WiredWX Hobby Weather ToolsLog in

 


Redirects etc...

3 posters

descriptionRedirects etc... EmptyRedirects etc...

more_horiz
I've been having redirects for quite a while but have been having extensive problems the last few days...the computer has been shutting down on its own, windows have been freezing, the internet has stopped and started working etc... Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:32:16 PM, on 5/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HP_Administrator\Application Data\dwm.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\rarliw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54283
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Hi.Welcome to the forum.This should fix the problem


Please run all these programs..


Download the TDSSKiller.exe and extract to your Desktop.


Execute TDSSKiller.exe by doubleclicking on it. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.


Attach that log here please.



====================================================


Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks or Besttechie


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.



===============================================



Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Combofix may be slow to start and appear to be doing nothing before it starts scanning.Just leave it,it will start.

You can get help on disabling your protection programs here : http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files.Only use it with help from an experienced user.Wrongful use can damage your computer.This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper







descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/4/2011 11:09:25 PM
mbam-log-2011-05-04 (22-46-14).txt

Scan type: Quick Scan
Objects scanned: 158837
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\temp\csrss.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Administrator\Application Data\avdrn.dat (Malware.Trace) -> No action taken.

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
ComboFix 11-05-04.02 - HP_Administrator 05/04/2011 23:37:33.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1407 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\e6d571031he03p0h7blm0cx
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\avdrn.dat
c:\documents and settings\HP_Administrator\Application Data\dwm.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\conhost.exe
c:\documents and settings\HP_Administrator\Application Data\OfferBox
c:\documents and settings\HP_Administrator\Application Data\OfferBox\config.dat
c:\documents and settings\HP_Administrator\Application Data\OfferBox\config.xml
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{62782400-020B-45A1-B172-379CD74D936B}\install.rdf
c:\documents and settings\HP_Administrator\Local Settings\Application Data\lsh.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\yjd.exe
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\rarliw32.exe
c:\documents and settings\HP_Administrator\WINDOWS
C:\Microsoft
c:\program files\OfferBox
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
C:\Recycle.Bin
c:\recycle.bin\Recycle.Bin.exe
c:\windows\idijeleh.dll
c:\windows\system32\54178.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\svrwsc.exe
c:\windows\Wagdil6.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SVRWSC
-------\Service_SvrWsc
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-04 21:33 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-01 19:03 . 2011-05-02 15:11 179712 ----a-w- c:\program files\Windows NT\dwm.exe
2011-05-01 19:03 . 2011-05-02 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601
2011-05-01 19:03 . 2011-05-01 19:03 170496 ----a-w- c:\program files\Internet Explorer\conhost.exe
2011-04-29 00:24 . 2011-04-29 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24 . 2011-04-29 00:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 18:57 . 2010-10-22 01:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-17 05:31 . 2010-10-17 16:01 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-04 22:48 . 2004-08-10 04:00 456192 ------w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 04:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-04-14 16:26 . 2011-05-04 21:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-01-11 395640]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-12 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-12 61440]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 6449984]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-2 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/3/2010 5:04 PM 16512]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2/18/2010 9:29 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [10/21/2010 9:40 PM 16968]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57 AM 627072]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/8/2010 5:22 PM 691696]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30]
.
2011-05-03 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 07:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:54283
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\
FF - prefs.js: browser.startup.homepage - gmail.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54283
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Dyuvumamumuset - c:\windows\Wagdil6.dll
HKCU-Run-SvrWsc - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
HKLM-Run-Ozubetalajoq - c:\windows\idijeleh.dll
HKLM-Run-conhost - c:\documents and settings\HP_Administrator\Application Data\Microsoft\conhost.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 23:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\uttC.tmp 0 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3620)
c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscGui.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\rundll32.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-04 23:59:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-05 03:59
.
Pre-Run: 373,841,920 bytes free
Post-Run: 1,447,030,784 bytes free
.
- - End Of File - - AD16C4F1DFB25409BDA72FAD9E6B552B

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Ran TDSSKiller before the other two but the computer froze and it didn't produce a log..the computer also froze while MalwareBytes was trying to quarantine the files

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Ok.Looking good.Just this to do and we are done.


