BleepingComputer.com: Became Infected with "Windows System Repair" Malware

I am running Windows Vista Home Premium Service Pack 2 on a Compaq Presario F700 Notebook w/ 2 GB RAM.

Several weeks ago, after launching a link on Facebook, I my laptop was taken over by Windows System Repair rootkit. I was able to reboot in safe mode and run Malwarebytes and get back control of my laptop but have been having continuous problems. Right after running malarebytes I started having Multiple Iexplore.exe processes running invisibly, causing audio clips of commercials, such as Slim Jim commercials and other random ads and a sports broadcast from 2010. Very wierd.

I think I had other infections, prior to this one, that I was unaware of. At some point last year my Task manager was all but disabled, showing on the processes window. I also lost the function of my optical disk drive. And the Shockwave Flash plug-in began to regularly crash spontaneously (I have discovered I can recreate that event by ending the plug-in container process in Taskmanager.) At that time I was running IObit and Avira and thought I was protected.

Since the Windows Vista Repair attack I have added Avast and run several completet scans, including boot scans. i have uncovered some infections but continue to have problems.

I have runn CCleaner and Super Anti-Spyware.

I run Mozilla Firefox 5.1 having recently upgraded from 3.6, thinking that might solve my problems.

My current problem is IE spontaneously opening a hidden window with the ultimate effect of shutting down my sound. Restarting Firefox re-enables the sound. Occasionaly, upon reboot, no sound drivers will load at all and the system will report "no device installed".

When IE starts malwarebytes reports an alarm that it is blocking a malicious URL with a IP address of 64.111.211.172. A WHOIS search revelas nothing much about that IP address.

It appears that a when a new internet session is initiated by a program IE starts up spontaeously in the background, w no visible window (and malwarebytes blocks the maicious URL) but I can see and kill the process in task manager.

The Chrome browser will no longer load webpages. Also, I am being plauged with a google redirect virus that I cannot get rid of. So I need some help.

Now, I've just re-started firefox and the bleepingcomputer site will not load unless I copy a new URL from a google search.

After doing a google search for solutions I came across this thread on bleepingcomputer.com

