTFSX64
Run by Vanessia Thomas at 16:53:12.96 on Sun 05/02/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.1051 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agr64svc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbtcoms.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\Lexmark 5200 Series\lxbtmon.exe
C:\Program Files (x86)\Lexmark 5200 Series\ezprint.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\Bartshel.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\PPShared.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\EarthLink Accelerated\propelac.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Vanessia Thomas\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://search.earthlink.net
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files (x86)\earthlink\toolbar\ElnkPuB.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~2\earthl~2\PRPL_I~1.DLL
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files (x86)\earthlink\toolbar\ProtctIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files (x86)\earthlink\toolbar\uninsttb.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files (x86)\earthlink\toolbar\Toolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [HPADVISOR] c:\program files (x86)\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW
uRun: [Messenger (Yahoo!)] "c:\progra~2\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [Bart Station] c:\program files (x86)\earthlink\isp\isp8200\bin\PPCOLink.exe -STATION
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files (x86)\picturemover\bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Refresh Pa&ge with Full Quality - c:\program files (x86)\earthlink accelerated\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files (x86)\earthlink accelerated\pac-image.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: facebook.com\apps
Trusted Zone: yahoo.com\www
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [PC-Doctor for Windows localizer] c:\program files\pc-doctor for windows\localizer.exe
mRun-x64: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\x64\3\LXBTtime.dll,RunDLLEntry
mRun-x64: [lxbtmon.exe] "c:\program files (x86)\lexmark 5200 series\lxbtmon.exe"
mRun-x64: [EzPrint] "c:\program files (x86)\lexmark 5200 series\ezprint.exe"

============= SERVICES / DRIVERS ===============

S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-3-13 135664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-25 1255736]

=============== Created Last 30 ================

2010-05-02 05:43:29 0 d-----w- c:\users\vaness~1\appdata\roaming\Malwarebytes
2010-05-02 05:43:20 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 05:43:20 0 d-----w- c:\programdata\Malwarebytes
2010-05-02 05:43:20 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-05-02 04:06:58 0 d-----w- c:\programdata\Recovery
2010-05-01 22:25:36 0 d-----w- c:\programdata\Sun
2010-05-01 21:29:22 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-05-01 21:29:22 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-05-01 21:29:22 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-05-01 21:29:22 145184 ----a-w- c:\windows\syswow64\java.exe
2010-05-01 08:27:15 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-05-01 07:42:30 0 d-----w- c:\users\vaness~1\appdata\roaming\IObit
2010-05-01 07:42:30 0 d-----w- c:\program files (x86)\IObit
2010-04-30 18:25:49 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-30 18:25:49 12867072 ----a-w- c:\windows\syswow64\shell32.dll
2010-04-30 18:25:48 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-04-30 18:25:48 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-04-30 18:25:48 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-30 07:39:41 0 d-----w- c:\programdata\McAfee
2010-04-30 05:59:24 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-25 10:00:52 0 d-----w- c:\windows\syswow64\Wat
2010-04-25 10:00:52 0 d-----w- c:\windows\system32\Wat
2010-04-14 05:48:17 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:48:16 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-04-14 05:48:16 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-04-14 05:28:07 286720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:28:07 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:28:07 125952 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:24:25 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:24:25 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-04-14 04:06:14 139264 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 04:06:14 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-04-14 04:04:58 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 04:04:58 172032 ----a-w- c:\windows\syswow64\wintrust.dll

==================== Find3M ====================

2010-03-18 03:20:56 0 ----a-w- c:\users\vaness~1\appdata\roaming\wklnhst.dat
2010-03-09 01:29:23 1685 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_AY028AA-ABA CQ5300Y_YC_0Pres_Q4CE002_EA1NAv6PrA3_49_INARRA5_SPEGATRON CORPORATION_V5.00_B5.55_T091208_WUH0_L409_M1791_J320_7AMD_8Sempron LE-1300_92.3_#_N10DE03EF_Z11C10630_G10DE03D0.MRK
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 05:12:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:53:25.51 ===============
 

Attachments: Attach.txt (8.3 KB)
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I don't see much here....


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
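The fix above targets entries that are still registered for the browser but have no file behind them (the "No File" / "No CLSID value found" lines). As an added example that is not part of this thread and not a feature of OTL or HijackThis, the Python below triages log lines in the two formats quoted here (HijackThis-style O2/O3/O16/O18/O21 lines and the DDS "Pseudo HJT" BHO:/TB:/DPF: lines) for exactly those orphaned entries, and lists browser proxy settings for review. The prefix table and marker phrases are my assumptions about the two formats; the sample log lines are constructed from the ones posted in this thread.

```python
"""Triage of HijackThis / DDS-style log lines for orphaned browser entries.

Added example, not a tool from this thread. It flags extension entries
(BHO, toolbar, DPF, protocol handler, SSODL) that are registered but have
no file behind them, which is what the OTL fix above removed, and lists
browser proxy settings so they can be matched to installed software.
"""
import re
from dataclasses import dataclass

# CLSID in the braces-and-hyphens form both log formats use.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Phrases the log tools print when a registered entry has no backing file
# (assumed from the lines quoted in this thread; compared case-insensitively).
ORPHAN_MARKERS = ("no file", "no clsid value found", "file not found")

# Line prefixes for extension entries: HijackThis-style O2/O3/O16/O18/O21
# and the shorter DDS "Pseudo HJT" names (BHO:, TB:, DPF:). Assumed mapping.
EXTENSION_PREFIXES = {
    "O2 - BHO": "BHO", "BHO:": "BHO",
    "O3 - ": "Toolbar", "TB:": "Toolbar", "TB-X64:": "Toolbar",
    "O16 - DPF": "DPF", "DPF:": "DPF",
    "O18": "ProtocolHandler",
    "O21 - SSODL": "SSODL",
}


@dataclass
class Finding:
    kind: str    # entry type, or "Proxy" for proxy settings
    clsid: str   # lower-cased CLSID, or "" when the line has none
    reason: str
    line: str    # the original log line, ready to paste into a fix list


def classify(line):
    """Return the entry type for an extension line, else None."""
    for prefix, kind in EXTENSION_PREFIXES.items():
        if line.startswith(prefix):
            return kind
    return None


def triage(log_text):
    """Scan log text and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        kind = classify(line)
        if kind and any(marker in lowered for marker in ORPHAN_MARKERS):
            match = CLSID_RE.search(line)
            clsid = match.group(0).lower() if match else ""
            findings.append(Finding(kind, clsid,
                                    "registered %s with no file on disk" % kind, line))
        elif "proxyserver" in lowered:
            # A local proxy is set by web accelerators as well as by hijackers:
            # listed for review, not flagged as malicious.
            findings.append(Finding("Proxy", "",
                                    "browser proxy set; confirm which installed program owns it", line))
    return findings


def orphaned_clsids(log_text):
    """Set of lower-cased CLSIDs whose entries point at missing files."""
    return {f.clsid for f in triage(log_text) if f.kind != "Proxy" and f.clsid}


def fix_candidates(log_text):
    """Original lines for orphaned entries, in the order a fix script lists them."""
    return [f.line for f in triage(log_text) if f.kind != "Proxy"]


# Constructed sample, modelled on the line formats quoted in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r"TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File",
    r"O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found",
    r"uInternet Settings,ProxyServer = http=localhost:8080",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-16s %-40s %s" % (f.kind, f.clsid or "-", f.reason))
```

The entries with a real DLL path (the Adobe BHO) and the Run keys are deliberately left alone: an orphaned registration is harmless on its own and is removed for tidiness, while an entry that does have a file behind it needs the file itself checked before anything is deleted. The proxy line is reported separately because a local proxy on port 8080 is what a web accelerator installs as well as what a hijacker installs, and only the owning program tells the two apart.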
 
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ deleted successfully.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A9007C0-4076-11D3-8789-0000F8105754}\ deleted successfully.
File {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ deleted successfully.
File {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Vanessia Thomas
->Temp folder emptied: 395148 bytes
->Temporary Internet Files folder emptied: 12794895 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 585 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1686 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 525824 bytes

Total Files Cleaned = 13.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.4.0 log created on 05022010_175001

Files\Folders moved on Reboot...
C:\Users\Vanessia Thomas\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 

Attachments: OTL.Txt (92 KB)
Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

=========================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 4, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 04, 2010 21:19:52
Records in database: 4049719
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 145710
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:43:09

No threats found. Scanned area is clean.

Selected area has been scanned.




This one?


Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 1:27:47 AM, on 5/5/2010
Platform: Windows Vista (WinNT 6.1)
MSIE: Internet Explorer v8.0 (8.0.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\Lexmark 5200 Series\lxbtmon.exe
C:\Program Files (x86)\Lexmark 5200 Series\ezprint.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\Bartshel.exe
C:\Program Files (x86)\EarthLink\ISP\ISP8200\Browser\PPShared.exe
C:\Program Files (x86)\EarthLink Accelerated\propelac.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files (x86)\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~2\EARTHL~2\PRPL_I~1.DLL
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files (x86)\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Earthlink Protection BHO - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files (x86)\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files (x86)\EarthLink\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files (x86)\EarthLink\ISP\ISP8200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files (x86)\EarthLink Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files (x86)\EarthLink Accelerated\pac-image.html
O9 - Extra button: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://wimpro2.cce.hp.com/ChatEntry/downloads/msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: GameConsoleService (gpsvc) - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - Unknown owner - C:\Windows\system32\lxbtcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe
 
Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side.
4. Click on Continue on the "User Account Control" window that pops up.
5. Under the System Protection tab, find Available Disks.
6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK.

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read "How did I get infected?", with steps so it does not happen again: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
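The System Restore purge and the update check from the cleanup steps above, scripted for Windows Vista/7 as an added example (this is not the helper's own instructions or a tool from the thread). It assumes an elevated PowerShell 2.0 prompt, that the protected drive is C:, and a restore-point description of my choosing; the *-ComputerRestore cmdlets do not exist on Windows XP, so the XP steps stay manual.

```powershell
# Added example, not part of the thread: the scripted equivalent of steps 1-4
# above for Windows Vista/7. Assumptions: elevated PowerShell 2.0 (ships with
# Windows 7), drive C:, and the description text below.

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell prompt (right-click, Run as administrator)."
    }
}

# Step 1: turn System Restore off. Windows deletes every restore point on the
# drive when protection is disabled, which is the purpose here: a restore point
# can hold a copy of a file the scanner has just removed, and a later rollback
# would bring it back.
function Clear-RestorePoints {
    param([string]$Drive = "C:\")
    Assert-Elevated
    $before = @(Get-ComputerRestorePoint)
    "Restore points to be discarded: $($before.Count)"
    $before | Format-Table SequenceNumber, Description, CreationTime -AutoSize
    Disable-ComputerRestore -Drive $Drive
    "System Restore disabled on $Drive. Reboot now (step 2), then run Restore-Protection (step 3)."
}

# Step 3: after the reboot, turn protection back on and take a clean baseline
# point, so the oldest restore point on the machine postdates the cleanup.
function Restore-Protection {
    param([string]$Drive = "C:\")
    Assert-Elevated
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description "Clean baseline after malware removal" `
                        -RestorePointType "MODIFY_SETTINGS"
    Get-ComputerRestorePoint | Select-Object -Last 1 | Format-List Description, CreationTime
}

# Step 4: ask the Windows Update Agent (COM) how many applicable updates are
# still not installed, rather than trusting the tray icon.
function Get-PendingUpdateCount {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    return $result.Updates.Count
}

# Usage, in this order (the reboot in the middle is why these are two functions):
#   Clear-RestorePoints -Drive "C:\"
#   Restart-Computer
#   Restore-Protection -Drive "C:\"
#   "Updates still pending: $(Get-PendingUpdateCount)"
```

Run the three parts in the order the post gives them; Clear-RestorePoints is destructive by design, so read the table it prints before the Disable call if there is any chance you want a pre-cleanup point kept. A non-zero value from Get-PendingUpdateCount means step 4 is not done yet.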
I'm sorry it has taken this long to reply back; I've been really busy, and the computer WAS doing a lot better... until my modem screwed up. I was on the phone with HP twice today, and Earthlink lol. I believe that the modem is kinda stuck lol. I even unplugged the modem and plugged it into another slot inside the computer, and it's still messed up. There is nothing wrong with the phone line either. I am on another computer that I had, an older Dell, on dial-up just like the other one, and it's working fine. I got them to send me the recovery disks for it. They were going to charge me for the shipping and handling, but I told him I couldn't pay for it and I really needed the computer ASAP because I do a lot of work on the computer, so they waived the fee for me lol. But if that doesn't work, then they are going to send me a new modem free of charge. I have tried resetting the BIOS as well, and that didn't help. If you know of anything that I can do, please let me know. When the phone line is plugged into the computer, I have no dial tone on any of my phones. When it's unplugged, I have a dial tone on my phones. Help!! lol. If you can't, that's fine, just thought I'd ask. And thank you so much for your help with the other stuff.
 
Since your current issue is not malware related, I suggest you start a new topic in the Windows forum, and I'm sure someone will help you out.
Here, your last post is pretty much buried deep in the thread, so I doubt anyone will pay any attention to it.
 