WARNING these fixes are designed for this user only and may cause damage if run on any other machine.


Please download the OTM.exe by OldTimer.

Save it to your Desktop.
Please double-click OTM.exe to run it.
Copy the commands with file paths below to the clipboard by highlighting ALL of the green text and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Code:


:Processes
explorer.exe
:otl
:files
:reg
:services
:Commands
ipconfig /flushdns /c
c:\recycler\
f:\recycler\
g:\recycler\
[clearallrestorepoints]
[createrestorepoint]
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]


Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
Click the red Moveit! button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
All processes killed
Error: Unable to interpret ~[Filtered]~ in the current context!
========== PROCESSES ==========
No active process named explorer.exe was found!
Error: Unable to interpret <:otl> in the current context!
========== FILES ==========
========== REGISTRY ==========
========== SERVICES/DRIVERS ==========
========== COMMANDS ==========

Restore points cleared and new OTM Restore Point set!
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 31285 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: HP_Administrator
->Temp folder emptied: 1258234 bytes
->Temporary Internet Files folder emptied: 4765063 bytes
->Java cache emptied: 958118 bytes
->FireFox cache emptied: 139903653 bytes
->Google Chrome cache emptied: 225073626 bytes
->Flash cache emptied: 167424 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 13732 bytes
->Flash cache emptied: 3425 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 236678 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 355.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 05052011_024408

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_8f4.dat moved successfully.

Registry entries deleted on Reboot...

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Ok.All done.I see no more malware.Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


Go to :
Start > Run then copy and paste the following highlighted (blue) text below into the box and click OK.


ComboFix /uninstall






Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Afterwork

Malware Prevention

How Did I Get Infected

More Tips on Prevention

=============================


descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Maybe this is not fault for not cleaning everything up at the end, but I got infected again. My computer when into "XP Recovery mode" and my desktop went black and everything on the desktop and task bar was hidden. I managed to temporarily get rid of the fake antivirus software. Right now, everything in the taskbar is still hidden, but I managed to unhide the stuff on my desktop even though the background is still black.

Here is a quick Malwarebytes' scan I just did:


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/14/2011 10:20:36 AM
mbam-log-2011-05-14 (10-20-36).txt

Scan type: Quick Scan
Objects scanned: 125532
Time elapsed: 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\temp\0.09649997064303062.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

And here is the OTL scan:

OTL logfile created on: 5/14/2011 10:23:38 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\HP_Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 270.99 Gb Total Space | 0.86 Gb Free Space | 0.32% Space Free | Partition Type: NTFS
Drive D: | 8.45 Gb Total Space | 0.46 Gb Free Space | 5.43% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 261.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVAN
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2011/04/27 17:05:33 | 000,136,360 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/14 12:25:55 | 000,016,856 | -H-- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2011/04/14 12:25:41 | 000,924,632 | -H-- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/17 01:31:15 | 000,269,480 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/02/18 16:37:16 | 000,037,664 | -H-- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2011/01/10 22:46:07 | 000,395,640 | -H-- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010/12/08 17:15:44 | 000,063,360 | -H-- | M] (DivX, LLC) -- C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
PRC - [2010/12/08 15:17:46 | 001,226,608 | -H-- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/11/03 15:24:45 | 000,281,768 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/06/13 23:11:24 | 000,572,416 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/01/07 17:07:10 | 001,394,000 | -H-- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/10/12 21:20:22 | 000,068,856 | -H-- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/09/28 19:34:22 | 000,116,032 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/09/28 19:34:16 | 000,378,176 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/02/16 05:44:55 | 001,358,384 | RH-- | M] (Linksys, LLC) -- C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/08/11 12:41:00 | 000,063,040 | -H-- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/16 16:28:22 | 000,577,536 | -H-- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2007/01/08 16:08:10 | 000,094,208 | -H-- | M] () -- C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
PRC - [2005/11/12 00:11:12 | 000,237,568 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscGui.exe
PRC - [2005/11/12 00:11:04 | 001,064,960 | -H-- | M] (Digital Interactive Systems Corporation) -- C:\Program Files\DISC\DISCover.exe
PRC - [2005/11/12 00:10:00 | 000,061,440 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DISCUpdateMgr.exe
PRC - [2005/11/12 00:10:00 | 000,049,152 | -H-- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscStreamHub.exe
PRC - [2005/11/09 20:29:16 | 000,249,856 | -H-- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
PRC - [2005/11/01 13:01:00 | 000,090,112 | -H-- | M] (Sonic Solutions) -- C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
PRC - [2005/08/11 15:30:30 | 000,081,920 | -H-- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/08/03 03:19:16 | 000,077,312 | -H-- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
PRC - [2005/08/03 03:19:16 | 000,058,880 | -H-- | M] (Microsoft) -- C:\WINDOWS\arservice.exe