http://www.bleepingcomputer.com/forums/topic335239.html

I have run MBR Check and this is the log from the first run:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 166):
0x85814000 \SystemRoot\system32\ntkrnlpa.exe
0x85BCE000 \SystemRoot\system32\hal.dll
0x80605000 \SystemRoot\system32\kdcom.dll
0x8060C000 \SystemRoot\system32\PSHED.dll
0x8061D000 \SystemRoot\system32\BOOTVID.dll
0x80625000 \SystemRoot\system32\CLFS.SYS
0x80666000 \SystemRoot\system32\CI.dll
0x80746000 \SystemRoot\system32\drivers\Wdf01000.sys
0x807B7000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x85E0A000 \SystemRoot\system32\drivers\acpi.sys
0x85E50000 \SystemRoot\system32\drivers\WMILIB.SYS
0x85E59000 \SystemRoot\system32\drivers\msisadrv.sys
0x85E61000 \SystemRoot\system32\drivers\pci.sys
0x85E88000 \SystemRoot\System32\drivers\partmgr.sys
0x85E97000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x85E9A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x85EA4000 \SystemRoot\system32\drivers\volmgr.sys
0x85EB3000 \SystemRoot\System32\drivers\volmgrx.sys
0x85EFD000 \SystemRoot\system32\drivers\pciide.sys
0x85F04000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x85F12000 \SystemRoot\System32\drivers\mountmgr.sys
0x85F22000 \SystemRoot\system32\drivers\atapi.sys
0x85F2A000 \SystemRoot\system32\drivers\ataport.SYS
0x85F48000 \SystemRoot\system32\drivers\fltmgr.sys
0x85F7A000 \SystemRoot\system32\drivers\fileinfo.sys
0x85F8A000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8AC09000 \SystemRoot\system32\drivers\ndis.sys
0x8AD14000 \SystemRoot\system32\drivers\msrpc.sys
0x8AD3F000 \SystemRoot\system32\drivers\NETIO.SYS
0x8AE08000 \SystemRoot\System32\drivers\tcpip.sys
0x8AEF2000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8AF0D000 \SystemRoot\system32\DRIVERS\scmndisp.sys
0x8B008000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B118000 \SystemRoot\system32\drivers\volsnap.sys
0x8B151000 \SystemRoot\System32\Drivers\spldr.sys
0x8B159000 \SystemRoot\system32\speedfan.sys
0x8B15B000 \SystemRoot\system32\DRIVERS\Soluto.sys
0x8B16A000 \SystemRoot\System32\Drivers\mup.sys
0x8B179000 \SystemRoot\system32\giveio.sys
0x8B17A000 \SystemRoot\System32\drivers\ecache.sys
0x8B1A1000 \SystemRoot\system32\drivers\disk.sys
0x8B1B2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8B1D3000 \SystemRoot\system32\drivers\crcdisk.sys
0x8AF16000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8AF21000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8AF2A000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8B1FC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8B000000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x8AF3A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8AF4A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8AF51000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8B003000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8AF5A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8AF64000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8AFA2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8F205000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F292000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8F2AC000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8F2BD000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8F2D1000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8F402000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8F603000 \SystemRoot\system32\DRIVERS\ts_athw.sys
0x8F800000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8FF46000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8FFE6000 \SystemRoot\System32\drivers\watchdog.sys
0x8F74D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8FFF2000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8F760000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F76B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8FFF7000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8F7A6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F7B1000 \SystemRoot\System32\Drivers\tosrfcom.sys
0x8F7C1000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8F503000 \SystemRoot\system32\DRIVERS\storport.sys
0x8F7F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8F544000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F55B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F566000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8F589000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F598000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8F5AC000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8F5C1000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8FFF9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F5D1000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F323000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F32D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F33A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8F343000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8F378000 \SystemRoot\system32\DRIVERS\tosporte.sys
0x8F383000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F39D000 \SystemRoot\system32\drivers\CHDRT32.sys
0x8F3D0000 \SystemRoot\system32\drivers\portcls.sys
0x8AFB1000 \SystemRoot\system32\drivers\drmk.sys
0x8AD7A000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x95A09000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x95B0C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x95BC1000 \SystemRoot\system32\drivers\modem.sys
0x95608000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x95678000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x95681000 \SystemRoot\System32\Drivers\Null.SYS
0x95688000 \SystemRoot\System32\Drivers\Beep.SYS
0x9568F000 \SystemRoot\System32\drivers\vga.sys
0x9569B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x956BC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x956C4000 \SystemRoot\system32\drivers\rdpencdd.sys
0x956CC000 \SystemRoot\System32\Drivers\Msfs.SYS
0x956D7000 \SystemRoot\System32\Drivers\Npfs.SYS
0x956E5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x956EE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x956F7000 \SystemRoot\system32\DRIVERS\tdx.sys
0x9570D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x95715000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x9571E000 \SystemRoot\system32\DRIVERS\smb.sys
0x95732000 \SystemRoot\system32\drivers\afd.sys
0x9577A000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x9577F000 \SystemRoot\System32\DRIVERS\netbt.sys
0x957B1000 \SystemRoot\system32\DRIVERS\pacer.sys
0x957C7000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
0x957CC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x957DA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8ADB8000 \SystemRoot\System32\drivers\truecrypt.sys
0x957ED000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x95BCE000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x957F3000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x9620C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x96248000 \SystemRoot\system32\drivers\nsiproxy.sys
0x96252000 \SystemRoot\System32\Drivers\dfsc.sys
0x96269000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x96290000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x96292000 \SystemRoot\System32\Drivers\aswSP.SYS
0x962DC000 \SystemRoot\System32\Drivers\crashdmp.sys
0x962E9000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x962F4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA2400000 \SystemRoot\System32\win32k.sys
0x962FC000 \SystemRoot\System32\drivers\Dxapi.sys
0x96306000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA2620000 \SystemRoot\System32\TSDDD.dll
0xA2640000 \SystemRoot\System32\cdd.dll
0x96315000 \SystemRoot\system32\drivers\luafv.sys
0x96330000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x96368000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9637F000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x96382000 \??\C:\Program Files\IObit\Protected Folder\pffilter.sys
0x83607000 \SystemRoot\system32\drivers\spsys.sys
0x836B7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x836C7000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x836F1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x836FB000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8370E000 \SystemRoot\system32\drivers\HTTP.sys
0x8377B000 \SystemRoot\system32\DRIVERS\bowser.sys
0x83794000 \SystemRoot\System32\drivers\mpsdrv.sys
0x837A9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x963A7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x837C8000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x837F8000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAA209000 \SystemRoot\system32\drivers\peauth.sys
0xAA2E7000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAA2F1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAA30E000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAA31A000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAA322000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAA34A000 \SystemRoot\System32\DRIVERS\srv.sys
0xAA399000 \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wlh_x86\regfilter.sys
0xAA3A3000 \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\wlh_x86\FileMonitor.sys
0xAA3E0000 \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wlh_x86\UrlFilter.sys
0x77710000 \WINDOWS\System32\ntdll.dll

