Inactive Search is starting automatically

sumeshmd

Hi all,

I am facing a new problem with my laptop. When I start my laptop, a search window pops up. Even if I close it, it pops up again. I have to press one of the function keys to stop it for some time, but after a while it pops up again.
Also, if I open Notepad, it opens a search window inside it. The same happens with Mozilla Firefox. It is as if I have pressed Ctrl+F.

The laptop is an HP Compaq C700 and the OS is Windows 7 Ultimate.

I have run MBAM and HijackThis. They found some malware, but the problem remains the same.

It is really annoying. Please help.
 
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7725

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/21/2011 12:01:06 AM
mbam-log-2011-09-21 (00-01-06).txt

Scan type: Quick scan
Objects scanned: 173637
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-20 23:53:41
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9200827AS rev.3.BHA
Running: gnhppxlf.exe; Driver: C:\Users\sumesh\AppData\Local\Temp\kwdiqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by sumesh at 23:54:51 on 2011-09-20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2039 [GMT 5.5:30]
.
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe
C:\Users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Reliance Netconnect+\bin\App.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [googletalk] c:\users\sumesh\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
TCP: Interfaces\{8A57C6E6-97D0-42ED-B201-FEB7B3C6F878} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor.dll
FF - component: c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\sumesh\appdata\roaming\mozilla\firefox\profiles\bworhnp9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll
FF - plugin: c:\users\sumesh\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\users\sumesh\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\sumesh\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-27 11608]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-27 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-27 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-27 56816]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-2 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-17 47640]
R2 UDisk Monitor;UDisk Monitor;c:\program files\reliance netconnect+\bin\MonServiceUDisk.exe [2011-8-25 512000]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-5-20 539184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-8-25 105472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]
.
=============== Created Last 30 ================
.
2011-09-20 17:54:39 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-20 17:54:34 399920 ----a-w- c:\windows\system32\vmnat.exe
2011-09-20 17:54:34 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-09-20 17:54:30 760368 ----a-w- c:\windows\system32\vnetlib.dll
2011-09-20 17:53:46 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-09-20 17:52:52 -------- d-----w- c:\program files\common files\VMware
2011-09-20 17:51:46 -------- d-----w- c:\program files\VMware
2011-09-19 18:20:37 388096 ----a-r- c:\users\sumesh\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-19 18:20:37 -------- d-----w- c:\program files\Trend Micro
2011-09-16 03:40:34 -------- d-----w- c:\users\sumesh\appdata\roaming\Malwarebytes
2011-09-16 03:40:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-16 03:40:19 -------- d-----w- c:\programdata\Malwarebytes
2011-09-16 03:40:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 07:25:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-04 07:25:21 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-09-04 07:25:21 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-09-04 07:25:21 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-09-04 07:25:21 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-04 07:25:21 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-04 07:25:21 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-09-04 07:25:21 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-31 05:42:47 -------- d-----w- c:\windows\pss
2011-08-27 12:03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-27 12:03:34 -------- d-----w- c:\programdata\Avira
2011-08-27 12:03:34 -------- d-----w- c:\program files\Avira
2011-08-27 10:52:10 -------- d-----w- c:\program files\IVT Corporation
2011-08-25 18:16:43 -------- d-----w- c:\users\sumesh\appdata\roaming\ZTEEVDO
2011-08-25 18:15:39 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2011-08-25 18:15:36 -------- d-----w- c:\program files\Reliance Netconnect+
.
==================== Find3M ====================
.
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 23:55:24.04 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 4/12/2010 8:07:55 AM
System Uptime: 9/20/2011 11:15:17 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30D9
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | CPU | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 89 GiB total, 48.706 GiB free.
D: is FIXED (NTFS) - 87 GiB total, 33.381 GiB free.
E: is FIXED (NTFS) - 10 GiB total, 2.287 GiB free.
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP27: 5/31/2011 12:34:25 PM - Scheduled Checkpoint
RP28: 8/27/2011 4:21:52 PM - Installed Bluesoleil2.6.0.8 Release 070517
RP29: 8/27/2011 4:44:09 PM - Removed VEVA
RP30: 8/27/2011 4:45:01 PM - Removed Skype Toolbars
RP31: 8/27/2011 4:45:32 PM - Removed Ringomax v9.7
RP32: 8/27/2011 4:46:02 PM - Removed Ringomax Premium
RP34: 8/27/2011 5:33:02 PM - Avira AntiVir Personal - 8/27/2011 17:33
RP35: 9/4/2011 2:13:16 PM - Scheduled Checkpoint
RP36: 9/19/2011 11:50:13 PM - Installed HiJackThis
.
==== Installed Programs ======================
.
2007 Microsoft Office system
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Bluesoleil2.6.0.8 Release 070517
Conexant HD Audio
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Google Chrome
Google Talk (remove only)
Google Talk Plugin
HiJackThis
Intel(R) Graphics Media Accelerator Driver
LogMeIn
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 6.0.2 (x86 en-US)
MSVCRT
Nero 8
neroxml
OGA Notifier 2.0.0048.0
Picasa 3
Reliance Netconnect+
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 4.2
SUPER © Version 2008.bld.32 (July 8, 2008)
tools-freebsd
tools-linux
tools-netware
tools-solaris
tools-windows
tools-winPre2k
Touch Pad Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb979895)
VLC media player 1.0.1
VMware Workstation
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
WordWeb
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
9/19/2011 11:58:03 PM, Error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
9/19/2011 11:58:02 PM, Error: Service Control Manager [7034] - The Hotspot Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).
9/19/2011 11:11:54 AM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
9/16/2011 10:00:25 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/16/2011 10:00:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/16/2011 10:00:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/16/2011 10:00:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/16/2011 10:00:11 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr ssmdrv tdx vwififlt Wanarpv6 WfpLwf
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/16/2011 10:00:10 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/13/2011 9:46:22 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR6.
.
==== End Of File ===========================
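An added example, not part of the original thread or of any of the tools mentioned in it: a small triage script for the kind of DDS/ComboFix log pasted above. It flags four things a helper reads for first: security products reported as disabled or outdated, autostart entries launching from a user-writable profile folder, files in \Windows carrying both the hidden and system attributes (the `--sh--r-` entries in the Find3M section), and system files that report the same version under two different MD5s in a Sigcheck section. The sample log inside the script is constructed for this example and only mirrors the line formats seen in this thread; the shortened winsxs path is a placeholder, and every check is a review heuristic, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the line formats DDS and ComboFix emit, modelled on the
# logs posted in this thread (winsxs path shortened). Not a real log.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uRun: [googletalk] c:\users\sumesh\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2011-08-27 12:03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-20 17:52:52 -------- d-----w- c:\program files\common files\VMware
[-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_user32\user32.dll
"""

AV_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\*")
RUN_RE = re.compile(r'^([um])Run: \[([^\]]+)\] "?(.+?\.exe)', re.IGNORECASE)
# date time size-or-dashes 8-char-attributes path   (DDS "Created Last 30" / Find3M lines)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})? (?:\d+|-{8}) ([-a-z]{8}) (.+)$")
# [flag] date . MD5 . size . . [version] . . path   (ComboFix Sigcheck lines)
SIG_RE = re.compile(r"^\[.\] \S+ \. ([0-9A-Fa-f]{32}) \. \d+ \. \. \[([^\]]+)\] \. \. (.+)$")


@dataclass(frozen=True)
class Finding:
    check: str   # name of the heuristic that fired
    detail: str  # the log line or derived fact a helper would look at


def triage(log_text: str) -> list:
    """Run the four triage heuristics over DDS/ComboFix-style log lines."""
    findings = []
    hashes = defaultdict(set)  # (basename, version) -> {md5, ...}

    for line in log_text.splitlines():
        line = line.strip()

        m = AV_RE.match(line)
        if m:
            kind, product, state, freshness = m.groups()
            if state != "Enabled" or freshness != "Updated":
                findings.append(Finding("av_not_protecting", f"{kind} {product}: {state}/{freshness}"))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, exe = m.groups()
            # Autostarts launched from a user-writable profile folder get a look;
            # many are legitimate (this one is Google Talk), so it is a review queue.
            if "\\appdata\\" in exe.lower():
                findings.append(Finding("autostart_from_profile", f"{hive}Run [{name}] {exe}"))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # DDS attribute string: 's' = system, 'h' = hidden. Both set on a file
            # under \Windows is unusual for ordinary software and worth checking.
            if "s" in attrs and "h" in attrs and "\\windows\\" in path.lower():
                findings.append(Finding("hidden_system_file", f"{attrs} {path}"))
            continue

        m = SIG_RE.match(line)
        if m:
            md5, version, path = m.groups()
            basename = path.rsplit("\\", 1)[-1].lower()
            hashes[(basename, version)].add(md5.upper())

    # Two copies reporting the same version but different MD5s: one of them has
    # been modified. The WinSxS copy is the reference to compare System32 against.
    for (basename, version), md5s in hashes.items():
        if len(md5s) > 1:
            findings.append(Finding("hash_mismatch", f"{basename} [{version}]: {', '.join(sorted(md5s))}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per check so a helper sees at a glance what fired."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.check] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:24} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved DDS or ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`. On the sample it reports both security products, the Google Talk autostart, `flvDX.dll`, and the `user32.dll` hash mismatch; each is a starting point for the helper's questions, not a removal instruction.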
 
Okay, I have some questions:

1. What is the search Window for? Is there any URL in the Address Bar? Or is this just an empty search box? Does the Window have any particular search engine associated with it?

2. The install date for Windows 7 is almost a year and a half ago, but you have no Windows Updates or Security updates. The only updates I see are for MS Office. Is there some reason you aren't getting updates?

3. I note you have Reliance Netconnect+. There are some complaints made about the annoying connections this program makes. Did the search pop up start after you installed this program? Do you see any indication in the search Window of this program?

4. I notice that you're running a remote log-in. Are you actively using this now?
=====================================
Please note: If you have previously run Combofix and it is still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open in a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
    [o] Please Do not Attach logs or put in code boxes
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
 
Hi Bobbye,

Thanks for the quick response. First I will answer your questions.

1. What is the search Window for? Is there any URL in the Address Bar? Or is this just an empty search box? Does the Window have any particular search engine associated with it?

The search window is a blank one. When it opens, it blinks all my previous searches in the right corner.

2. The install date for Windows 7 is almost a year and a half ago, but you have no Windows Updates or Security updates. The only updates I see are for MS Office. Is there some reason you aren't getting updates?

I was not using the internet on this laptop for a long time, so I disabled updates.

3. I note you have Reliance Netconnect+. There are some complaints made about the annoying connections this program makes. Did the search pop up start after you installed this program? Do you see any indication in the search Window of this program?

No. I got the internet connection recently, but the problem has been there for some time. It was not severe before; the problem was only at startup. But now it comes up in all programs, since I got the internet connection.

4. I notice that you're running a remote log-in- are you actively using this now?

Not using it that much.

ComboFix log:

ComboFix 11-09-20.04 - sumesh 09/21/2011 9:03.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1923 [GMT 5.5:30]
Running from: d:\downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\sumesh\AppData\Roaming\.#
c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 03:39 . 2011-09-21 03:41 -------- d-----w- c:\users\sumesh\AppData\Local\temp
2011-09-21 03:39 . 2011-09-21 03:39 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2011-09-21 03:39 . 2011-09-21 03:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-20 17:54 . 2010-05-20 19:26 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-20 17:54 . 2010-05-20 19:26 399920 ----a-w- c:\windows\system32\vmnat.exe
2011-09-20 17:54 . 2010-05-20 19:23 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-09-20 17:54 . 2010-05-20 19:25 760368 ----a-w- c:\windows\system32\vnetlib.dll
2011-09-20 17:53 . 2010-05-20 19:25 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-09-20 17:52 . 2011-09-20 17:52 -------- d-----w- c:\program files\Common Files\VMware
2011-09-20 17:51 . 2011-09-21 03:41 -------- d-----w- c:\programdata\VMware
2011-09-20 17:51 . 2011-09-20 17:51 -------- d-----w- c:\program files\VMware
2011-09-19 18:20 . 2011-09-19 18:20 388096 ----a-r- c:\users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-19 18:20 . 2011-09-19 18:20 -------- d-----w- c:\program files\Trend Micro
2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\users\sumesh\AppData\Roaming\Malwarebytes
2011-09-16 03:40 . 2011-08-31 11:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\programdata\Malwarebytes
2011-09-16 03:40 . 2011-09-16 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 07:25 . 2011-09-09 09:29 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-04 07:25 . 2011-09-09 09:29 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-04 07:25 . 2011-09-09 09:29 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-04 07:25 . 2011-09-09 09:29 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-04 07:25 . 2011-09-09 09:29 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-04 07:25 . 2011-09-09 09:29 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-04 07:25 . 2011-08-30 19:41 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-04 07:25 . 2011-08-30 19:41 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-27 12:03 . 2011-08-27 12:32 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-27 12:03 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-27 12:03 . 2011-08-27 12:03 -------- d-----w- c:\programdata\Avira
2011-08-27 12:03 . 2011-08-27 12:03 -------- d-----w- c:\program files\Avira
2011-08-27 10:53 . 2011-08-27 10:54 -------- d-----w- c:\programdata\Bluetooth
2011-08-27 10:52 . 2011-08-27 10:52 -------- d-----w- c:\program files\IVT Corporation
2011-08-25 18:16 . 2011-08-25 18:20 -------- d-----w- c:\users\sumesh\AppData\Roaming\ZTEEVDO
2011-08-25 18:15 . 2010-11-04 04:45 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2011-08-25 18:15 . 2011-08-25 18:15 -------- d-----w- c:\program files\Reliance Netconnect+
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:29 . 2011-09-04 07:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-13 10:31 136176 ----atw- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 11:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 06:52 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 12:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 10:59 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 22:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-08-27 108289]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 512000]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-05-20 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 539184]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 105472]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
FF - ProfilePath - c:\users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-09-21 09:14:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 03:44
.
Pre-Run: 53,337,206,784 bytes free
Post-Run: 53,835,780,096 bytes free
.
- - End Of File - - 18911BCB3E651D3A5002D5FEB99CCCDA
 
another problem i have seen is when i open notepad, current date and time is typing on it automatically...
 
C:\System Volume Information\_restore{02331B4C-20DB-4909-A303-D5B72EBA27D8}\RP23\A0002908.exe a variant of Win32/HotSpotShield application
C:\System Volume Information\_restore{02331B4C-20DB-4909-A303-D5B72EBA27D8}\RP24\A0003540.exe a variant of Win32/HotSpotShield application
C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
C:\Windows.old.000\Windows\Temp\hss_update.exe a variant of Win32/HotSpotShield application
 
another problem i have seen is when i open notepad, current date and time is typing on it automatically.

Open Notepad> Click on Edit> Uncheck Time and Date at the bottom of the drop down menu> Click on Apply> OK.

It's not really a problem- it was set up that way- easy to change.
==============================================
search window is a blank one. when it opens it will blink all my previous searches on the right corner.
This sounds a bit like a pop-under. Do you have a pop up stopper? The pop-under can be controlled with that> The pop-under actually comes up under a Window and if you close your current Window, you will then notice the pop-under site.
A pop-under will usually show on the Taskbar> blinking.
================================
i was not using internet for a long time in this laptop. so disabled update
but now you are using it and the system is full of vulnerabilities! I advise bringing the system current with updates.

9/19/2011 11:11:54 AM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
This event is reported after detection of memory corruption by firmware after a power transition or sleep event.
Contact your hardware vendor to obtain the updated firmware and BIOS to address this issue.

You can download this Microsoft Document which more fully describes this problem.
=================================
i have run mbam and hijackthis. got some malware, but the problem remains same.
Some information about these programs: Mbam will remove malware entries if you have checked the line directing the removal. The current Mbam log does not show any malware.

HijackThis, when run, doesn't remove anything. Most of the entries you see will be for normal, legitimate processes. We can stop some of the entries by repeating the scan and checking specific processes. However, neither of these scans alone is likely to remove all the malware entries, and using both of them cannot be expected to remove all either.
==================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :
    :Files 
    C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe 
    C:\Windows.old.000\Windows\Temp\hss_update.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
FileLook::
c:\windows\System32\flvDX.dll
c:\windows\System32\msfDX.dll
c:\windows\System32\nbDX.dll
Folder::
c:\users\sumesh\AppData\Local\temp
c:\users\LogMeInRemoteUser\AppData\Local\temp
c:\users\Default\AppData\Local\temp
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
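The CFScript above asks ComboFix to "Look" at the three hidden, system, read-only DLLs from the Find3M report and the Sigcheck section flags the live user32.dll as differing from its WinSxS reference copy. As an added example, not part of this thread or of ComboFix, here is a PowerShell script a defender can run to collect the same evidence by hand: attributes, version resource, hashes and signature state for each flagged file, plus a direct hash comparison of user32.dll against the component-store copy. Paths are the ones printed in the log; the script assumes PowerShell 4.0 or later (for Get-FileHash), which is not what Windows 7 ships with by default.

```powershell
# Added example, not from the thread. Assumes PowerShell 4.0+ (Get-FileHash).
# File paths are the ones ComboFix listed in the Find3M and Sigcheck sections.
$suspect = @(
    'C:\Windows\System32\flvDX.dll',
    'C:\Windows\System32\msfDX.dll',
    'C:\Windows\System32\nbDX.dll'
)

function Get-FileReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    # -Force is required or Get-Item silently skips Hidden/System files,
    # which is exactly the "--sh--r-" attribute set ComboFix reported.
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Attributes = $item.Attributes.ToString()            # Hidden, System, ReadOnly ...
        Company    = $item.VersionInfo.CompanyName
        OrigName   = $item.VersionInfo.OriginalFilename     # *.ax original name on a *.dll = renamed file
        Size       = $item.Length
        MD5        = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA1       = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SigStatus  = $sig.Status.ToString()                 # Valid / NotSigned / HashMismatch ...
        Signer     = $signer
    }
}

# Compare a live system file with the reference copy in the component store.
# ComboFix's "[-]" marker means the two differ; this shows how and by how much.
function Compare-WithReference {
    param(
        [Parameter(Mandatory)][string]$Live,
        [Parameter(Mandatory)][string]$Reference
    )
    $liveHash = (Get-FileHash -LiteralPath $Live -Algorithm SHA256).Hash
    $refHash  = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash
    [pscustomobject]@{
        Live          = $Live
        Reference     = $Reference
        SameHash      = ($liveHash -eq $refHash)
        LiveVersion   = (Get-Item -LiteralPath $Live).VersionInfo.FileVersion
        RefVersion    = (Get-Item -LiteralPath $Reference).VersionInfo.FileVersion
        LiveModified  = (Get-Item -LiteralPath $Live).LastWriteTimeUtc
        RefModified   = (Get-Item -LiteralPath $Reference).LastWriteTimeUtc
        # Caveat: on Windows 7 Get-AuthenticodeSignature does not consult
        # catalog (.cat) files, so NotSigned for an OS DLL is not by itself a
        # finding; the hash/version/date comparison above is the useful signal.
        LiveSignature = (Get-AuthenticodeSignature -FilePath $Live).Status.ToString()
    }
}

$suspect | ForEach-Object { Get-FileReport -Path $_ } | Format-List

$live = 'C:\Windows\System32\user32.dll'
$ref  = 'C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll'
Compare-WithReference -Live $live -Reference $ref | Format-List
```

Run it from an elevated PowerShell prompt so the component-store path is readable. Match the MD5/SHA1 values it prints against the ones in the ComboFix "Look" section; a mismatch between the two runs means the file changed between the scans. An OriginalFilename that does not match the file's current name (FLVSplitter.ax stored as flvDX.dll, for instance) is worth noting, but as the log itself says, an unsigned or renamed file is not necessarily malware.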
 
Open Notepad> Click on Edit> Uncheck Time and Date at the bottom of the drop down menu> Click on Apply> OK.

It's not really a problem- it was set up that way- easy to change.
==============================================

it is not typing one time... date and time will fill entire notepad. and that is not checked

This sounds a bit like a pop-under. Do you have a pop up stopper? The pop-under can be controlled with that> The Pop-under actually comes up under a Window and if you close your current Window, you will them notice the pop-under site.
A pop-under will usually show on the Taskbar> blinking.
================================

no pop up blocker except the one in firefox

 
ComboFix 11-09-20.04 - sumesh 09/27/2011 23:19:05.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.1989 [GMT 5.5:30]
Running from: D:\Downloads\ComboFix.exe
Command switches used :: D:\Downloads\cfscript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

- REDUCED FUNCTIONALITY MODE -


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\users\Default\AppData\Local\temp
c:\users\LogMeInRemoteUser\AppData\Local\temp
c:\users\sumesh\AppData\Local\temp
c:\users\sumesh\AppData\Local\temp\Av-test.txt
c:\users\sumesh\AppData\Local\temp\FXSAPIDebugLogFile.txt


((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))


2011-09-27 17:49:59 . 2011-09-27 17:49:59 -------- d-----w- C:\Windows\system32\config\systemprofile\AppData\Local\temp
2011-09-27 17:25:06 . 2011-04-09 05:56:38 123904 ----a-w- C:\Windows\system32\poqexec.exe
2011-09-27 17:23:23 . 2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\system32\mfc42u.dll
2011-09-27 17:23:23 . 2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\system32\mfc42.dll
2011-09-27 17:23:15 . 2011-02-23 05:05:41 221696 ----a-w- C:\Windows\system32\drivers\mrxsmb10.sys
2011-09-27 17:23:15 . 2011-02-23 05:05:35 95744 ----a-w- C:\Windows\system32\drivers\mrxsmb20.sys
2011-09-27 17:23:15 . 2011-02-23 05:05:31 123392 ----a-w- C:\Windows\system32\drivers\mrxsmb.sys
2011-09-27 17:23:15 . 2011-02-23 05:05:25 69632 ----a-w- C:\Windows\system32\drivers\bowser.sys
2011-09-22 17:56:49 . 2011-09-22 17:56:49 -------- d-----w- C:\Users\sumesh\AppData\Roaming\Yahoo!
2011-09-21 05:26:31 . 2011-09-22 17:27:38 -------- d-----w- C:\Users\sumesh\AppData\Local\VMware
2011-09-21 05:26:30 . 2011-09-22 17:25:54 -------- d-----w- C:\Users\sumesh\AppData\Roaming\VMware
2011-09-21 04:04:18 . 2011-09-21 04:04:18 -------- d-----w- C:\Program Files\ESET
2011-09-20 17:54:39 . 2010-05-20 19:26:36 334384 ----a-w- C:\Windows\system32\vmnetdhcp.exe
2011-09-20 17:54:34 . 2010-05-20 19:26:18 399920 ----a-w- C:\Windows\system32\vmnat.exe
2011-09-20 17:54:34 . 2010-05-20 19:23:58 26288 ----a-w- C:\Windows\system32\drivers\vmnetuserif.sys
2011-09-20 17:54:30 . 2010-05-20 19:25:24 760368 ----a-w- C:\Windows\system32\vnetlib.dll
2011-09-20 17:53:46 . 2010-05-20 19:25:04 24624 ----a-w- C:\Windows\system32\drivers\VMkbd.sys
2011-09-20 17:52:52 . 2011-09-20 17:52:52 -------- d-----w- C:\Program Files\Common Files\VMware
2011-09-20 17:51:46 . 2011-09-27 17:39:52 -------- d-----w- C:\ProgramData\VMware
2011-09-20 17:51:46 . 2011-09-20 17:51:46 -------- d-----w- C:\Program Files\VMware
2011-09-19 18:20:37 . 2011-09-19 18:20:37 388096 ----a-r- C:\Users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-19 18:20:37 . 2011-09-19 18:20:37 -------- d-----w- C:\Program Files\Trend Micro
2011-09-16 03:40:34 . 2011-09-16 03:40:34 -------- d-----w- C:\Users\sumesh\AppData\Roaming\Malwarebytes
2011-09-16 03:40:29 . 2011-08-31 11:30:50 22216 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-09-16 03:40:19 . 2011-09-16 03:40:19 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-16 03:40:16 . 2011-09-16 03:54:34 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-09-04 07:25:22 . 2011-09-09 09:29:25 134104 ----a-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-09-04 07:25:21 . 2011-09-09 09:29:25 89048 ----a-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-09-04 07:25:21 . 2011-09-09 09:29:25 478168 ----a-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-09-04 07:25:21 . 2011-09-09 09:29:24 785368 ----a-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-09-04 07:25:21 . 2011-09-09 09:29:24 1846232 ----a-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-09-04 07:25:21 . 2011-09-09 09:29:24 15832 ----a-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-09-04 07:25:21 . 2011-08-30 19:41:03 2106216 ----a-w- C:\Program Files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-04 07:25:21 . 2011-08-30 19:41:03 1998168 ----a-w- C:\Program Files\Mozilla Firefox\d3dx9_43.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-08-27 12:32:19 . 2011-08-27 12:03:35 56816 ----a-w- C:\Windows\system32\drivers\avgntflt.sys
2011-09-09 09:29:25 . 2011-09-04 07:25:22 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06:54 163328 --sh--r- C:\Windows\System32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- C:\Windows\System32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- C:\Windows\System32\nbDX.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


--- c:\windows\System32\flvDX.dll ---
Company: Gabest
File Description: FLV Splitter
File Version: 1, 0, 0, 1
Product Name: FLV Splitter
Copyright: Copyright (C) 2005-2006 Gabest
Original Filename: FLVSplitter.ax
File size: 163328
Created time: 2010-04-11 16:09:07
Modified time: 2006-05-03 09:06:54
MD5: 8453687A045C926F0291301EBAF50370
SHA1: 8D756345C945B75EF63314FA8992F1B582067FF3


--- c:\windows\System32\msfDX.dll ---
Company: Hans Mayerl
File Description: msfDX.dll
File Version: 2.02.2113
Product Name: msfDX.dll
Copyright:
Original Filename: msfDX.dll
File size: 31232
Created time: 2010-04-11 16:09:07
Modified time: 2007-02-21 10:47:16
MD5: 21D8F42D54598B73C2E1A9571399113B
SHA1: ED711FAA61FDD6D53EACC7A99D60D95DD9137A7D


--- c:\windows\System32\nbDX.dll ---
Company: MONOGRAM Multimedia, s.r.o.
File Description: AMR Filter Pack
File Version: 1, 0, 1, 0
Product Name: MONOGRAM AMR Filter Pack
Copyright: Copyright (C) 2008
Original Filename: mmamr.ax
File size: 216064
Created time: 2010-04-11 16:09:07
Modified time: 2008-03-16 12:30:52
MD5: E4B6B932B6E5CE386627CEEA2A0A0F4C
SHA1: B9BCAAE7BB27161148E1301FC8D8CD3F568C6E22


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-01-09 07:41:39 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385 (win7_rtm.090713-1255)] . . C:\Windows\System32\user32.dll
[7] 2009-07-14 01:16:17 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385 (win7_rtm.090713-1255)] . . C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-07-14 01:14:38 1173504]
"Messenger (Yahoo!)"="C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 13:27:46 5248312]
"WordWeb"="C:\Program Files\WordWeb\wweb32.exe" [2009-11-08 19:18:00 65216]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-27 17:26:55 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2009-09-23 15:30:48 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2009-09-23 15:30:48 173592]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2009-09-23 15:30:48 150552]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 07:38:47 209153]
"Malwarebytes' Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 11:30:48 1047208]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 19:26:12 129584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-13 10:31:51 136176 ----atw- C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 11:37:58 1828136 ----a-w- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 06:52:02 63048 ----a-w- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 12:44:34 3883856 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 10:59:02 2221352 ----a-w- C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 22:27:46 26102056 ----a-r- C:\Program Files\Skype\Phone\Skype.exe

R2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:31 136176]
R2 UDisk Monitor;UDisk Monitor;C:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 15:06:34 512000]
R3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 02:53:02 22528]
R3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:31 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-04-13 05:16:02 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-13 23:52:04 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-08-27 12:32:19 108289]
S2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 07:41:32 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2010-01-27 06:52:02 12856]
S2 vmci;VMware vmci;C:\Windows\system32\Drivers\vmci.sys [2010-05-20 19:26:56 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 18:10:20 539184]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 22:13:45 207360]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 22:13:46 980992]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 22:13:45 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-13 23:52:10 14336]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;C:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 04:45:54 105472]


Contents of the 'Scheduled Tasks' folder

2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:37 . 2011-09-27 17:22:31]

2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22:37 . 2011-09-27 17:22:31]

2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
- C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31:53 . 2010-04-13 10:31:51]

2011-09-27 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
- C:\Users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31:53 . 2010-04-13 10:31:51]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: C:\Program Files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{2EC73E3C-7EF8-48AF-9305-0FF48457E2D5}: NameServer = 202.138.103.190 220.226.100.40
FF - ProfilePath - C:\Users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Completion time: 2011-09-27 23:21:29
ComboFix-quarantined-files.txt 2011-09-27 17:51:28
ComboFix2.txt 2011-09-21 03:44:20

Pre-Run: 66,531,991,552 bytes free
Post-Run: 66,362,544,128 bytes free

- - End Of File - - 9C377C5F99318DC493F66D52C67A1E7A
 
Error: Unable to interpret <:> in the current context!
========== FILES ==========
File/Folder C:\Windows.old\Program Files\Hotspot Shield\bin\openvpnas.exe not found.
File/Folder C:\Windows.old.000\Windows\Temp\hss_update.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Public
->Temp folder emptied: 0 bytes

User: sumesh
->Temp folder emptied: 7608264 bytes
->Temporary Internet Files folder emptied: 132439179 bytes
->FireFox cache emptied: 67768770 bytes
->Google Chrome cache emptied: 29719155 bytes
->Flash cache emptied: 16001 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7808192 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 234.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09272011_230721

Files moved on Reboot...
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-1856.log moved successfully.
File C:\Windows\temp\MPENGINE.DLL not found!
File C:\Windows\temp\TMP000000018DAA5311956F992F not found!

Registry entries deleted on Reboot...
 
ComboFix ran in REDUCED FUNCTIONALITY MODE. We will have to try to determine why:

Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This tool is to look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
 
When I ran ComboFix, it said a newer version was available and asked me to download it. I selected no. Then the message came that ComboFix had expired and it would run in reduced functionality mode.
 
Please see the new ComboFix log after the update.

ComboFix 11-09-29.06 - sumesh 10/01/2011 9:14.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2211 [GMT 5.5:30]
Running from: d:\downloads\ComboFix.exe
Command switches used :: d:\downloads\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\google\common\google updater\googleupdaterservice.exe
c:\users\Default\AppData\Local\temp
c:\users\LogMeInRemoteUser\AppData\Local\temp
c:\users\sumesh\AppData\Local\temp
c:\users\sumesh\AppData\Local\temp\catchme.dll
c:\users\sumesh\AppData\Local\temp\FXSAPIDebugLogFile.txt
c:\users\sumesh\AppData\Local\temp\nro.log\log\ShellManager_Log.txt
c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
.
.
((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
.
.
2011-10-01 03:51 . 2011-10-01 03:51 -------- d-----w- c:\users\sumesh\AppData\Local\Temp
2011-10-01 03:49 . 2011-10-01 03:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-09-27 17:25 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-09-27 17:23 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-09-27 17:23 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-09-27 17:23 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-27 17:23 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-09-27 17:23 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-27 17:23 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-22 17:56 . 2011-09-22 17:56 -------- d-----w- c:\users\sumesh\AppData\Roaming\Yahoo!
2011-09-21 05:26 . 2011-09-22 17:27 -------- d-----w- c:\users\sumesh\AppData\Local\VMware
2011-09-21 05:26 . 2011-09-22 17:25 -------- d-----w- c:\users\sumesh\AppData\Roaming\VMware
2011-09-21 04:04 . 2011-09-21 04:04 -------- d-----w- c:\program files\ESET
2011-09-20 17:54 . 2010-05-20 19:26 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-20 17:54 . 2010-05-20 19:26 399920 ----a-w- c:\windows\system32\vmnat.exe
2011-09-20 17:54 . 2010-05-20 19:23 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-09-20 17:54 . 2010-05-20 19:25 760368 ----a-w- c:\windows\system32\vnetlib.dll
2011-09-20 17:53 . 2010-05-20 19:25 24624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-09-20 17:52 . 2011-09-20 17:52 -------- d-----w- c:\program files\Common Files\VMware
2011-09-20 17:51 . 2011-10-01 03:51 -------- d-----w- c:\programdata\VMware
2011-09-20 17:51 . 2011-09-20 17:51 -------- d-----w- c:\program files\VMware
2011-09-19 18:20 . 2011-09-19 18:20 388096 ----a-r- c:\users\sumesh\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-19 18:20 . 2011-09-19 18:20 -------- d-----w- c:\program files\Trend Micro
2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\users\sumesh\AppData\Roaming\Malwarebytes
2011-09-16 03:40 . 2011-08-31 11:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-16 03:40 . 2011-09-16 03:40 -------- d-----w- c:\programdata\Malwarebytes
2011-09-16 03:40 . 2011-09-16 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 07:25 . 2011-09-09 09:29 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-04 07:25 . 2011-09-09 09:29 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-04 07:25 . 2011-09-09 09:29 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-04 07:25 . 2011-09-09 09:29 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-04 07:25 . 2011-09-09 09:29 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-04 07:25 . 2011-09-09 09:29 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-04 07:25 . 2011-08-30 19:41 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-04 07:25 . 2011-08-30 19:41 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-27 12:32 . 2011-08-27 12:03 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-09 09:29 . 2011-09-04 07:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\System32\nbDX.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\System32\flvDX.dll ---
Company: Gabest
File Description: FLV Splitter
File Version: 1, 0, 0, 1
Product Name: FLV Splitter
Copyright: Copyright (C) 2005-2006 Gabest
Original Filename: FLVSplitter.ax
File size: 163328
Created time: 2010-04-11 16:09
Modified time: 2006-05-03 09:06
MD5: 8453687A045C926F0291301EBAF50370
SHA1: 8D756345C945B75EF63314FA8992F1B582067FF3
.
.
--- c:\windows\System32\msfDX.dll ---
Company: Hans Mayerl
File Description: msfDX.dll
File Version: 2.02.2113
Product Name: msfDX.dll
Copyright:
Original Filename: msfDX.dll
File size: 31232
Created time: 2010-04-11 16:09
Modified time: 2007-02-21 10:47
MD5: 21D8F42D54598B73C2E1A9571399113B
SHA1: ED711FAA61FDD6D53EACC7A99D60D95DD9137A7D
.
.
--- c:\windows\System32\nbDX.dll ---
Company: MONOGRAM Multimedia, s.r.o.
File Description: AMR Filter Pack
File Version: 1, 0, 1, 0
Product Name: MONOGRAM AMR Filter Pack
Copyright: Copyright (C) 2008
Original Filename: mmamr.ax
File size: 216064
Created time: 2010-04-11 16:09
Modified time: 2008-03-16 12:30
MD5: E4B6B932B6E5CE386627CEEA2A0A0F4C
SHA1: B9BCAAE7BB27161148E1301FC8D8CD3F568C6E22
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-01-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\sumesh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-27 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-13 10:31 136176 ----atw- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 11:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 06:52 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 12:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 10:59 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-05 22:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 136176]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [2010-11-04 105472]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-08-27 108289]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect+\bin\MonServiceUDisk.exe [2011-02-21 512000]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-05-20 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 539184]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22]
.
2011-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-27 17:22]
.
2011-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000Core.job
- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
.
2011-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054017810-423255862-2823113913-1000UA.job
- c:\users\sumesh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
FF - ProfilePath - c:\users\sumesh\AppData\Roaming\Mozilla\Firefox\Profiles\bworhnp9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\windows\system32\taskhost.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-10-01 09:24:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-01 03:54
ComboFix2.txt 2011-09-27 17:51
ComboFix3.txt 2011-09-21 03:44
.
Pre-Run: 66,974,113,792 bytes free
Post-Run: 66,759,970,816 bytes free
.
- - End Of File - - EA1E150F3EB6A789DB8C55EEDBEA1D46
 
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0xc004c4ab
Windows Product Key: *****-*****-X92GV-V7DCV-P4K27
Windows Product Key Hash: aU2z1/fnhnLHmhBm699qYZT2E6s=
Windows Product ID: 00426-OEM-8992662-00400
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7600.2.00010100.0.0.001
ID: {4F709DBD-1593-4960-BC1C-EE51832AB9C2}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7600.win7_gdr.091207-1941
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
2007 Microsoft Office system - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4F709DBD-1593-4960-BC1C-EE51832AB9C2}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P4K27</PKey><PID>00426-OEM-8992662-00400</PID><PIDType>2</PIDType><SID>S-1-5-21-2054017810-423255862-2823113913</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>Compaq Presario C700 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.33</Version><SMBIOSVersion major="2" minor="4"/><Date>20080429000000.000000+000</Date></BIOS><HWID>EFBB3607018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>India Standard Time(GMT+05:30)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>QA09 </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><Val>8A2069E2CF8B42</Val><Hash>j384Xd3/PRRqo0hihFoMRPYhES4=</Hash><Pid>89451-417-1305973-66714</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0xC004C4AB
HealthStatus: 0x0000000000000000
Event Time Stamp: 10:14:2010 14:57
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: PAAAAAEAAgABAAMAAAADAAAABQABAAEAeqjwQMwi/JDUr4ZwwlDOcPxTsEEOrzjd0K4gZmbrcorgmyqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HPQOEM SLIC-MPC
FACP HP SPARTAN
HPET HPQOEM SLIC-MPC
BOOT HPQOEM SLIC-MPC
MCFG HPQOEM SLIC-MPC
ASF! HPQOEM SLIC-MPC
SLIC DELL QA09
SSDT PmRef CpuPm
 
Question:
You have an unsigned driver for c:\windows\System32\user32.dll

This file is also showing as a 'mismatch'.

Have you upgraded the Win 7 version?
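The Sigcheck section of the ComboFix log marks c:\windows\System32\user32.dll with [-] and a different MD5 from the copy in winsxs, and the MGA report lists the same file as a "File Mismatch" (Hr = 0x800b0100, which is TRUST_E_NOSIGNATURE). Before drawing a conclusion from either tool, a practitioner would reproduce both checks directly on the machine. The PowerShell below is an added example for that purpose; it is not part of this thread and not code from ComboFix, OTM or the MGA tool. The two paths and the reference MD5 are copied from the log above; the function names are this example's own.

```powershell
# Added example: compare a System32 DLL against its WinSxS component-store copy
# and report its Authenticode status. The paths and the reference MD5 below are
# taken from the ComboFix Sigcheck section; function names are this example's own.

function Get-FileMd5Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET is used directly so this also runs on the PowerShell 2.0 that ships
    # with Windows 7; the Get-FileHash cmdlet only arrived with PowerShell 4.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-SystemFileToSxs {
    param(
        [Parameter(Mandatory = $true)][string]$LivePath,
        [Parameter(Mandatory = $true)][string]$SxsPath,
        [string]$ExpectedSxsMd5    # optional: the MD5 a scanner log reported for the SxS copy
    )
    foreach ($p in @($LivePath, $SxsPath)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
    }

    $liveMd5 = Get-FileMd5Hex -Path $LivePath
    $sxsMd5  = Get-FileMd5Hex -Path $SxsPath
    $liveVer = (Get-Item -LiteralPath $LivePath).VersionInfo.FileVersion
    $sxsVer  = (Get-Item -LiteralPath $SxsPath).VersionInfo.FileVersion

    # Caveat: Windows system DLLs are normally catalog-signed, not embedded-signed.
    # Older PowerShell only checks embedded signatures, so 'NotSigned' here is a
    # prompt to run 'sfc /verifyfile=<path>' or Sysinternals 'sigcheck -i', not
    # proof of tampering by itself.
    $sig = Get-AuthenticodeSignature -FilePath $LivePath
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $sxsMatchesLog = $null
    if ($ExpectedSxsMd5) { $sxsMatchesLog = ($sxsMd5 -eq $ExpectedSxsMd5.ToUpper()) }

    New-Object PSObject -Property @{
        LivePath        = $LivePath
        LiveVersion     = $liveVer
        LiveMd5         = $liveMd5
        SxsVersion      = $sxsVer
        SxsMd5          = $sxsMd5
        HashesMatch     = ($liveMd5 -eq $sxsMd5)
        SxsMatchesLog   = $sxsMatchesLog
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
    }
}

# The two copies named in the ComboFix Sigcheck section, and the MD5 it reported
# for the WinSxS copy. The WinSxS directory name is build-specific; if it differs
# on another machine, list C:\Windows\winsxs\x86_microsoft-windows-user32_* first.
$live = 'C:\Windows\System32\user32.dll'
$sxs  = 'C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll'
Compare-SystemFileToSxs -LivePath $live -SxsPath $sxs -ExpectedSxsMd5 '34B7E222E81FAFA885F0C5F2CFA56861' | Format-List
```

Reading the output: both copies in the log carry the RTM version string 6.1.7600.16385, yet the System32 copy has a different hash and a later date (2011-01-09). Windows updates normally change the file version along with the contents, so a same-version, different-hash binary is exactly the case where the signature check, not the hash alone, should decide. Run the script from an elevated prompt so both files are readable, and treat a Valid catalog result from sfc /verifyfile as the authoritative answer.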
 