========== Modules (SafeList) ==========

MOD - [2010/08/23 12:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/06/13 23:11:24 | 000,572,416 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe
MOD - [2008/04/13 20:12:08 | 000,118,784 | -H-- | M] () -- C:\WINDOWS\Wagdil6.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2011/04/27 17:05:33 | 000,136,360 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/17 01:31:15 | 000,269,480 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/02/18 16:37:16 | 000,037,664 | -H-- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/09/28 19:34:22 | 000,116,032 | -H-- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2008/12/12 18:06:40 | 000,642,856 | -H-- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/08/11 12:41:00 | 000,063,040 | -H-- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2007/01/08 16:08:10 | 000,094,208 | -H-- | M] () [Auto | Running] -- C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe -- (MA_CMIDI_InstallerService)
SRV - [2005/08/03 03:19:16 | 000,058,880 | -H-- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2004/09/29 23:14:36 | 000,069,632 | -H-- | M] (HP) [Boot | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/05/04 14:57:06 | 000,016,968 | -H-- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2011/03/17 01:31:16 | 000,137,656 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/11/22 21:53:05 | 000,061,960 | -H-- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/09/08 17:22:56 | 000,691,696 | -H-- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/01/07 17:07:14 | 000,038,224 | -H-- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/12/17 12:35:44 | 000,023,456 | -H-- | M] (Phoenix Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DrvAgent32.sys -- (DrvAgent32)
DRV - [2009/09/28 19:34:48 | 000,083,288 | -H-- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/11 12:49:19 | 000,011,608 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/12/12 18:05:20 | 000,025,264 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,023,984 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/12/04 09:17:15 | 000,627,072 | RH-- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WUSB54GCv3.sys -- (WUSB54GCv3)
DRV - [2008/09/24 11:40:22 | 004,122,368 | RH-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/11 12:41:00 | 000,047,640 | -H-- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/13 14:45:34 | 000,046,592 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 14:45:12 | 000,060,032 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2006/08/16 09:23:46 | 000,021,888 | -H-- | M] (M-Audio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ma_cmidi.sys -- (MA_CMIDI)
DRV - [2005/12/12 19:27:00 | 000,019,072 | -H-- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/10/20 19:01:56 | 001,095,009 | -H-- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/09/30 14:11:42 | 000,078,720 | -H-- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/08/14 00:35:00 | 001,313,792 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/28 21:07:58 | 000,156,800 | -H-- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2005/06/29 20:03:18 | 000,175,104 | -H-- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/06/17 09:33:40 | 000,872,064 | -H-- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/03/09 16:53:00 | 000,036,352 | -H-- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 17:31:34 | 000,020,992 | -H-- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 10:45:12 | 000,017,408 | -H-- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2002/07/17 10:05:10 | 000,016,512 | -H-- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54283