Processes (total 74):
0 System Idle Process
4 System
508 C:\WINDOWS\System32\smss.exe
580 csrss.exe
632 C:\WINDOWS\System32\wininit.exe
640 csrss.exe
676 C:\WINDOWS\System32\services.exe
692 C:\WINDOWS\System32\lsass.exe
700 C:\WINDOWS\System32\lsm.exe
764 C:\WINDOWS\System32\winlogon.exe
904 C:\WINDOWS\System32\svchost.exe
980 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
1012 C:\WINDOWS\System32\svchost.exe
1068 C:\WINDOWS\System32\svchost.exe
1136 C:\WINDOWS\System32\svchost.exe
1180 C:\WINDOWS\System32\svchost.exe
1216 C:\WINDOWS\System32\svchost.exe
1300 C:\WINDOWS\System32\audiodg.exe
1332 C:\WINDOWS\System32\SLsvc.exe
1384 C:\WINDOWS\System32\svchost.exe
1512 C:\WINDOWS\System32\svchost.exe
1668 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
2024 C:\WINDOWS\System32\spoolsv.exe
124 C:\Program Files\Avira\AntiVir Desktop\sched.exe
208 C:\WINDOWS\System32\svchost.exe
424 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
1476 C:\Program Files\Soluto\Soluto.exe
1488 C:\WINDOWS\System32\dwm.exe
1732 C:\WINDOWS\explorer.exe
804 C:\WINDOWS\System32\taskeng.exe
2124 C:\WINDOWS\System32\taskeng.exe
2312 C:\Program Files\Windows Defender\MSASCui.exe
2356 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
2420 C:\WINDOWS\System32\rundll32.exe
2460 C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
2468 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
2520 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
2536 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
2592 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2608 C:\WINDOWS\System32\svchost.exe
2624 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2640 C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
2680 C:\WINDOWS\System32\svchost.exe
2816 C:\Program Files\Soluto\SolutoService.exe
2840 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
3132 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
3140 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3164 C:\Users\jsampson\AppData\Local\Google\Update\GoogleUpdate.exe
3196 C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
3232 C:\WINDOWS\System32\svchost.exe
3248 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
3284 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
3380 C:\WINDOWS\System32\vds.exe
3416 C:\WINDOWS\System32\svchost.exe
3432 C:\Program Files\Windows Media Player\wmpnetwk.exe
3552 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
1740 C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
2668 WmiPrvSE.exe
4088 C:\WINDOWS\System32\taskeng.exe
1108 C:\WINDOWS\System32\wbem\unsecapp.exe
2232 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4296 C:\WINDOWS\System32\svchost.exe
5116 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
5188 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
4040 C:\WINDOWS\System32\wuauclt.exe
5176 C:\WINDOWS\System32\taskmgr.exe
4944 C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
4064 C:\WINDOWS\System32\sdclt.exe
4476 C:\WINDOWS\System32\svchost.exe
2700 C:\Program Files\Mozilla Firefox\firefox.exe
4276 C:\Program Files\Mozilla Firefox\plugin-container.exe
5420 C:\Users\jsampson\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
5840 C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
1088 C:\Users\jsampson\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`55393a00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS542525K9SA00, Rev: BBFOC32P

