[Solved] Windows Recovery FakeAV: Deleted icons & My Document files locked

G4SnAK · May 18, 2011

Okay, Still wasn't able to find anything in the recycle bin to delete...
About the proxies, I don't know where the US ones came from and they were not in my proxy list in FP. I removed all proxy entries from the list (there were only 3) and changed the default to No Proxy. Checked my connection settings in FF and made sure there were no proxys set there either.Then I updated Foxy Proxy to the current version. (I don't use FF often so there was some cleaning up to do) I removed the cacaoweb and zugo extentions, and disabled all prior versons of java, leaving only 6.0.25 enabled.
Had another proxy program installed called Your Freedom, I took that one off as well. (Perhaps that is where the US proxies came from when I was playing around with it... it was just more junk that I experimented with and didn't use).
I was able to reset the keyword entry after a few attempts (it kept changing itself back grrr) but it finally stuck. the homepage is google now.
As for the other programs... I uninstalled utorrent.

I could not find Ares 2.1.1 - it is not installed and I don't find it in program files.There is a program called 360Share Pro that is uninstalled, the folder is still in program files.

The only poker program I have on here is called Planet 7 Casino, it is not installed but I see now that it left a lot of junk behind in the program folder - the only thing it uninstalled was the casino.exe file. I don't see the others you mentioned, they are not installed and I didn't see them in the program folders either.

Bobbye · May 19, 2011

There is a program called 360Share Pro that is uninstalled, the folder is still in program files.

Please use Windows Explorer to access My Computer> Local Drive> Programs> Delete the folder for any programs you have uninstalled.

Sorry about Ares and the 3 poker programs. I inadvertently included them on the screen I had started for you.

Your Freedom, is as you say, another proxy program that "Bypass restrictive firewalls and filtering web proxies and allows you to surf anonymously."

Please go through what is installed on the system. Uninstall whatever you're not using, then delete the program folder. When you have finished, please reboot the computer. Then update and rescan with Combofix.[/]b This should reflect the changes you have made and I can move any 'left-over' entries.

G4SnAK · May 19, 2011

Thanks Bobbye, here's the log:

ComboFix 11-05-18.04 - Brandley 05/19/2011 10:21:24.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.989 [GMT -8:00]
Running from: c:\users\Brandley\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\hijackthis\HijackThis.exe
c:\programdata\PCDr\5744\Downloads\7cfc7ddb-2ff0-41ad-a5d7-3e2c7c6da278.dll
c:\programdata\PCDr\5744\Downloads\9f7cb229-6226-4846-9375-1b73ad107c4e.dll
c:\programdata\PCDr\5744\Downloads\aad4193c-5f11-4479-83a6-e739206cb375.dll
c:\programdata\PCDr\5744\Downloads\ccb2bb33-3a38-4a93-93e7-871d4d9be0b6.dll
c:\programdata\PCDr\5744\Downloads\d57ca607-df9e-42be-b6e5-f975ebf2105b.dll
c:\programdata\PCDr\5744\Downloads\db49fe36-7c40-41f5-b9c1-5a7c3297c269.dll
c:\programdata\PCDr\5744\Downloads\e3d50fea-9128-4ef0-9ea5-b4d74186612f.dll
c:\programdata\PCDr\5744\Downloads\e87994e7-694e-4058-a64a-df23fd76e4df.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 18:41 . 2011-05-19 18:48 -------- d-----w- c:\users\Brandley\AppData\Local\temp
2011-05-19 18:41 . 2011-05-19 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-19 18:41 . 2011-05-19 18:41 -------- d-----w- c:\users\Admin\AppData\Local\temp
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\tr
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\sv
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ru
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\no
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\da
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ko
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ja
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\it
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\fr
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\es
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\de
2011-05-19 00:48 . 2011-05-19 00:49 -------- d-----w- c:\windows\DPDrv
2011-05-19 00:44 . 2011-05-19 00:44 -------- d-----w- c:\programdata\Downloaded Installations
2011-05-17 09:52 . 2011-04-18 17:15 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C0FC8D8E-3E30-4F4F-956A-E96A5AE30051}\mpengine.dll
2011-05-14 18:22 . 2011-05-19 18:40 -------- d-----w- C:\HijackThis
2011-05-14 18:16 . 2011-05-14 18:16 -------- d-----w- c:\program files\Common Files\Adobe
2011-05-14 18:10 . 2011-05-14 18:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-05-14 17:57 . 2011-05-14 17:57 -------- d-----w- c:\program files\Common Files\Java
2011-05-14 00:22 . 2011-05-14 00:22 -------- d-----w- C:\_OTM
2011-05-12 16:34 . 2011-05-12 16:34 -------- d-----w- c:\program files\ESET
2011-05-12 05:23 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-12 05:23 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-12 05:23 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-12 05:23 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-12 05:23 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-12 05:23 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-12 05:22 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-12 05:22 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-12 05:22 . 2011-05-12 05:22 -------- d-----w- c:\programdata\AVAST Software
2011-05-12 05:22 . 2011-05-12 05:22 -------- d-----w- c:\program files\AVAST Software
2011-05-11 22:30 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-11 22:29 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 09:33 . 2011-05-11 09:34 -------- d-----w- c:\users\Brandley\AppData\Local\{C3107B9A-2BF5-41E5-BBC0-208E3C70F5F0}
2011-05-11 08:07 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-06 16:29 . 2011-05-06 16:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-30 11:00 . 2011-04-30 11:00 -------- d-----w- c:\windows\CheckSur
2011-04-28 17:10 . 2011-04-28 17:10 -------- d-----w- c:\users\Brandley\AppData\Roaming\AVG10
2011-04-28 16:38 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 16:37 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 16:37 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 00:55 . 2011-05-12 05:05 -------- d-----w- c:\programdata\AVG10
2011-04-26 00:22 . 2011-05-12 05:03 -------- d-----w- c:\programdata\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-14 17:55 . 2010-04-25 22:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-10 17:03 . 2011-04-15 02:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 02:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-09 08:06 . 2010-06-24 20:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-03 15:42 . 2011-04-15 02:02 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-28 16:38 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 16:38 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 16:38 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 16:38 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-15 02:02 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-15 02:02 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 07:08 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 07:08 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 07:08 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-15 02:03 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-15 02:03 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-15 02:03 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-15 02:03 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-11 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-05-09 126976]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483428]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-26 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-13 842816]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Brandley^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Brandley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 20:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-25 10:35 135664 ----atw- c:\users\Brandley\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-26 00:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-21 02:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-16 23:49 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-05-08 12872]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-09-14 25704]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-05-08 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-05-28 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-17 81920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-02-29 1053944]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-05-10 110592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-05-10 1858048]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-05-10 482304]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-03-13 548352]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-03-08 62496]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-11 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-06 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-09 280096]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-17 03:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-313869043-597203798-2405295701-1000Core.job
- c:\users\Brandley\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 10:35]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-313869043-597203798-2405295701-1000UA.job
- c:\users\Brandley\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-25 10:35]
.
2011-04-23 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-05-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{a5837a04-1cda-49e5-80f5-25baef5e6a32} - c:\program files\Clip Extractor\ClipExtractor.exe
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\Brandley\AppData\Roaming\Mozilla\Firefox\Profiles\8w3rm69w.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-FileServe
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://fileservehome.com/?prt=fileservetb02ff&Keywords=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 5.6.7.8
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Brandley\AppData\Roaming\Move Networks
FF - Ext: Download Accelerator Plus (DAP) extension: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\program files\DAP\DAPFireFox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: keyword.URL - hxxp://fileservehome.com/?prt=fileservetb02ff&Keywords=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 10:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5856)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msfeedssync.exe
.
**************************************************************************
.
Completion time: 2011-05-19 11:08:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-19 19:07
ComboFix2.txt 2011-05-14 16:47
ComboFix3.txt 2011-05-12 06:34
.
Pre-Run: 97,487,958,016 bytes free
Post-Run: 97,419,296,768 bytes free
.
- - End Of File - - F3FF76B383E06CC24EEF66DFBA7E7B81

Bobbye · May 20, 2011

We need to get FileServe out of the system:
FF - prefs.js: browser.search.selectedEngine - Yahoo-FileServe
FF - prefs.js: keyword.URL - hxxp://fileservehome.com/?prt=fileservetb02ff&Keywords=

You don't need to do the Yashoo Search on the fileserve.com site That is a hosting site.
You still have the 2 versions of FoxyProxy on Firefox.
============================================
I see 4 entries for FileServe in the earlier logs. They should show up in HijackThis and I can have you stop them in that program and direct to uninstall:
Download HijackThis and save to your desktop.

Extract it to a directory on your hard drive called c:\HijackThis.

Then navigate to that directory and double-click on the hijackthis.exe file.

When started click on the Scan button and then the Save Log button to create a log of your information.

The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

G4SnAK · May 20, 2011

I try not to do anything Yahoo related... hate Yahoo, once it has you it never goes away...
and I only see FoxyProxy Standard installed in the extensions list so I don't know how to remove the other one.

HijackThis generated a warning that the system denied write access to the Hosts file. It suggests right clicking to run as amin. but that option isn't available when I try to do so. I did not edit the file myself as it suggests, wanted to check with you first - Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:13:51 PM, on 5/20/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Users\Brandley\AppData\Local\temp\Temp1_HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DigitalPersona Fingerprint Software Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Download Accelerator Plus Integration - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Download with YouTube Clip Extractor - {a5837a04-1cda-49e5-80f5-25baef5e6a32} - C:\Program Files\Clip Extractor\ClipExtractor.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @C:\Program Files\DigitalPersona\Bin\DpHostW.exe,-128 (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 13540 bytes

Bobbye · May 21, 2011

What happened here? Are these related? What are they for?

2011-05-19 18:41 . 2011-05-19 18:48 -------- d-----w- c:\users\Brandley\AppData\Local\temp
2011-05-19 18:41 . 2011-05-19 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-19 18:41 . 2011-05-19 18:41 -------- d-----w- c:\users\Admin\AppData\Local\temp
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\tr
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\sv
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ru
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\no
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\da
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ko
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\ja
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\it
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\fr
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\es
2011-05-19 00:49 . 2011-05-19 00:49 -------- d-----w- c:\windows\system32\de
2011-05-19 00:44 . 2011-05-19 00:44 -------- d-----w- c:\programdata\Downloaded Installations
2011-05-19 00:48 . 2011-05-19 00:49 -------- d-----w- c:\windows\DPDrv
(Dpdrv.sys is DP Filter Driver is a driver file from company International Business Machines Corporation belonging to product Data Protection Filter Driver.)

Obviously these are languages, but where did they come from?
========================================
There's only one entry in the HijackThis log I'd like to remove, but instead of running a scan again, handle it in 'manage add-ons:' Looks like this came with the DP Filer Driver.

Click on Tools> Manage Add-ons> look in both sections of the dialogue box: addons currently being used and addons previously use> find DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab> Highlight and remove or disable. Its a bundle of junk. May show as Kiwi Toolbar.

How is the system running now?

G4SnAK · May 22, 2011

Hmmm. Those entries must have came from an update of the DigitalPersona Fingerprint software... Sorry. I forgot I wasn't suppose to be updating programs during this process - it wasn't working properly and offered me an update so I took it without thinking, it updated from version 3 to 4.01.3765
The only other thing I did on the 19th was to save RKill and FixNCR to a flash drive to use on another laptop - didn't save or run the programs on this one.

G4SnAK · May 22, 2011

Didn't find an entry for DPF: CabBuilder or for kiwitool bar in any of the browser extensions. Kiwi toolbar was uninstalled a long time ago. like over a year ago so I don't know why it is still showing up in the hijack list, pretty sure it is gone... came bundled with that smileycentral crap that I had a horrible time getting rid of... anyway,

I did find a extension for Yahoo/fileserve still enabled in Chrome, so went ahead and disabled that as well.

System is running very well now - haven't noticed any other issues, and it's back up to speed as well. Even FF is working and it hasn't worked right in ages. I want to thank-you again for all your help

G4SnAK · May 24, 2011

I know you are busy, but it has been a couple of days so I am just wondering if we are finished. Thanks again.

Bobbye · May 26, 2011

Sorry for delay- I had about 5 active threads that went missing in me!

Since the problems have been resolved, you can remove all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTCleanIt by OldTimer and save it to your Desktop.

Double click OTCleanIt.exe.

Click the CleanUp! button.

If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
============================

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Go to Start > All Programs > Accessories > System Tools

Click "System Restore".

Choose "Create a Restore Point" on the first screen then click "Next".

Give the Restore Point a name> click "Create".

Go back and follow the path to > System Tools.
[*]Choose Disc Cleanup
[*]Click "OK" to select the partition or drive you want.
[*]Click the "More Options" Tab.
[*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if you have any more questions.

G4SnAK · May 27, 2011

No questions Bobbye... thanks again for all your help

Bobbye · May 27, 2011

You're very welcome. Look over the following and add what you want to enhance security:

Tips for added security and safer browsing: (Links are in Bold Blue)

Browser Security
[o] Safe Settings (Please ignore the suggestion to use the Registry Editior in this section "Creating a Custom Security Zone")
[o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
[o] Replace the Host Files
[o] Google Toolbar Pop Up Blocker
[o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

Have layered Security:
[o]Antivirus :(only one):Both of the following programs are free and known to be good:
[o]Avira-AntiVir-Personal-Free-Antivirus
[o] [o]Avast-Free Antivirus
[o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
[o]Comodo
[o]Zone Alarm

Antimalware: I recommend all of the following:
[o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
[o]Spybot Search & Destroy

Updates: Stay current:
[o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
[o]Adobe Reader Install current, uninstall old.
[o]Java Updates Install current, uninstall old.

Tracking Cookies
Reset Cookie:
[o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
[o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List
[o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.

Do regular Maintenance
[o] Temporary File Cleaner

Restore Points:
[o]See System Restore Guide

Safe Email Handling
[o] Don't open email from anyone you don't know.
[o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
[o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Please let me know if you find any bad link.

TechSpot

[Solved] Windows Recovery FakeAV: Deleted icons & My Document files locked

G4SnAK Newcomer, in training

Bobbye Helper on the Fringe

G4SnAK Newcomer, in training

Bobbye Helper on the Fringe

G4SnAK Newcomer, in training

Bobbye Helper on the Fringe

G4SnAK Newcomer, in training

G4SnAK Newcomer, in training

G4SnAK Newcomer, in training

Bobbye Helper on the Fringe

G4SnAK Newcomer, in training

Bobbye Helper on the Fringe