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "gmail.com"
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.2.0185
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}:2.2010.1.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5
FF - prefs.js..extensions.enabledItems: {62782400-020B-45A1-B172-379CD74D936B}:1.9.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 54283
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2010/12/14 00:55:08 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2010/12/14 00:55:09 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1} [2011/05/14 00:05:42 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/04 17:33:36 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/04 17:33:35 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2011/03/16 01:07:29 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2011/03/16 01:07:28 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4 \Extensions\\Components: C:\PROGRA~1\NETSCAPE\NETSCA~1\Components [2011/03/16 01:07:29 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4 \Extensions\\Plugins: C:\PROGRA~1\NETSCAPE\NETSCA~1\Plugins [2011/03/16 01:07:28 | 000,000,000 | -H-D | M]

[2009/09/02 00:03:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2011/05/14 10:08:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions
[2010/02/18 21:29:24 | 000,000,000 | -H-D | M] (DriverAgent Plugin for Firefox and Opera) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}
[2011/05/10 08:15:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\DTToolbar@toolbarnet.com
[2010/10/24 13:07:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\extensions\vshare@toolbar
[2011/05/04 17:33:36 | 000,000,000 | -H-D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/28 19:14:18 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/14 12:26:02 | 000,142,296 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/12/28 19:14:05 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/05 02:44:16 | 000,000,098 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (DivX Plus Web Player HTML5

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Hello.
Pancake is away so I will take over from here. We need to use Combofix again.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    File::
    c:\program files\Windows NT\dwm.exe
    c:\program files\Internet Explorer\conhost.exe

    Folder::
    c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601

    DDS::
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:54283

    Firefox::
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\
    FF - prefs.js: browser.startup.homepage - gmail.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 54283
    FF - prefs.js: network.proxy.type - 1

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Redirects etc... Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
ComboFix 11-05-13.03 - HP_Administrator 05/14/2011 11:44:20.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1340 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\program files\Internet Explorer\conhost.exe"
"c:\program files\Windows NT\dwm.exe"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\15064868.exe
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601\lJ28601CbNcC28601
C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc141.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc254797890.txt
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc50.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed\thr1.chm
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome.manifest
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\_cfg.js
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\overlay.xul
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\install.rdf
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\e6d571031he03p0h7blm0cx
c:\program files\Windows NT\dwm.exe
C:\WINDOWS\eniqegepazo.dll
C:\WINDOWS\Wagdil6.dll


((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))


2011-05-05 06:44:08 . 2011-05-05 06:44:08 -------- d-----w- C:\_OTM
2011-05-04 21:33:36 . 2011-04-14 16:26:02 142296 ---ha-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:48 781272 ---ha-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:47 1874904 ---ha-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:45 15832 ---ha-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:44 465880 ---ha-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:43 89048 ---ha-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1974616 ---ha-w- C:\Program Files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1892184 ---ha-w- C:\Program Files\Mozilla Firefox\d3dx9_42.dll
2011-04-29 00:24:06 . 2011-04-29 00:24:06 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24:03 . 2011-04-29 00:24:03 -------- d--h--w- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-04 18:57:06 . 2010-10-22 01:40:52 16968 ---ha-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-03-17 05:31:16 . 2010-10-17 16:01:38 137656 ---ha-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 05:33:50 . 2004-08-10 04:00:00 692736 ---h--w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-10 04:00:00 434176 ---h--w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-10 04:00:00 1857920 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-02-17 13:51:57 . 2004-08-10 04:00:00 81920 ---h--w- C:\WINDOWS\system32\ieencode.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 667136 ---ha-w- C:\WINDOWS\system32\wininet.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 61952 ---h--w- C:\WINDOWS\system32\tdc.ocx
2011-02-17 13:18:24 . 2004-08-10 04:00:00 455936 ---ha-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2004-08-10 04:00:00 357888 ---h--w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:37:38 . 2004-08-10 04:00:00 369664 ---h--w- C:\WINDOWS\system32\html.iec
2011-02-17 12:32:12 . 2009-09-02 04:46:59 5120 ---ha-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2004-08-10 04:00:00 290432 ---ha-w- C:\WINDOWS\system32\atmfd.dll
2011-04-14 16:26:02 . 2011-05-04 21:33:36 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 01:20:22 68856]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"Dyuvumamumuset"="C:\WINDOWS\Wagdil6.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 07:19:16 77312]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35:56 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2005-11-12 04:11:04 1064960]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdateMgr.exe" [2005-11-12 04:10:00 61440]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 17:01:00 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 06:14:00 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 00:29:16 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 10:23:44 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 14:12:54 49152]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 22:06:40 642856]
"Linksys Wireless Manager"="C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 09:44:55 1358384]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 16:41:00 63048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30:30 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47:52 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"HitmanPro35"="C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 22:23:03 6449984]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 19:17:46 1226608]
"DivX Download Manager"="C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 21:15:44 63360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 17:49:36 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 17:49:34 932288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 21:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 19:33:40 421160]
"Ozubetalajoq"="C:\WINDOWS\eniqegepazo.dll" [BU]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34:30 87352 ---ha-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01:41 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41:00 PM 12856]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;C:\WINDOWS\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57:03 AM 627072]
S1 SASDIFSV;SASDIFSV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\system32\drivers\ASPI32.SYS [12/3/2010 5:04:13 PM 16512]
S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [2/18/2010 9:29:55 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro35.sys [10/21/2010 9:40:52 PM 16968]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/8/2010 5:22:56 PM 691696]