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Following the instruction in the thread I ran MBRCheck again, this time following the instructions to repair a Vista MBR. here is the log from that:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 166):
0x85814000 \SystemRoot\system32\ntkrnlpa.exe
0x85BCE000 \SystemRoot\system32\hal.dll
0x80605000 \SystemRoot\system32\kdcom.dll
0x8060C000 \SystemRoot\system32\PSHED.dll
0x8061D000 \SystemRoot\system32\BOOTVID.dll
0x80625000 \SystemRoot\system32\CLFS.SYS
0x80666000 \SystemRoot\system32\CI.dll
0x80746000 \SystemRoot\system32\drivers\Wdf01000.sys
0x807B7000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x85E0A000 \SystemRoot\system32\drivers\acpi.sys
0x85E50000 \SystemRoot\system32\drivers\WMILIB.SYS
0x85E59000 \SystemRoot\system32\drivers\msisadrv.sys
0x85E61000 \SystemRoot\system32\drivers\pci.sys
0x85E88000 \SystemRoot\System32\drivers\partmgr.sys
0x85E97000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x85E9A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x85EA4000 \SystemRoot\system32\drivers\volmgr.sys
0x85EB3000 \SystemRoot\System32\drivers\volmgrx.sys
0x85EFD000 \SystemRoot\system32\drivers\pciide.sys
0x85F04000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x85F12000 \SystemRoot\System32\drivers\mountmgr.sys
0x85F22000 \SystemRoot\system32\drivers\atapi.sys
0x85F2A000 \SystemRoot\system32\drivers\ataport.SYS
0x85F48000 \SystemRoot\system32\drivers\fltmgr.sys
0x85F7A000 \SystemRoot\system32\drivers\fileinfo.sys
0x85F8A000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8AC09000 \SystemRoot\system32\drivers\ndis.sys
0x8AD14000 \SystemRoot\system32\drivers\msrpc.sys
0x8AD3F000 \SystemRoot\system32\drivers\NETIO.SYS
0x8AE08000 \SystemRoot\System32\drivers\tcpip.sys
0x8AEF2000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8AF0D000 \SystemRoot\system32\DRIVERS\scmndisp.sys
0x8B008000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B118000 \SystemRoot\system32\drivers\volsnap.sys
0x8B151000 \SystemRoot\System32\Drivers\spldr.sys
0x8B159000 \SystemRoot\system32\speedfan.sys
0x8B15B000 \SystemRoot\system32\DRIVERS\Soluto.sys
0x8B16A000 \SystemRoot\System32\Drivers\mup.sys
0x8B179000 \SystemRoot\system32\giveio.sys
0x8B17A000 \SystemRoot\System32\drivers\ecache.sys
0x8B1A1000 \SystemRoot\system32\drivers\disk.sys
0x8B1B2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8B1D3000 \SystemRoot\system32\drivers\crcdisk.sys
0x8AF16000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8AF21000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8AF2A000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8B1FC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8B000000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x8AF3A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8AF4A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8AF51000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8B003000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8AF5A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8AF64000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8AFA2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8F205000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F292000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8F2AC000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8F2BD000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8F2D1000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8F402000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8F603000 \SystemRoot\system32\DRIVERS\ts_athw.sys
0x8F800000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8FF46000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8FFE6000 \SystemRoot\System32\drivers\watchdog.sys
0x8F74D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8FFF2000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8F760000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F76B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8FFF7000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8F7A6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F7B1000 \SystemRoot\System32\Drivers\tosrfcom.sys
0x8F7C1000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8F503000 \SystemRoot\system32\DRIVERS\storport.sys
0x8F7F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8F544000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F55B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F566000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8F589000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F598000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8F5AC000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8F5C1000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8FFF9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F5D1000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F323000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F32D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F33A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8F343000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8F378000 \SystemRoot\system32\DRIVERS\tosporte.sys
0x8F383000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F39D000 \SystemRoot\system32\drivers\CHDRT32.sys
0x8F3D0000 \SystemRoot\system32\drivers\portcls.sys
0x8AFB1000 \SystemRoot\system32\drivers\drmk.sys
0x8AD7A000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x95A09000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x95B0C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x95BC1000 \SystemRoot\system32\drivers\modem.sys
0x95608000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x95678000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x95681000 \SystemRoot\System32\Drivers\Null.SYS
0x95688000 \SystemRoot\System32\Drivers\Beep.SYS
0x9568F000 \SystemRoot\System32\drivers\vga.sys
0x9569B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x956BC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x956C4000 \SystemRoot\system32\drivers\rdpencdd.sys
0x956CC000 \SystemRoot\System32\Drivers\Msfs.SYS
0x956D7000 \SystemRoot\System32\Drivers\Npfs.SYS
0x956E5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x956EE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x956F7000 \SystemRoot\system32\DRIVERS\tdx.sys
0x9570D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x95715000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x9571E000 \SystemRoot\system32\DRIVERS\smb.sys
0x95732000 \SystemRoot\system32\drivers\afd.sys
0x9577A000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x9577F000 \SystemRoot\System32\DRIVERS\netbt.sys
0x957B1000 \SystemRoot\system32\DRIVERS\pacer.sys
0x957C7000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
0x957CC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x957DA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8ADB8000 \SystemRoot\System32\drivers\truecrypt.sys
0x957ED000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x95BCE000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x957F3000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x9620C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x96248000 \SystemRoot\system32\drivers\nsiproxy.sys
0x96252000 \SystemRoot\System32\Drivers\dfsc.sys
0x96269000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x96290000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x96292000 \SystemRoot\System32\Drivers\aswSP.SYS
0x962DC000 \SystemRoot\System32\Drivers\crashdmp.sys
0x962E9000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x962F4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA2400000 \SystemRoot\System32\win32k.sys
0x962FC000 \SystemRoot\System32\drivers\Dxapi.sys
0x96306000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA2620000 \SystemRoot\System32\TSDDD.dll
0xA2640000 \SystemRoot\System32\cdd.dll
0x96315000 \SystemRoot\system32\drivers\luafv.sys
0x96330000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x96368000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9637F000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x96382000 \??\C:\Program Files\IObit\Protected Folder\pffilter.sys
0x83607000 \SystemRoot\system32\drivers\spsys.sys
0x836B7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x836C7000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x836F1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x836FB000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8370E000 \SystemRoot\system32\drivers\HTTP.sys
0x8377B000 \SystemRoot\system32\DRIVERS\bowser.sys
0x83794000 \SystemRoot\System32\drivers\mpsdrv.sys
0x837A9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x963A7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x837C8000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x837F8000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAA209000 \SystemRoot\system32\drivers\peauth.sys
0xAA2E7000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAA2F1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAA30E000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAA31A000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAA322000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAA34A000 \SystemRoot\System32\DRIVERS\srv.sys
0xAA399000 \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wlh_x86\regfilter.sys
0xAA3A3000 \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\wlh_x86\FileMonitor.sys
0xAA3E0000 \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wlh_x86\UrlFilter.sys
0x77710000 \WINDOWS\System32\ntdll.dll

