Inactive Assistance needed for persistent Google redirect virus


ormolu611

I am in need of assistance. Apparently, I picked up some redirect virus about 5 or so days ago that results in redirects to websites like "www.bricksearch.com" when I click on search result links. In order to visit the page that I am looking for, I have to either click on the cache version or copy and paste the address into the address bar. In perusing the web over the past few days, I have tried to eradicate it myself by downloading and running cloud panda, and malwarebytes. Malwarebytes did actually find a couple of trojans, but alas, I still have the problem! Oh yeah, perhaps the most annoying, which I think is related as it started at the same time, Captcha does not work on my machine as the letters are not displayed! This makes posting to Craigslist and even this site impossible! I have to use my girlfriend's computer! Is this site going to require a captcha for every post I make? Help!
 
Welcome to TechSpot! Are you old enough to remember the Mighty Mouse cartoons? When he swooped in, he always said: "Here I am to save the day!" Okay, I don't 'swoop', but I will be glad to help with the redirect problem.

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
difficulty posting logs

Bobbye, thanks for offering to help me with this! I have completed the steps that you outlined, but I am delayed in posting the logs because my computer does not display captcha since a few days ago. I wonder if it is virus related, as this problem started when I started getting redirected. I am posting this now using my BlackBerry. I can post the logs tomorrow using my girlfriend's PC.
 
captcha required

Yes, I am logged in, but immediately below the "reply to thread" section, there is a captcha requirement prior to posting a response. On my BlackBerry, the distorted words are visible. On my PC, they are not. It just says "image verification" with no captcha image below it. When I try to post without the captcha, I get an error saying, "The string you entered for the image verification did not match what was displayed."
 
I am going to advise the site editor of this, but I need to know the following:
1. Operating system
2. Browser and version

As soon as you let me know, I'll add it to the message I already have written.
 
Thanks so much! I am using Windows XP, and the problem with captcha is in IE8, Mozilla 5.0, and the latest version of Opera.
 
Okay, thanks. Have sent PM. Hang on to the logs and don't run any other cleaning scans so the logs will still be good. S/B later today.
 
DDS

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Thomas Love at 21:42:26.01 on Sun 05/01/2011
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_24
.
============== Running Processes ===============
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\SkyTel.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LivePost\LivePost powered by PostNexus\AppStart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\LivePost\LivePost powered by PostNexus\3.2.0.47\PNlaunch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Thomas Love\Desktop\dds.scr
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.emortgagelogic.com/www/index.htm
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101110120748.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [NDSTray.exe] NDSTray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxps://web11.farvv.com/sn/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: psfus - psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd
Hosts: 184.107.64.190 www.google.com
Hosts: 209.172.56.115 search.yahoo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\thomas~1\applic~1\mozilla\firefox\profiles\olrqrkyz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nefar.com/memberMain.php|http://flexmls.realtyweb.net/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\thomas love\application data\mozilla\firefox\profiles\olrqrkyz.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npxsciter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R? Avg7Alrt;AVG7 Alert Manager Server
R? Avg7Core;AVG7 Kernel
R? Avg7RsW;AVG7 Wrap Driver
R? Avg7RsXP;AVG7 Resident Driver XP
R? AvgClean;AVG Clean Driver
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? mfebopk;McAfee Inc. mfebopk
R? mfendisk;McAfee Core NDIS Intermediate Filter
R? mferkdet;McAfee Inc. mferkdet
R? NWUSBCDFIL;Novatel Wireless Installation CD
R? NWUSBPort2;Novatel Wireless USB Status2 Port Driver
S? Akamai;Akamai NetSession Interface
S? Avg7UpdSvc;AVG7 Update Service
S? cfwids;McAfee Inc. cfwids
S? FdRedir;FdRedir
S? FileDisk2;FileDisk Protector Kernel Driver
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? McMPFSvc;McAfee Personal Firewall Service
S? McNaiAnn;McAfee VirusScan Announcer
S? McProxy;McAfee Proxy Service
S? McShield;McShield
S? mfeavfk;McAfee Inc. mfeavfk
S? mfefire;McAfee Firewall Core Service
S? mfefirek;McAfee Inc. mfefirek
S? mfehidk;McAfee Inc. mfehidk
S? mfendiskmp;mfendiskmp
S? mfetdi2k;McAfee Inc. mfetdi2k
S? mfevtp;McAfee Validation Trust Protection Service
S? NanoServiceMain;Panda Cloud Antivirus Service
S? NvtlService;NovaCore SDK Service
S? PSINAflt;PSINAflt
S? PSINFile;PSINFile
S? PSINKNC;PSINKNC
S? PSINProc;PSINProc
S? PSINProt;PSINProt
S? smihlp;SMI helper driver
S? TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver
S? tdudf;TOSHIBA UDF File System Driver
S? Thpdrv;TOSHIBA HDD Protection Driver
S? Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver
S? TMEI3E;TMEI3E
S? Tmesrv;Tmesrv3
S? WacomPen;Wacom Serial Pen HID Driver
.
=============== Created Last 30 ================
.
2011-04-30 16:43:03 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-30 16:43:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-30 16:42:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Walgreens
2011-04-30 16:42:21 -------- d-----w- c:\program files\Walgreens
2011-04-28 13:31:33 -------- d-----w- c:\docume~1\thomas~1\applic~1\Panda Security
2011-04-28 13:29:40 -------- d-----w- c:\program files\Panda Security
2011-04-28 13:29:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2011-04-28 13:10:57 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 13:10:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-28 13:09:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-27 14:32:19 -------- d-----w- c:\docume~1\thomas~1\applic~1\Malwarebytes
2011-04-27 13:54:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 13:54:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-27 13:54:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-27 13:54:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 21:35:51 -------- d-----w- c:\program files\iPod
2011-04-22 21:35:19 -------- d-----w- c:\program files\iTunes
2011-04-22 21:21:31 -------- d-----w- c:\program files\Bonjour
2011-04-19 23:21:56 69632 ----a-r- c:\docume~1\thomas~1\applic~1\microsoft\installer\{87df5956-a327-4304-8338-8e2b0aab843e}\NewShortcut4_838BDC75346D4F49BD1D5328F986CD86.exe
2011-04-19 23:21:56 413696 ----a-r- c:\docume~1\thomas~1\applic~1\microsoft\installer\{87df5956-a327-4304-8338-8e2b0aab843e}\NewShortcut2_5B2EDCAA303A43629DACC3FFFABD0901.exe
2011-04-19 23:21:56 413696 ----a-r- c:\docume~1\thomas~1\applic~1\microsoft\installer\{87df5956-a327-4304-8338-8e2b0aab843e}\NewShortcut1_9F9ABBA94B874F449DBFBD7EB1332F16.exe
2011-04-19 23:21:55 413696 ----a-r- c:\docume~1\thomas~1\applic~1\microsoft\installer\{87df5956-a327-4304-8338-8e2b0aab843e}\ARPPRODUCTICON.exe
2011-04-07 01:17:25 -------- d-----w- c:\docume~1\thomas~1\locals~1\applic~1\Research In Motion
2011-04-07 01:16:37 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-07 00:14:51 14744 ----a-w- c:\docume~1\thomas~1\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-03-15 01:28:51 256 ----a-w- c:\windows\system32\pool.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 21:46:04.21 ===============
 
gmer

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit quick scan 2011-05-01 21:25:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1032GSX rev.AS021G
Running: rb9497xr.exe; Driver: C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\kwrdykob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF74200E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF74200F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7420120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7420176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF74200CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74200A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74200B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF742010A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF742014C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7420136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF742018C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7420160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs FdRedir.sys (File Disk Redirector/UPEK Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
 
mbam

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6487

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

5/1/2011 8:41:16 PM
mbam-log-2011-05-01 (20-41-15).txt

Scan type: Quick scan
Objects scanned: 168200
Time elapsed: 39 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Logs posted

Bobbye, I have posted the logs that you requested. I am using another computer that I borrowed for the interim to get around the captcha issue. Please let me know if I have left anything out. Thanks.
 
I'll see if I can get someone else to reply. These logs don't look right; the dates of installs are missing.
There is also another log from DDS named Attach.txt that I need.

Basically, your hosts file has been hijacked. Usually something related to this will show up in Mbam, but that's clean. Go ahead and do the following first:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
=====================================
When that has been done: Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.com/us/online-scanner#
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Please Uncheck "Remove found threats" (I will remove them, if any, in a program that will also remove related files)
  7. Check "Scan unwanted applications"
  8. Click Scan
  9. Wait for the scan to finish
  10. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  11. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  12. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===========================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan:
Uninstall directions

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Question: Do you have a language other than English on the system?

Hold off on the logs until later today.
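The hosts-file hijack Bobbye points out above shows up in the DDS "Pseudo HJT Report" as the two `Hosts:` lines that pin www.google.com and search.yahoo.com to public addresses. The script below is an added example written for this thread; it is not part of the thread, of DDS, or of any tool mentioned here. It parses both the DDS `Hosts:` report lines and a raw Windows hosts file, and flags any public hostname mapped to an address that is neither loopback, unspecified, nor private, which is the general pattern behind this kind of redirect rather than just the two names in this log. The sample inputs are constructed: the DDS lines are copied from the report above, the hosts-file excerpt is made up, and the function names are hypothetical.

```python
"""Flag hosts-file entries that pin public hostnames to public IPs.

Added example with hypothetical helper names; not part of the thread or DDS.
"""
import ipaddress
import re

# Constructed sample: the two "Hosts:" lines copied from the DDS Pseudo HJT
# report in this thread, plus one unrelated DDS line to show it is skipped.
SAMPLE_DDS_LINES = """\
uInternet Settings,ProxyOverride = *.local
Hosts: 184.107.64.190 www.google.com
Hosts: 209.172.56.115 search.yahoo.com
"""

# Constructed sample of a raw Windows hosts file with only benign entries:
# a comment, the localhost line, an ad-blocker style sinkhole and a LAN name.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net     # sinkhole entry, constructed
10.0.0.5        intranet.corp.example
"""

# Matches "Hosts: <ip> <name>" (DDS format) and "<ip> <name>" (hosts file).
HOSTS_LINE = re.compile(r"^(?:Hosts:\s+)?(\S+)\s+(\S+)")


def parse_hosts_entries(text):
    """Return (ip_address, hostname) pairs from DDS or hosts-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = HOSTS_LINE.match(line)
        if not match:
            continue
        addr, host = match.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # first token is not an IP, so not a hosts entry
        entries.append((ip, host.lower()))
    return entries


def is_hijack(ip, host):
    """True when a public name is pinned to an address DNS would not give.

    Loopback/unspecified targets (localhost lines, sinkholes) and private
    addresses (LAN names) are the normal content of a hosts file; a public
    hostname such as www.google.com mapped to a public IP means every lookup
    silently goes where the file says, not where DNS says.
    """
    if ip.is_loopback or ip.is_unspecified or ip.is_private:
        return False
    if "." not in host:  # single-label LAN name, not a public hostname
        return False
    return True


def find_hijacked(text):
    """List (ip, hostname) strings for every entry that looks hijacked."""
    return [(str(ip), host) for ip, host in parse_hosts_entries(text)
            if is_hijack(ip, host)]


if __name__ == "__main__":
    for label, sample in (("DDS report", SAMPLE_DDS_LINES),
                          ("hosts file", SAMPLE_HOSTS_FILE)):
        hits = find_hijacked(sample)
        print(f"{label}: {len(hits)} suspicious entries")
        for ip, host in hits:
            print(f"  {host} -> {ip}")
```

Entries in the hosts file are consulted before DNS, so `ipconfig /flushdns` clears the resolver cache but does not remove them; on Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts, and the two flagged lines are what a clean-up has to remove or replace with a default file before search results stop redirecting.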
 
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/2/2006 8:54:42 AM
System Uptime: 5/1/2011 7:46:10 PM (2 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | uFC-PGA Socket | 1053/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 93 GiB total, 49.885 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP101: 1/30/2011 6:59:37 PM - System Checkpoint
RP102: 2/1/2011 8:02:10 AM - NMEA Port
RP103: 2/1/2011 8:03:06 AM - Removed Sprint SmartView.
RP104: 2/1/2011 8:05:27 AM - Installed Sprint SmartView.
RP105: 2/2/2011 3:50:55 PM - System Checkpoint
RP106: 2/3/2011 6:58:07 PM - System Checkpoint
RP107: 2/7/2011 12:49:57 PM - Removed Opera 10.61.
RP108: 2/7/2011 12:50:46 PM - Installed Opera 11.01.
RP109: 2/10/2011 6:32:11 PM - System Checkpoint
RP110: 2/12/2011 8:10:22 PM - Software Distribution Service 3.0
RP111: 2/14/2011 11:06:01 PM - System Checkpoint
RP112: 2/15/2011 11:41:37 PM - System Checkpoint
RP113: 2/17/2011 12:03:52 AM - System Checkpoint
RP114: 2/17/2011 12:27:57 AM - Software Distribution Service 3.0
RP115: 2/18/2011 9:29:06 AM - System Checkpoint
RP116: 2/20/2011 9:11:25 AM - System Checkpoint
RP117: 2/21/2011 10:14:24 AM - System Checkpoint
RP118: 2/21/2011 10:38:00 PM - Installed Windows Media Player 10
RP119: 2/21/2011 10:38:55 PM - Software Distribution Service 3.0
RP120: 2/24/2011 11:55:55 AM - System Checkpoint
RP121: 2/26/2011 9:09:25 PM - Software Distribution Service 3.0
RP122: 3/2/2011 12:28:58 PM - System Checkpoint
RP123: 3/3/2011 5:45:18 PM - Installed BlackBerry Desktop Software 5.0.1.
RP124: 3/5/2011 2:23:54 PM - System Checkpoint
RP125: 3/6/2011 8:30:42 PM - Software Distribution Service 3.0
RP126: 3/10/2011 10:19:14 AM - Installed Connect Service
RP127: 3/11/2011 10:32:10 AM - System Checkpoint
RP128: 3/12/2011 4:00:38 PM - System Checkpoint
RP129: 3/13/2011 6:05:31 AM - Software Distribution Service 3.0
RP130: 3/14/2011 11:56:45 AM - System Checkpoint
RP131: 3/15/2011 12:26:56 PM - System Checkpoint
RP132: 3/17/2011 12:00:01 PM - System Checkpoint
RP133: 3/17/2011 5:57:57 PM - Software Distribution Service 3.0
RP134: 3/21/2011 3:55:19 PM - System Checkpoint
RP135: 3/23/2011 3:07:07 PM - System Checkpoint
RP136: 3/24/2011 3:21:53 PM - System Checkpoint
RP137: 3/25/2011 8:10:47 AM - Software Distribution Service 3.0
RP138: 3/25/2011 10:04:36 AM - Installed Java(TM) 6 Update 24
RP139: 3/26/2011 11:02:34 AM - System Checkpoint
RP140: 3/29/2011 2:01:53 PM - System Checkpoint
RP141: 3/30/2011 2:27:24 PM - System Checkpoint
RP142: 4/4/2011 2:40:25 PM - System Checkpoint
RP143: 4/5/2011 3:37:26 PM - System Checkpoint
RP144: 4/6/2011 8:11:08 PM - Installed Microsoft Office Outlook Connector
RP145: 4/6/2011 9:16:37 PM - Installed Windows XP Wdf01009.
RP146: 4/7/2011 10:16:59 PM - System Checkpoint
RP147: 4/8/2011 10:27:02 PM - System Checkpoint
RP148: 4/11/2011 10:39:52 AM - System Checkpoint
RP149: 4/12/2011 12:16:52 PM - System Checkpoint
RP150: 4/13/2011 7:12:20 PM - System Checkpoint
RP151: 4/14/2011 7:59:29 AM - Software Distribution Service 3.0
RP152: 4/15/2011 9:35:05 AM - System Checkpoint
RP153: 4/16/2011 2:31:07 PM - System Checkpoint
RP154: 4/18/2011 1:32:35 PM - System Checkpoint
RP155: 4/18/2011 5:06:21 PM - Software Distribution Service 3.0
RP156: 4/20/2011 9:17:25 AM - System Checkpoint
RP157: 4/21/2011 7:05:09 PM - Software Distribution Service 3.0
RP158: 4/22/2011 7:09:35 PM - System Checkpoint
RP159: 4/24/2011 6:47:34 PM - System Checkpoint
RP160: 4/25/2011 2:43:29 PM - Removed Opera 11.01.
RP161: 4/26/2011 3:50:14 PM - System Checkpoint
RP162: 4/27/2011 10:02:50 AM - Software Distribution Service 3.0
RP163: 4/29/2011 12:12:16 PM - System Checkpoint
RP164: 4/30/2011 12:19:00 AM - Removed W Photo Studio
RP165: 4/30/2011 6:28:24 AM - Installed Java(TM) 6 Update 25
RP166: 4/30/2011 12:39:00 PM - Restore Operation
RP167: 5/1/2011 7:16:30 PM - System Checkpoint
.
==== Installed Programs ======================
.
7300
7300_Help
7300Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0.1
Adobe Reader 8.1.5
Agilix GoBinder Lite
AiO_Scan
AiOSoftware
Akamai NetSession Interface
ALPS Touch Pad Driver
America Online (Choose which version to remove)
AnswerWorks 5.0 English Runtime
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Arachnophilia 5.4
ArcSoft Panorama Maker 5
ArcSoft Software Suite
AudibleManager
Bejeweled 2 Deluxe
BlackBerry Desktop Software 6.0.2
Blasterball 2 Revolution
Bluetooth Stack for Windows by Toshiba
Bonjour
BufferChm
Carbonite
CCleaner
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
Convert Image To PDF
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
CutePDF Writer 2.7
Destinations
Director
DocProc
DocumentViewer
DVD-RAM Driver
FATE
Fax
File Uploader
Florida Real Estate Exam Manual
FranklinCovey TabletPlanner
Google AFE
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB888111
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Officejet 7300 series
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
Ink Art
InstallVC90Support
InstantShare
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 24
K-Lite Codec Pack 5.5.1 (Standard)
KB408682
LivePost powered by PostNexus
Malwarebytes' Anti-Malware
MapSource - City Select North America v7
MarketResearch
McAfee SecurityCenter
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Energy Blue Theme Pack
Microsoft Experience Pack for Tablet PC
Microsoft Ink Crossword
Microsoft Ink Desktop
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Media Transfer
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Outlook Connector
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Snipping Tool 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
mIWA
mLogView
mMHouse
Mozilla Firefox (3.6.13)
mPfMgr
mPfWiz
mProSafe
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
MyConnect Special Offer
mZConfig
Nikon Message Center
Nikon Transfer
oDesk Team
Office 2003 Trial Assistant
Opera 11.10
Panda Cloud Antivirus
PanoStandAlone
PhotoGallery
Picture Control Utility
Polar Golfer
PrimoPDF -- by Nitro PDF Software
ProductContext
Protector Suite 5.4
Pure Networks Port Magic
QFolder
Quicken 2008
QuickTime
Readme
RealPlayer Basic
Realtek High Definition Audio Driver
Revo Uninstaller 1.85
Scan
ScannerCopy
SCRABBLE
SD Secure Module
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
Sprint SmartView
Tablet PC Tutorials for Microsoft Windows XP SP2
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Top Producer Editor
TOSHIBA Accelerometer Utilities
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Display Devices Change Utility
TOSHIBA Game Console
TOSHIBA HDD Protection
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 for Windows XP V3.82.00.XP
TOSHIBA Password Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Rotation Utility
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Tablet Access Code Logon Utility
TOSHIBA TouchPad On/Off Utility V2.05.01
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
TrayApp
Trial1-2-3FileConvert v3.0
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewNX
Viewpoint Media Player
W Photo Studio
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/27/2011 10:09:08 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avg7Core Avg7RsW Avg7RsXP AvgClean
4/27/2011 10:09:02 AM, error: Service Control Manager [7000] - The Pantech&Curitel Utility Service service failed to start due to the following error: The system cannot find the file specified.
4/27/2011 10:09:02 AM, error: Service Control Manager [7000] - The AVG7 Alert Manager Server service failed to start due to the following error: The system cannot find the file specified.
4/27/2011 10:08:51 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00130288A1D0. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
4/27/2011 10:08:47 AM, error: Dhcp [1002] - The IP address lease 192.168.0.12 for the Network Card with network address 00130288A1D0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
I just sent another PM, this time to the site owner. There are some things you can work on:

You are running multiple antivirus programs:
Panda
AVG7> this is way outdated, I don't think it's even been supported for 2-3 years. It's up to AVG 2011.
McAfee> full suite


Uninstall AVG: AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note:
  • AVG user settings will be removed.
  • Virus Vault contents will be removed.
  • All other items related to AVG installation and use will be removed.
  • You will be asked during the removal procedure to restart your computer. Please do so.
  • Make sure there is no open work in process prior to launching AVG Remover.
AVG Remover:32bit
=====================================================
Make sure McAfee is current. If it is not and you don't want to keep it, uninstall:
McAfee Removal
If it is not, you can put one of the following AV on the system after you remove AVG and Panda
Antivirus (only one): Both of the following programs are free and known to be good:
  • Avira-AntiVir-Personal-Free-Antivirus
  • Avast-Free Antivirus
=========================================
Please uninstall Hitman Pro 3.5. It is nothing but a bundle of security programs that are all free on the internet. Hitman gives you a trial, then won't remove bad entries unless you pay for the program. Considering all of the free programs are fully functional, this is a big rip off.
==========================================
Please go ahead and paste in the Mbam and Eset scan logs. Keep the original logs on your computer.

Question: Are you in Canada? Is French on the system?
 
Mbam

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6487
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372
5/3/2011 7:37:47 PM
mbam-log-2011-05-03 (19-37-47).txt
Scan type: Quick scan
Objects scanned: 168998
Time elapsed: 34 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
 
Eset

ESETSmartInstaller@High as CAB hook log:
OnlineScannerUninstaller.exe - copy file error :The system cannot find the file specified.

OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18372 (longhorn_ie8_rc1(wmbla).090115-0053)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4465ab14d7dd8041bd165844fc805af6
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-04 01:45:58
# local_time=2011-05-03 09:45:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1538 16774118 20 3 0 132077036 0 0
# compatibility_mode=5121 16777189 100 75 0 20700784 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 77 144173476 147157892 0 0
# scanned=119840
# found=0
# cleaned=0
# scan_time=6413
 
AVG

You know, I tried to delete AVG about three years ago and it was surprisingly difficult to do so. I downloaded Revo Uninstaller some time ago to help me get rid of it, which I thought I had done. There is no AVG in any of the add/delete programs menus, and revo cannot find it now, yet Combofix continually tells me that AVG is running and that my computer may be ruined if I proceed unless I stop it from running. Strange...needless to say, I have not yet run Combofix. I downloaded the AVG Remover, and it did a few things in a small DOS window, but never got around to restarting my computer as explained. I ran it a couple of times with the same result. Meanwhile, Combofix keeps telling me that AVG is running...aggghhh! Sorry for the melodrama...
 
Try this for AVG instead:
Download AppRemover and save to the desktop
  • Double click the setup on the desktop> click Next
  • Select “Remove Security Application”
  • Let scan finish to determine security apps
  • A screen like below will appear:
    (screenshot: chooseuninstall.gif)
  • Click on Next after choice has been made
  • Check the AVG program you want to uninstall
  • After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV if needed:
Avira-AntiVir-Personal-Free-Antivirus: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914
Avast Free Version: http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button
=====================================
Mbam is clean and the Eset scan is clean. Are you still having the redirects?
=====================================
Please go on to Combofix after removing AVG. Reboot the computer after removing AVG, before running Combofix.
====================================
About Revo or any other 'uninstaller.' Here is the order you should follow when uninstalling:
1. If the program has an uninstaller, use that: Hold mouse over program to open> look for 'uninstaller.'
2. If the program does not have its own uninstaller, go to Add/Remove Programs and uninstall there.
3. If the uninstaller has been damaged and you don't see the program in Add/Remove Programs, then use an uninstaller to remove the left-over files.

The uninstallers like Revo and the Windows Installer Cleanup Utility should not be used when wanting to fully uninstall. They should only be used when files remain after going through the correct uninstall path.
 
Yes, unfortunately, I still have the redirects. I notice that Opera does not seem to redirect, just IE and Firefox, if that helps at all. App Remover is not detecting AVG after it scans, just Malwarebytes and McAfee. Thanks for the tips on uninstalling software though. Do you think AVG is really there?

Oh, one more thing, I don't know if it matters, but I can see prior to clicking on a link whether it will redirect or not. When I hover the mouse over a google link that will ultimately result in a redirect, the address in the lower left corner of the window shows an address similar to this:

www.google.com/go?5240309

This is opposed to the targeted address that the link would normally bring me to. Whenever I see this, I WILL be redirected if I click on that link. Again, I don't know if this helps.

Should I run Combofix regardless of it saying that AVG is running even if I cannot find its presence anywhere? Obviously, I won't do anything until I hear from you. Thanks.
 
Please go ahead and attempt Combofix. If it has an issue with remaining AVG entries, it will let you know!
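Editor's added example, not code from any poster in this thread nor from ComboFix or AVG: a PowerShell check that lists the antivirus products registered with Windows Security Center and flags any registration that claims to be enabled but whose program file no longer exists, which is one way a product removed without a proper uninstall can still be reported as an active AV. It assumes PowerShell 2.0 or later, the WMI class AntiVirusProduct in root\SecurityCenter (Windows XP) or root\SecurityCenter2 (Vista and later), and that scanners such as ComboFix derive their "AV: ... *Enabled*" header lines from this same registry (an assumption, not something the thread states).

```powershell
# Added example (not from this thread, ComboFix or AVG): list antivirus products
# registered with Windows Security Center and flag stale registrations.
# Assumptions: PowerShell 2.0 or later; WMI class AntiVirusProduct exists in
# root\SecurityCenter (Windows XP) or root\SecurityCenter2 (Vista and later).

function Get-AvRegistration {
    $results = @()
    foreach ($ns in @('root\SecurityCenter', 'root\SecurityCenter2')) {
        # A namespace that does not exist on this Windows version is silently skipped.
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            # XP's class carries onAccessScanningEnabled and pathToEnableOnAccessUI;
            # the Vista+ class carries productState and pathToSignedProductExe.
            $exe = $null
            foreach ($name in @('pathToSignedProductExe', 'pathToEnableOnAccessUI')) {
                $prop = $p.PSObject.Properties[$name]
                if ($prop -and $prop.Value) { $exe = [string]$prop.Value; break }
            }

            $enabled = $null
            if ($p.PSObject.Properties['onAccessScanningEnabled']) {
                $enabled = [bool]$p.onAccessScanningEnabled
            } elseif ($p.PSObject.Properties['productState']) {
                # Bit 0x1000 of productState is the commonly documented "enabled" flag
                # on Vista and later (assumption about the undocumented bit layout).
                $enabled = (([long]$p.productState) -band 0x1000) -ne 0
            }

            $exists = $false
            if ($exe) {
                # Strip surrounding quotes and expand %ProgramFiles%-style variables
                # before checking whether the registered program file is still present.
                $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
                $exists = Test-Path -LiteralPath $path
            }

            $results += New-Object PSObject -Property @{
                Namespace    = $ns
                DisplayName  = $p.displayName
                InstanceGuid = $p.instanceGuid
                Enabled      = $enabled
                Executable   = $exe
                ExecutableOK = $exists
                # A registration that says "enabled" while its executable is gone is
                # stale: the product was removed without clearing its Security Center entry.
                Stale        = ($enabled -and -not $exists)
            }
        }
    }
    return $results
}

function Show-AvSummary {
    $regs = @(Get-AvRegistration)
    $regs | Format-Table Namespace, DisplayName, Enabled, ExecutableOK, Stale, Executable -AutoSize

    # Two or more resident scanners claiming to be active is the "multiple antivirus
    # programs" situation; they interfere with each other and with removal tools.
    $active = @($regs | Where-Object { $_.Enabled })
    if ($active.Count -gt 1) {
        Write-Warning ("{0} antivirus products report as enabled; only one resident AV should be active." -f $active.Count)
    }
    foreach ($r in @($regs | Where-Object { $_.Stale })) {
        Write-Warning ("Stale registration: '{0}' {1} is enabled but its program file is missing." -f $r.DisplayName, $r.InstanceGuid)
    }
}

Show-AvSummary
```

Run it from an elevated PowerShell prompt; the InstanceGuid column can be compared directly with the GUIDs a scanner prints beside each AV line.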
 
ComboFix 11-05-04.04 - Thomas Love 05/05/2011 16:41:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.527 [GMT -4:00]
Running from: c:\documents and settings\Thomas Love\Desktop\ComboFix.exe
AV: AVG 7.5.485 *Enabled/Updated* {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Thomas Love\GoToAssistDownloadHelper.exe
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-03 23:53 . 2011-05-03 23:53 -------- d-----w- c:\program files\ESET
2011-05-02 14:38 . 2011-05-02 14:39 -------- d-----w- c:\windows\system32\GroupPolicy
2011-05-02 02:22 . 2011-05-02 02:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-05-02 02:19 . 2011-05-02 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-05-02 02:19 . 2011-05-05 12:39 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-30 16:43 . 2011-04-30 16:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-30 16:42 . 2011-04-30 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2011-04-30 16:42 . 2011-04-30 16:42 -------- d-----w- c:\program files\Walgreens
2011-04-28 13:31 . 2011-04-28 13:31 -------- d-----w- c:\documents and settings\Thomas Love\Application Data\Panda Security
2011-04-28 13:29 . 2011-05-04 04:00 -------- d-----w- c:\program files\Panda Security
2011-04-28 13:29 . 2011-04-28 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-04-28 13:10 . 2011-05-04 03:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 13:10 . 2011-04-28 13:10 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-28 13:09 . 2011-04-28 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-28 01:33 . 2011-04-28 01:33 -------- d-----w- c:\documents and settings\Thomas Love\Application Data\Yahoo!
2011-04-28 01:33 . 2011-04-28 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-04-27 14:32 . 2011-04-27 14:32 -------- d-----w- c:\documents and settings\Thomas Love\Application Data\Malwarebytes
2011-04-27 13:54 . 2011-04-27 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-27 13:54 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 13:54 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-27 13:54 . 2011-04-27 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 21:35 . 2011-04-22 21:35 -------- d-----w- c:\program files\iPod
2011-04-22 21:35 . 2011-04-22 21:37 -------- d-----w- c:\program files\iTunes
2011-04-22 21:21 . 2011-04-22 21:21 -------- d-----w- c:\program files\Bonjour
2011-04-19 23:21 . 2011-04-19 23:21 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{87DF5956-A327-4304-8338-8E2B0AAB843E}\NewShortcut4_838BDC75346D4F49BD1D5328F986CD86.exe
2011-04-19 23:21 . 2011-04-19 23:21 413696 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{87DF5956-A327-4304-8338-8E2B0AAB843E}\NewShortcut2_5B2EDCAA303A43629DACC3FFFABD0901.exe
2011-04-19 23:21 . 2011-04-19 23:21 413696 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{87DF5956-A327-4304-8338-8E2B0AAB843E}\NewShortcut1_9F9ABBA94B874F449DBFBD7EB1332F16.exe
2011-04-19 23:21 . 2011-04-19 23:21 413696 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{87DF5956-A327-4304-8338-8E2B0AAB843E}\ARPPRODUCTICON.exe
2011-04-07 01:17 . 2011-04-07 01:17 -------- d-----w- c:\documents and settings\Thomas Love\Local Settings\Application Data\Research In Motion
2011-04-07 01:16 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 01:50 . 2011-03-15 01:50 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{84A78614-0E4B-4A4E-BA8C-2B0A05A08E4E}\NewShortcut4_838BDC75346D4F49BD1D5328F986CD86.exe
2011-03-15 01:50 . 2011-03-15 01:50 413696 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{84A78614-0E4B-4A4E-BA8C-2B0A05A08E4E}\NewShortcut2_5B2EDCAA303A43629DACC3FFFABD0901.exe
2011-03-15 01:50 . 2011-03-15 01:50 413696 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{84A78614-0E4B-4A4E-BA8C-2B0A05A08E4E}\NewShortcut1_9F9ABBA94B874F449DBFBD7EB1332F16.exe
2011-03-07 05:33 . 2006-05-12 18:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2011-03-03 22:47 . 2011-03-03 22:47 69632 ----a-r- c:\documents and settings\Thomas Love\Application Data\Microsoft\Installer\{2E8131B2-8DAF-41E2-B954-18FD5DEF0B54}\DesktopMgr.exe
2011-03-03 13:21 . 2006-05-12 18:22 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:18 . 2006-05-12 18:21 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-05-12 18:21 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 16:55 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-16 22:56 . 2011-02-16 22:56 64000 ----a-w- c:\windows\system32\drivers\RimUsb.sys
2011-02-15 12:56 . 2006-05-12 18:20 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2006-05-12 18:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2006-05-12 18:21 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-05-12 18:20 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-05-12 18:21 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-05-12 18:21 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-10-14 03:28 . 2010-11-02 00:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-03-17 22:45 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-03-17 22:45 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-03-17 22:45 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2004-06-30 49152]
"TRot.exe"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2005-11-29 266240]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-25 110592]
"TPSMain"="TPSMain.exe" [2006-04-25 315392]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 126976]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-02-23 86016]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TFncKy"="TFncKy.exe" [BU]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2004-12-16 90112]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-23 122880]
"SkyTel"="SkyTel.EXE" [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"NDSTray.exe"="NDSTray.exe" [BU]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-12 299008]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2006-04-12 798720]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-03-17 670864]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-26 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 24576]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2010-12-15 75072]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2010-12-15 316736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\Thomas Love\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Sticky Notes.lnk - c:\windows\system32\stikynot.exe [2006-5-12 159232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-21 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
LivePost.lnk - c:\windows\Installer\{57B5ABFC-8BD0-4CE6-8DFC-42ED54D46D96}\_6024B855C8086574E94A6F.exe [2009-6-15 1150]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-5-12 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
2006-03-02 21:51 53248 ----a-w- c:\windows\system32\TSigNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147476082\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/2004 2:31 AM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [5/12/2006 5:16 PM 6144]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/10/2010 2:41 PM 84072]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [5/12/2006 5:05 PM 5888]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [5/12/2006 2:21 PM 14336]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/1/2010 8:22 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/1/2010 8:22 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/1/2010 8:22 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/1/2010 8:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/1/2010 7:05 PM 141792]
R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [1/11/2010 3:10 PM 82944]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/24/2006 11:24 PM 98560]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [5/12/2006 5:05 PM 126976]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/10/2010 2:41 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/10/2010 2:41 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/10/2010 2:41 PM 88544]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [5/12/2006 4:56 PM 8832]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/12/2006 7:50 AM 14208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2010 5:16 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2010 5:16 PM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/10/2010 2:41 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/10/2010 2:41 PM 84264]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/23/2008 2:10 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/19/2009 4:22 PM 174720]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - BMLoad
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 21:16]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.emortgagelogic.com/www/index.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxps://web11.farvv.com/sn/ImageUploader6.cab
FF - ProfilePath - c:\documents and settings\Thomas Love\Application Data\Mozilla\Firefox\Profiles\olrqrkyz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nefar.com/memberMain.php|http://flexmls.realtyweb.net/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVGFRE~1\avgw.exe
AddRemove-Convert Image To PDF_is1 - c:\program files\Softinterface
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 16:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3875979560-2766346231-3334871990-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\TSigNP.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll
c:\program files\Protector Suite QL\mysafe.dll
.
- - - - - - - > 'explorer.exe'(3716)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Common Files\microsoft shared\ink\tipband.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\TPSODDCtl.exe
c:\windows\system32\thpsrv.exe
c:\windows\system32\TFNF5.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TME3\TMETEMNU.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\SkyTel.EXE
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\CFXFER.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\LivePost\LivePost powered by PostNexus\AppStart.exe
c:\program files\LivePost\LivePost powered by PostNexus\3.2.0.47\PNlaunch.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2011-05-05 17:18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-05 21:17
.
Pre-Run: 53,132,767,232 bytes free
Post-Run: 53,059,158,016 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
.
- - End Of File - - 82E5798AA11B49B79099A6B67349AF59
 
Maybe I'm being premature, but my browser does not seem to be redirecting after running Combofix. Bated breath... do you see anything in the log that suggests a bug being removed?
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
Folder::
c:\documents and settings\Thomas Love\Application Data\Panda Security
c:\program files\Panda Security
c:\documents and settings\All Users\Application Data\Panda Security
c:\program files\Hitman Pro 3.5
c:\documents and settings\All Users\Application Data\Hitman Pro

SecCenter::
{41564737-3200-1071-989B-0000E87B4FB1}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"=-
"CFSServ.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
I have removed Hitman Pro. This is a bundle of free software programs which can all be found on the internet. The free programs will remove bad entries. But Hitman will only do that during the trial period. After that they make you buy the program. If you did that, ask for your money back.
=====================
Some slow day, you might want to check out the multiple installs Toshiba preloads. Any that aren't being used can be stopped and/or uninstalled.
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started, click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
Most of what it finds will be harmless or even required.
If you want to go ahead and handle the Toshiba processes below, it's okay to do so.
=============================
These are the Toshiba processes found in many logs. I've grouped program and processes for each so they won't all be together in the HJT log. I took the Power Saver out and copied it at the end so you know what it is. None of these processes need to start on boot, so you can include them with the first section or you can do them separately. So the 3 steps are:
1. You stop the process in HJT
Boot into Safe Mode.
2. Follow the steps to use the msconfig utility to take process off of Startup
3. Change Service Startup type to Manual
Uninstall any processes you don't use
Then reboot back into Normal Mode
Please print out the list of the Toshiba programs you checked in the HJT log

Step 1: Check each of the following processes in the HJT log, if present:
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe> mobile and wireless computing, enabling Toshiba notebook users to easily switch profiles and devices as needed.
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe> tray icon for above
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
-------------------
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
---------------------
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe>>offers easy movement and freedom of programs navigation with TouchPad
-------------------------
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe>> configuration tray icon for Toshiba laptops. Available via Start -> Settings -> Control Panel
-----------------------
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\ZoomingHook.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
---------------------
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
---------------------
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
------------------------------
C:\WINDOWS\system32\TCtrlIOHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
----------------------
C:\WINDOWS\system32\TPSBattM.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP>> utility that allows you to change various hardware settings
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL

When finished all of above, close all Windows except HijackThis and click on "Fix Checked"
======================================================
These are the Power Saver entries> Do not check for removal in HJT
C:\WINDOWS\system32\TPSMain.exe>> Provides access to Power Saver settings on a Toshiba laptop.
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
===================================================
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Step 2: Using the msconfig utility to take processes off the Startup Menu:
To remove entries from the Startup Menu using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>

    In New Orleans, this would be called Lagniappe. It means a small gift given with a purchase to a customer, by way of compliment or for good measure; bonus. ...
 