Contents of the 'Scheduled Tasks' folder

2011-05-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-13 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\Norton Security Scan for HP_Administrator.job
- C:\PROGRA~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 20:59:52 . 2011-04-01 07:23:58]


------- Supplementary Scan -------

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Hello.
The malware tried to reinstall itself so a few leftovers got left behind, need to get them now.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    KILLALL::

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dyuvumamumuset"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ozubetalajoq"=-

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Redirects etc... Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
ComboFix 11-05-13.03 - HP_Administrator 05/14/2011 13:46:09.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1420 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


---- Previous Run -------

C:\Documents and Settings\All Users\Application Data\15064868.exe
c:\documents and settings\All Users\Application Data\lJ28601CbNcC28601\lJ28601CbNcC28601
C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc141.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc254797890.txt
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\plugs\mmc50.exe
C:\Documents and Settings\HP_Administrator\Application Data\Adobe\shed\thr1.chm
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome.manifest
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\_cfg.js
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\chrome\content\overlay.xul
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{9F72BFEA-BB26-45AE-ABA8-792038F5CED1}\install.rdf
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\e6d571031he03p0h7blm0cx
c:\program files\Windows NT\dwm.exe
C:\WINDOWS\eniqegepazo.dll
C:\WINDOWS\Wagdil6.dll


((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))