Processes (total 74):
0 System Idle Process
4 System
508 C:\WINDOWS\System32\smss.exe
580 csrss.exe
632 C:\WINDOWS\System32\wininit.exe
640 csrss.exe
676 C:\WINDOWS\System32\services.exe
692 C:\WINDOWS\System32\lsass.exe
700 C:\WINDOWS\System32\lsm.exe
764 C:\WINDOWS\System32\winlogon.exe
904 C:\WINDOWS\System32\svchost.exe
980 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
1012 C:\WINDOWS\System32\svchost.exe
1068 C:\WINDOWS\System32\svchost.exe
1136 C:\WINDOWS\System32\svchost.exe
1180 C:\WINDOWS\System32\svchost.exe
1216 C:\WINDOWS\System32\svchost.exe
1300 C:\WINDOWS\System32\audiodg.exe
1332 C:\WINDOWS\System32\SLsvc.exe
1384 C:\WINDOWS\System32\svchost.exe
1512 C:\WINDOWS\System32\svchost.exe
1668 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
2024 C:\WINDOWS\System32\spoolsv.exe
124 C:\Program Files\Avira\AntiVir Desktop\sched.exe
208 C:\WINDOWS\System32\svchost.exe
424 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
1476 C:\Program Files\Soluto\Soluto.exe
1488 C:\WINDOWS\System32\dwm.exe
1732 C:\WINDOWS\explorer.exe
804 C:\WINDOWS\System32\taskeng.exe
2124 C:\WINDOWS\System32\taskeng.exe
2312 C:\Program Files\Windows Defender\MSASCui.exe
2356 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
2420 C:\WINDOWS\System32\rundll32.exe
2460 C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
2468 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
2520 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
2536 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
2592 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2608 C:\WINDOWS\System32\svchost.exe
2624 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2640 C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
2680 C:\WINDOWS\System32\svchost.exe
2816 C:\Program Files\Soluto\SolutoService.exe
2840 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
3132 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
3140 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3196 C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
3232 C:\WINDOWS\System32\svchost.exe
3248 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
3284 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
3380 C:\WINDOWS\System32\vds.exe
3416 C:\WINDOWS\System32\svchost.exe
3432 C:\Program Files\Windows Media Player\wmpnetwk.exe
3552 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
1740 C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
2668 WmiPrvSE.exe
4088 C:\WINDOWS\System32\taskeng.exe
1108 C:\WINDOWS\System32\wbem\unsecapp.exe
2232 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4296 C:\WINDOWS\System32\svchost.exe
5116 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
5188 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
4040 C:\WINDOWS\System32\wuauclt.exe
5176 C:\WINDOWS\System32\taskmgr.exe
4944 C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
4064 C:\WINDOWS\System32\sdclt.exe
4476 C:\WINDOWS\System32\svchost.exe
2700 C:\Program Files\Mozilla Firefox\firefox.exe
4276 C:\Program Files\Mozilla Firefox\plugin-container.exe
5420 C:\Users\jsampson\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
5840 C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
4772 C:\WINDOWS\System32\svchost.exe
6388 C:\Users\jsampson\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`55393a00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS542525K9SA00, Rev: BBFOC32P

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
[ 0] Default (Windows Vista)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 3
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

I've rebooted the laptop but am still experiencing all of the problems I've already described. So, before going on to Combofix I thought I better reach out to an expert before I go any further along with this solution.

I hope I've been able to supply enough detail for you to get a handle on my problem. Thanks.

Jack

This post has been edited by hamluis: 22 July 2011 - 12:05 PM
Reason for edit: Moved from Vista to Am I Infected.

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/410696 and follow the instructions there. If you no longer need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
    
  • If you were unable to produce the logs originally please try once more.
    
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

This is a description of the current state of affairs 10 days ago: "A couple of weeks ago my laptop was infected by a FakeHDD rogue anti-spyware program. I was able to regain contriol of my system by booting into safe mode and downloading and running Malwarebytes. I also downloaded and ran Avast. Both Malwarebytes and Avast scans revealed many infected files, which I had deleted or quarantined. I have also run several Avast boot scans and deleted whatever was was reported as a virus. Unfortunately, in my panic to regain control of my system I things thiongs that resulted in my %Temp%\smtmp files being deleted. I have made visible my files.

Before this occurrence, some time ago, Task Manager changed I I was only able to open it showing the Processes tab. After I ran Malwarebytes and Avast the full Task Manager came back.

My current situation:

On startup I recieve a taskbar message, "Windows has blocked some start up programs..." (This message reappears randomly); my CD/DVD drivers fail to load (nor is that drive visible in explorer); a Windows Explorer window opens to my Documents folder;

The sound drivers have failed to load several times and the sound will cut out spontaneously while a firefox browser is open. Restarting the browser re-enables the sound. it appears that by ending the iexplore.exe process I can avoid the sound cutting out in the browser, but I have to be vigilant and as the process starts itself at very short intervals.

At startup an iexplore.exe process starts and runs in the background, concurrently Avast Network Shield blocks a malicious URL (at 64.111.211.172) if I end the process or process tree iexplore.exe runs again spontaneously within in a few minutes, though at random intervals (I have logged 3 cycles and it does appear to be random; if I let iexplore.exe process continue to run it appears to randomly seek to open a connection to the malicious URL and occupies more memory (I've monitored this with task manager.

At startup and again at what appears to be random intervals, what appears to a Windows Network Diagnostics windows opens, scans and returns a window with a "Windows did not find any problems with this computer's network connection." and asks if I want to report the problem to Microsft and provides a hotlink so a report may "be sent the next time you go online." . This appears to be in sync with iexplore.exe process starting and attempting to open a connection to the malicious URL.

Both Firefox and Lunascape crash spontaneously. The laptop appears to be unstable and has bluescreened, on startup, and other times spontaneously. often it will just hang forcing me to power cycle the machine;

I also have a google re-direct issue."

Currently, Google re-direct seems to be resolves. I'm not sure what I did to resolve this. Optical drive device drivers still don't load. Don't know if this is hardware or software related. Sound device drivers fail to load intermittently. Sound device will cut out unexpectedly, when the drivers do load and I am using Firefox.. I can get sound back by shutting Firefox down and reloading. Eventually, the sound will stop for good (until the next re-boot, that is if the sound device drivers load.)

I currently experience continuous and spontaneous Adobe Flash driver crashes when using Firefox. It is at the point where Adobe Flash Plug in will not work at all. I am ready to try to reset the laptop to its original factory condition but I want to save a rather extensive collection of bookmarks. Unfortunately, whatever has control of my laptop has locked me out of my applicationdata directory, among many others. I have taken screenshots of this but am unable to upload them for some reason. My laptop has become near unusable and I do need some help.

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Attached is the combofix log file. After the log file was written I rebooted my laptop. My sound drivers did load but the sound became disabled after about 5 minutes of uptime. Previous to this, the sound drivers did not load at all. They did not load when I booted to run combofix, nor did they load when combofix rebooted the laptop to write the log file. My optical drive is still not recognized by the system (it should show as my E: drive.) I can't honestly say that this isn't a hardware issue, but I want to remove every other possibility before I commit sparse dollars to new hardware.

I am still locked out of some of my username folders. I have captured a screenshot and saved it in an .rtf file but am not able to upload it to the forum/




As it stands, I am denied access to the following shared directories in my username directory when viewing them in explorer:
Application Data
Cookies
Local Settings
My Documents
NetHood
printhood
sendto
startmenu
templates

Your assistance is very much appreciated.

ComboFix 11-08-04.02 - jsampson 08/04/2011 21:59:05.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.843 [GMT -4:00]
Running from: c:\users\jsampson\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - system32: deleted 12 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jsampson\AppData\Roaming\Microsoft\AdjMmsVista.dll
c:\users\jsampson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair
c:\users\jsampson\g2mdlhlpx.exe
c:\windows\system32\KBL.LOG
c:\windows\system32\winservice.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SCM_Service
.
.
((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
.
.
2011-08-05 01:46 . 2011-08-05 01:47 -------- d-----w- C:\comfix
2011-08-03 23:05 . 2011-08-03 23:05 -------- d-----w- c:\programdata\!SASCORE
2011-08-03 22:57 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DEEC5926-32EB-4801-B8C2-DE6136B89924}\mpengine.dll
2011-07-23 22:17 . 2011-07-24 01:38 -------- d-----w- c:\users\jsampson\AppData\Local\gtk-2.0
2011-07-23 22:11 . 2011-08-02 14:22 -------- d-----w- c:\users\jsampson\.zenmap
2011-07-23 22:09 . 2011-07-23 22:09 -------- d-----w- c:\program files\WinPcap
2011-07-23 22:08 . 2011-07-23 22:21 -------- d-----w- c:\program files\Nmap
2011-07-23 21:41 . 2011-07-23 21:41 -------- d-----w- c:\program files\Foundstone
2011-07-23 21:40 . 1998-02-07 02:37 299520 ----a-w- c:\windows\uninst.exe
2011-07-23 16:09 . 2011-07-23 16:09 -------- d-----w- c:\users\jsampson\AppData\Roaming\Lunascape
2011-07-23 16:08 . 2011-07-23 16:08 -------- d-----w- c:\program files\Lunascape
2011-07-22 02:40 . 2011-07-22 02:40 -------- d-----w- c:\users\jsampson\AppData\Roaming\SUPERAntiSpyware.com
2011-07-22 02:40 . 2011-07-22 02:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-22 02:38 . 2011-08-03 23:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-20 02:49 . 2011-07-20 02:49 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-20 02:49 . 2011-07-20 02:49 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-20 02:49 . 2011-07-20 02:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-20 02:48 . 2011-07-20 02:48 508416 ----a-w- c:\windows\system32\drivers\bthport.sys
2011-07-20 02:48 . 2011-07-20 02:48 30208 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2011-07-19 23:26 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-07-19 23:26 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-07-19 23:26 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-07-19 23:26 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-07-19 23:26 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-07-19 23:26 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-07-19 23:26 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-19 23:26 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-13 03:23 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-13 03:22 . 2011-07-21 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-12 12:54 . 2011-07-12 12:54 -------- d-----w- c:\program files\Soluto
2011-07-10 23:34 . 2011-07-10 23:35 -------- d-----w- c:\program files\CCleaner
2011-07-10 19:12 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-10 19:12 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-10 19:12 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-10 19:12 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-10 19:12 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-10 19:12 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-10 19:10 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-10 19:10 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-10 19:10 . 2011-07-10 19:10 -------- d-----w- c:\programdata\AVAST Software
2011-07-10 19:10 . 2011-07-10 19:10 -------- d-----w- c:\program files\AVAST Software
2011-07-10 15:09 . 2011-07-23 14:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 12:34 . 2011-05-20 23:09 51144 ----a-w- c:\windows\system32\drivers\Soluto.sys
2011-07-05 13:40 . 2010-02-21 16:42 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-05 13:40 . 2010-02-21 16:42 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-29 03:40 . 2011-06-29 03:40 96784 ----a-w- c:\windows\system32\Packet.dll
2011-06-29 03:40 . 2011-06-29 03:40 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-06-29 03:40 . 2011-06-29 03:40 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2011-06-29 03:40 . 2011-06-29 03:40 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-05-24 23:14 . 2009-10-05 22:42 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-08 07:16 . 2011-07-19 23:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\jsampson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\jsampson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ---ha-w- c:\users\jsampson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-03 4599680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-09 86016]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"BYRUA_AGENT"="c:\programdata\LGMOBILEAX\BYR_Client\VZWUAAgent.exe" [2011-01-28 382904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\users\jsampson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jsampson\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Lunascape6.lnk - g:\lunascapr\Luna.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 135664]
R3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNIMp50.sys [2006-11-16 21504]
R3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\Drivers\DNISp50.sys [2006-11-16 20480]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wlh_x86\FileMonitor.sys [2011-04-27 18768]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 135664]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [x]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wlh_x86\regfilter.sys [2011-03-23 30600]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wlh_x86\UrlFilter.sys [2011-03-23 19280]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [2010-08-02 14336]
R4 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [2010-08-02 20864]
R4 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [2010-08-02 19968]
R4 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [2010-08-02 24960]
R4 AndNetDiag;LG AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag.sys [2010-10-04 23040]
R4 AndNetGps;LG AndroidNet USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandnetgps.sys [2010-10-04 22144]
R4 ANDNetModem;LG AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem.sys [2010-10-04 27776]
R4 andnetndis;LG AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis.sys [2010-10-04 67456]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [2011-07-07 51144]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-10-01 20384]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-08-03 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-03 123264]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-05-28 353168]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-02 136360]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [2011-06-01 821080]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-06-29 35088]
S2 PfFilter;PfFilter;c:\program files\IObit\Protected Folder\pffilter.sys [2011-03-16 32672]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S3 TS_AR5416;[CommView] Atheros AR5008 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\ts_athw.sys [2009-05-08 00:57 1351104]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-13 22:10]
.
2011-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 15:21]
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 15:21]
.
2011-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2042539376-2815519404-3412456218-1000Core.job
- c:\users\jsampson\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-11 02:36]
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2042539376-2815519404-3412456218-1000UA.job
- c:\users\jsampson\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-11 02:36]
.
2011-08-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-11-19 23:08]
.
2011-04-15 c:\windows\Tasks\User_Feed_Synchronization-{BE811ADA-D337-4642-B8D5-1F2129EDBE36}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: iorad.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\jsampson\AppData\Roaming\Mozilla\Firefox\Profiles\sp3i30sk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\jsampson\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4040)
c:\users\jsampson\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\System32\vds.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2011-08-04 22:47:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-05 02:46
.
Pre-Run: 98,980,687,872 bytes free
Post-Run: 98,568,441,856 bytes free
.
- - End Of File - - BB3D178BBE18571D347E11F9BA1EAFA1

This post has been edited by gringo_pr: 04 August 2011 - 11:23 PM

Hello

what you discribe does not sound like malware but maybe the profile has been corrupted

I want you to try and make a new account and see if you still have the same problems - http://windows.microsoft.com/en-US/windows-vista/fix-a-corrupted-user-profile




Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.3.0

and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.


If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  
• An update should begin;
  
• follow the prompts

Clear your Java Cache

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
  
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and Applets
    Trace and Log Files
    
    
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    
  • Click OK to leave the Temporary Files Window
    
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Hi Gringo,
Sorry for the delay in replying to you. Yes, I am still having problems. My sound driver on loads intermittently, or when it does load will spontaneously fail. I followed all of the instructions to regarding fixing a corrupted user profile. Not all of the data was able to copy to the new user profile. Specifically, I received a message that I did not have the proper privileges to for access to the User Application folder. Access was denied.

I am also experiencing crashes of the flash plug-in in both firefox and iexplorer.

I've followed all of your other instructions. Something new: when I try to run Hijack This as an admin, that option is no longer available on the drop down menu for the icon. This is new as I was able to run apps as an admin as recently as last week. As a result, I have not posted the hijack this log as I don't know if it will be of any use to you. Please advise.

Jack

Here is the malwarebytes scan log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7400

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

8/7/2011 10:15:11 AM
mbam-log-2011-08-07 (10-15-11).txt

Scan type: Quick scan
Objects scanned: 195173
Time elapsed: 12 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello

Sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

Gringo

Thanks. Sometimes we lose sight of the forest for the trees. That was one of those times. Here is the hijack this log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:07:50 PM, on 8/8/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Soluto\soluto.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Program Files\Soluto\soluto.exe /userinit
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
O4 - HKLM\..\Run: [BYRUA_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWUAAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient Control) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe (file missing)
O23 - Service: Maxtor Service (Maxtor Sync Service) - Unknown owner - C:\Program Files\Maxtor\Sync\SyncServices.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Soluto PCGenome Core Service (SolutoService) - Soluto - C:\Program Files\Soluto\SolutoService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 8967 bytes


Thanks again for your help.

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
  O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
  O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
  O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
  
  
  
  
• Close all open windows and browsers/email, etc...
  
• Click on the "Fix Checked" button
  
• When completed, close the application.
  
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brakets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the activex control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options
  
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
  
• Wait for the scan to finish
  
• Click on copy to clipboard and paste the results here in this topic
  
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Hi,
This is what was found in the Eset on line scanner log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=49153

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
  
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box ComboFix /Uninstall and click OK.
  
• Note the space between the X and the /Uninstall, it needs to be there.
  
• 

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialise and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
  
• Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo

I still have the issue of the flash player plug-in crashing. I have created two other user profiles on my laptop and have been logging on to the laptop with these other profiles. I still suffer from the flash plug-in crashing. Is this a Firefox issue? Can you recommend a stable browser for viewing flash content? Am I asking the right questions?

Jack