2011-05-05 06:44:08 . 2011-05-05 06:44:08 -------- d-----w- C:\_OTM
2011-05-04 21:33:36 . 2011-04-14 16:26:02 142296 ---ha-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:48 781272 ---ha-w- C:\Program Files\Mozilla Firefox\mozsqlite3.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:47 1874904 ---ha-w- C:\Program Files\Mozilla Firefox\mozjs.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:45 15832 ---ha-w- C:\Program Files\Mozilla Firefox\mozalloc.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:44 465880 ---ha-w- C:\Program Files\Mozilla Firefox\libGLESv2.dll
2011-05-04 21:33:35 . 2011-04-14 16:25:43 89048 ---ha-w- C:\Program Files\Mozilla Firefox\libEGL.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1974616 ---ha-w- C:\Program Files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-04 21:33:35 . 2010-01-01 08:00:00 1892184 ---ha-w- C:\Program Files\Mozilla Firefox\d3dx9_42.dll
2011-04-29 00:24:06 . 2011-04-29 00:24:06 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 00:24:03 . 2011-04-29 00:24:03 -------- d--h--w- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-04 18:57:06 . 2010-10-22 01:40:52 16968 ---ha-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-03-17 05:31:16 . 2010-10-17 16:01:38 137656 ---ha-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 05:33:50 . 2004-08-10 04:00:00 692736 ---h--w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-10 04:00:00 434176 ---h--w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-10 04:00:00 1857920 ---ha-w- C:\WINDOWS\system32\win32k.sys
2011-02-17 13:51:57 . 2004-08-10 04:00:00 81920 ---h--w- C:\WINDOWS\system32\ieencode.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 667136 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-02-17 13:51:57 . 2004-08-10 04:00:00 61952 ---h--w- C:\WINDOWS\system32\tdc.ocx
2011-02-17 13:18:24 . 2004-08-10 04:00:00 455936 ---ha-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2004-08-10 04:00:00 357888 ---h--w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:37:38 . 2004-08-10 04:00:00 369664 ---h--w- C:\WINDOWS\system32\html.iec
2011-02-17 12:32:12 . 2009-09-02 04:46:59 5120 ---ha-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2004-08-10 04:00:00 290432 ---ha-w- C:\WINDOWS\system32\atmfd.dll
2011-04-14 16:26:02 . 2011-05-04 21:33:36 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19:44 94208 ---ha-w- C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-01-11 02:46:07 395640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 01:20:22 68856]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 09:16:20 357696]
"vKLuVrOIsaEYCN"="C:\Documents and Settings\All Users\Application Data\vKLuVrOIsaEYCN.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56:34 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 07:19:16 77312]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 06:35:56 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2005-11-12 04:11:04 1064960]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdateMgr.exe" [2005-11-12 04:10:00 61440]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 17:01:00 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 06:14:00 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 00:29:16 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 10:23:44 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 14:12:54 49152]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 22:06:40 642856]
"Linksys Wireless Manager"="C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 09:44:55 1358384]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 16:41:00 63048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30:30 249856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47:52 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 19:24:45 281768]
"HitmanPro35"="C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" [2011-03-06 22:23:03 6449984]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 19:17:46 1226608]
"DivX Download Manager"="C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 21:15:44 63360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 17:49:36 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 17:49:34 932288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 21:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 19:33:40 421160]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Documents and Settings\HP_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe.vir [2006-3-2 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 23:34:30 87352 ---ha-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [10/17/2010 12:01:41 PM 136360]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41:00 PM 12856]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;C:\WINDOWS\system32\drivers\WUSB54GCv3.sys [9/2/2009 7:57:03 AM 627072]
S1 SASDIFSV;SASDIFSV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS --> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\system32\drivers\ASPI32.SYS [12/3/2010 5:04:13 PM 16512]
S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [2/18/2010 9:29:55 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files\Google\Update\GoogleUpdate.exe [1/18/2010 7:54:47 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro35.sys [10/21/2010 9:40:52 PM 16968]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [9/8/2010 5:22:56 PM 691696]

Contents of the 'Scheduled Tasks' folder

2011-05-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-18 23:54:47 . 2010-01-18 23:54:41]

2011-05-13 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008Core.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1423768027-2586421752-2192907715-1008UA.job
- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 19:30:42 . 2009-10-03 19:30:38]

2011-05-14 C:\WINDOWS\Tasks\Norton Security Scan for HP_Administrator.job
- C:\PROGRA~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-19 20:59:52 . 2011-04-01 07:23:58]


------- Supplementary Scan -------

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: trymedia.com
TCP: {4DC2EB99-A323-4564-AD7D-5D29046CCD1C} = 213.109.64.5,213.109.72.21
FF - ProfilePath - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\jadnwcli.default\

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
I'm having problems starting the scanner...I open it and can read the license & agreement. I can check the box that says Yes, I accept the Terms of Use, but the Start button remains gray and unclickable even if I scroll down on the contract

descriptionRedirects etc... EmptyRe: Redirects etc...

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum