
wsock32.dll Error



Old 04-11-2012, 02:50 PM   #1
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Ordinal 1112 in the WSOCK32.dll

I was trying to update my McAfee virus scanner (VirusScan Enterprise 8.5.0i) and got this error message
"The ordinal 1112 could not be located in the dynamic link...


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 9:44:09 on 2012-04-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.492 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Winamp\winampa.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
svchost.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\HP_Owner\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar =
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
uURLSearchHooks: H - No File
mURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~1\data\xtras\mssysmgr.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [HP Lamp] "c:\program files\hewlett-packard\hp precisionscan\precisionscan pro\hplamp.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\hp_owner\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cpeupd~1.lnk - l:\media\xtras\shareins\cpeupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: <NO NAME> =
IE: Free YouTube Download - c:\documents and settings\hp_owner\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\hp_owner\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234375887593
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234378343390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{4A4CFA72-4779-430D-B077-240682A88DEC} : DhcpNameServer = 64.71.255.198
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-2-24 4064]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2009-11-6 8768]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\freemake\capturelib\CaptureLibService.exe [2011-11-18 8704]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-2-11 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-2-11 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-2-11 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-2-11 168776]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-19 136176]
S2 ndasscsi;Rimusb;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 PMP;Password Manager Pro;"c:\program files\pmp\bin\wrapper.exe" -s "c:\program files\pmp\conf\wrapper.conf" --> c:\program files\pmp\bin\wrapper.exe [?]
S3 2a60e5cf-b147-4f51-8105-f27ceeb83f5d;2a60e5cf-b147-4f51-8105-f27ceeb83f5d;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-19 136176]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-5-8 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-10 22:28:37 6636 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-10 22:23:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-10 22:23:23 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-10 13:22:39 -------- d-----w- C:\temp
2012-04-10 03:36:25 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-06 17:38:01 -------- d-----w- c:\program files\Creative
2012-03-16 04:02:46 -------- dc-h--w- c:\windows\ie8
2012-03-16 03:24:16 -------- d-----w- c:\documents and settings\hp_owner\application data\PCPro
2012-03-16 03:24:16 -------- d-----w- c:\documents and settings\hp_owner\application data\PC Cleaners
2012-03-16 03:24:08 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
2012-03-16 02:13:58 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\LogiShrd
2012-03-16 02:11:23 2687512 ----a-w- c:\windows\system32\drivers\LV302V32.SYS
2012-03-16 02:10:40 199192 ----a-w- c:\windows\system32\lvci1201278.dll
2012-03-15 04:01:07 -------- d-----w- c:\program files\Emsisoft Anti-Malware
.
==================== Find3M ====================
.
2012-03-16 03:23:48 3979536 ----a-w- c:\windows\uninst.exe
2012-02-24 14:13:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-19 05:30:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-19 05:30:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 9:45:24.71 ===============



Attachments: Ark.zip, dds.txt

Molly052
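Before a helper reads a DDS log like the one above, a first pass usually sorts the "Pseudo HJT Report" lines into what needs a look and what is noise. The script below is an added example for this page; it is not part of DDS, HijackThis, ComboFix or the original post. It parses BHO/TB, Run-key and LSP lines in the format shown above and flags four things a practitioner would check by hand: registrations whose file is gone ("No File"), Run values with an empty target, Run values that name a bare executable with no path (such as `mRun: [AGRSMMSG] AGRSMMSG.exe`, which loads whichever file of that name the loader finds first on the search path, so you must confirm which file actually runs), and Winsock LSP modules other than the base provider. The sample lines are copied from the log above, except the last LSP line, which is constructed so the Winsock rule has something to fire on; the allowlist of known LSP modules is an assumption taken from this log, and every finding is a review candidate, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Sample input: lines copied from the DDS log posted above, plus ONE constructed
# line (example_lsp.dll) so the LSP rule has something to flag. Raw string, since
# the paths contain backslashes.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [<NO NAME>]
LSP: mswsock.dll
LSP: c:\windows\system32\example_lsp.dll
"""

# Assumption: the only LSP module this log shows is Microsoft's base provider.
# Other machines legitimately carry more (some security products install LSPs),
# so extend this set per host rather than treating a hit as malicious.
KNOWN_LSPS: Set[str] = {"mswsock.dll"}

# "BHO: <name>: {CLSID} - <file>" / "TB: {CLSID} - No File"; the name is optional.
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.*?)\s*: )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
# "uRun:" = per-user Run key, "mRun:" = machine-wide Run key.
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LSP_RE = re.compile(r"^LSP: (?P<target>.+)$")


@dataclass
class Entry:
    kind: str    # "BHO", "TB", "uRun", "mRun" or "LSP"
    name: str
    target: str  # file loaded, or the full command line for Run keys
    line: str    # original log line, kept for reporting


@dataclass
class Finding:
    line: str
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Parse the line kinds this triage cares about; everything else is skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := COM_RE.match(line):
            entries.append(Entry(m["kind"], (m["name"] or "").strip(), m["target"].strip(), line))
        elif m := RUN_RE.match(line):
            entries.append(Entry(m["hive"] + "Run", m["name"], m["cmd"].strip(), line))
        elif m := LSP_RE.match(line):
            entries.append(Entry("LSP", "", m["target"].strip(), line))
    return entries


def executable_of(cmd: str) -> str:
    """Program a Run value starts: the quoted path, or the text before the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_unqualified(path: str) -> bool:
    """True when the value is a bare file name, i.e. resolved via the search path."""
    return bool(path) and not any(c in path for c in ("\\", "/", ":"))


def triage(entries: List[Entry], known_lsps: Set[str] = KNOWN_LSPS) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        if e.kind in ("BHO", "TB"):
            # CLSID still registered but the DLL is gone: harmless leftover, cleanup candidate.
            if e.target.lower() == "no file":
                findings.append(Finding(e.line, "orphaned-registration"))
        elif e.kind.endswith("Run"):
            exe = executable_of(e.target)
            if not exe:
                findings.append(Finding(e.line, "empty-run-value"))
            elif is_unqualified(exe):
                # Loader picks the first match on the search path; verify which file runs.
                findings.append(Finding(e.line, "unqualified-path"))
        elif e.kind == "LSP":
            # A foreign or missing LSP sits in the Winsock call path and is a classic
            # cause of both network breakage and traffic interception.
            if e.target.lower().rsplit("\\", 1)[-1] not in known_lsps:
                findings.append(Finding(e.line, "nonstandard-lsp"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.reason:22s} {f.line}")
```

Run it over the whole "Pseudo HJT Report" block rather than the sample and the orphaned BHO/TB entries, the `<NO NAME>` value and the path-less `mRun` targets in the log above fall out directly; the LSP line in the posted log is the base provider, so the last rule stays quiet on it.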
Old 04-13-2012, 11:36 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 04-13-2012, 09:45 PM   #3
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Thanks

Ran requested program Combofix.

Log attached


Thanks for your assistance

Ted

ComboFix 12-04-13.01 - HP_Owner 04/13/2012 22:47:37.1.1 - x86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
c:\documents and settings\All Users\Application Data\DragToDiscUserNameL.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Application Data\inst.exe
c:\documents and settings\HP_Owner\Application Data\PriceGong
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\1.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\1.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\10.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\1029.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\1730.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\2256.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\3631.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\4378.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\a.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\a.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\b.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\b.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\c.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\c.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\d.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\d.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\e.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\e.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\f.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\f.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\g.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\g.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\h.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\h.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\i.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\i.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\j.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\J.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\k.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\k.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\l.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\l.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\m.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\m.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\n.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\n.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\o.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\o.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\p.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\p.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\q.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\q.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\r.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\r.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\s.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\s.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\t.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\t.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\u.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\u.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\v.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\v.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\w.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\w.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\x.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\x.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\y.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\y.xml
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\z.txt
c:\documents and settings\HP_Owner\Application Data\PriceGong\Data\z.xml
c:\documents and settings\HP_Owner\Application Data\vso_ts_preview.xml
c:\documents and settings\HP_Owner\System
c:\documents and settings\HP_Owner\System\win_qs8.jqx
c:\documents and settings\HP_Owner\WINDOWS
C:\prefs.js
c:\program files\Adware Lite
c:\program files\Adware Lite\noadware4_112509.na
c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
c:\windows\$NtUninstallKB10083$\1200384182
c:\windows\$NtUninstallKB10083$\1703101152\@
c:\windows\$NtUninstallKB10083$\1703101152\cfg.ini
c:\windows\$NtUninstallKB10083$\1703101152\Desktop.ini
c:\windows\$NtUninstallKB10083$\1703101152\L\beuximqp
c:\windows\$NtUninstallKB10083$\1703101152\oemid
c:\windows\$NtUninstallKB10083$\1703101152\U\00000001.@
c:\windows\$NtUninstallKB10083$\1703101152\U\00000002.@
c:\windows\$NtUninstallKB10083$\1703101152\U\00000004.@
c:\windows\$NtUninstallKB10083$\1703101152\U\80000000.@
c:\windows\$NtUninstallKB10083$\1703101152\U\80000004.@
c:\windows\$NtUninstallKB10083$\1703101152\U\80000032.@
c:\windows\$NtUninstallKB10083$\1703101152\version
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 02:43 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-13 01:31 . 2012-04-13 01:31 -------- d-----w- c:\documents and settings\HP_Owner\AppData
2012-04-10 22:23 . 2012-04-10 22:23 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-10 13:22 . 2012-04-10 13:22 -------- d-----w- C:\temp
2012-04-10 04:04 . 2012-04-10 04:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-04-06 17:38 . 2012-04-06 17:39 -------- d-----w- c:\program files\Creative
2012-03-16 04:02 . 2012-03-16 04:04 -------- dc-h--w- c:\windows\ie8
2012-03-16 03:24 . 2012-03-16 03:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\PCPro
2012-03-16 03:24 . 2012-03-16 03:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\PC Cleaners
2012-03-16 03:24 . 2012-03-16 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
2012-03-16 02:13 . 2012-03-16 02:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\LogiShrd
2012-03-16 02:11 . 2009-04-30 22:55 2687512 ----a-w- c:\windows\system32\drivers\LV302V32.SYS
2012-03-16 02:10 . 2009-04-30 22:57 199192 ----a-w- c:\windows\system32\lvci1201278.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 03:23 . 2009-02-24 00:27 3979536 ----a-w- c:\windows\uninst.exe
2012-03-01 11:01 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 18:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-04 11:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 11:00 385024 ------w- c:\windows\system32\html.iec
2012-02-24 14:13 . 2012-01-07 07:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 11:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-19 05:30 . 2009-02-12 11:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-19 05:30 . 2010-06-21 21:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]
.
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-31 39408]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-11-21 1625024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 2742272]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2011-11-06 229376]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-16 113664]
cpeupdate.lnk - l:\media\Xtras\ShareIns\cpeupdate.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Alexandria v5 Folder\\Alexandria.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Freemake\\Freemake Video Downloader\\FreemakeVD.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2/24/2009 12:05 AM 4064]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/6/2009 7:24 PM 8768]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [11/18/2011 10:02 AM 8704]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 5:23 PM 35088]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 11:49 PM 136176]
S2 PMP;Password Manager Pro;"c:\program files\PMP\bin\wrapper.exe" -s "c:\program files\PMP\conf\wrapper.conf" --> c:\program files\PMP\bin\wrapper.exe [?]
S3 2a60e5cf-b147-4f51-8105-f27ceeb83f5d;2a60e5cf-b147-4f51-8105-f27ceeb83f5d;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 11:49 PM 136176]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/20/2009 9:52 PM 47360]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/8/2011 8:30 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
remotelyanywhere
ndasscsi
P16X
xpadminserver
ooclevercacheagent
wanminiportservice
SRTSP
mxssvr
enecbpth
AsIO
kpfwsvc
hpwirelessmgr
SetupNT
slabser
SABProcEnum
sffp_sd
USB28xxOEM
ikfilesec
qconsvc
mrpostman
gotomypc
mldserv
RESMGR
nsctop
mi-raysat_3dsmax9_32
W700obex
LMouFilt
p17xfilt
SED133x
svv
W700bus
NAL
DumaNT
dlaudfam
LMIRfsDriver
vncmirror
CnxtHdAudService
wpsscannersvc
clsched
aksusb
STV680
itmrtsvc
epsonbidirectionalservice
sisperf
wlancig
licensemanagersocket
aswupdsv
atitool
smartlinkservice
giveio
se59nd5
plsremotesvc
rampartsvc
ssoftservice
iaimfp0
thpsrv
NOWMEMDF
Blfp
sdhelper
StickyMesger
superproserver
k750obex
apache2
mpfirewl
deltafw
ntrtscan
nsm1mdm
vpctcom
eskerlicensecontrol
RTSTOR
hf30service
isdrv120
bdss
pavdrv
sit_bus
ibmsmbus
BCM43XV
bdrsdrv
elservice
eliservice
s116mgmt
mclserviceatl
tvald
tvtnetwk
oracleorahomepagingserver
RR2IOMod
se44mgmt
comhost
s3ssavage
tng-dts
gemserv
macformatservice
minilog
elosystemservice
rt73
ngserver
keriomailserver
db2
SE2Dmgmt
catchme
a016mdm
LHidKe
prtg4service
SNC
mdvrmng
NWSIPX32
vmauthdservice
PSSdk21
PSI_SVC_2
PSDFilter
CAMCAUD
DcPTP
s117mgmt
se59bus
mssql$sqlexpress
backupexecrpcservice
SISNICXP
rtm
U81xmgmt
tones
se45obex
a8djavs
HBtnKey
ACDaemon
roxupnprenderer
netcfgsvr
PPPoEWin
DMUSBUSBDCam
savrtpel
ngdbserv
rrspy
lvtuner
rnadirectory
stcagent
nsm1mdfl
SANDRA
nim32
sdcoreservice
as32svc
LoopBeMidi1
incdpass
pdagent
symappcore
ikhfile
bgsvcgen
idechndr
acs
serenum
SPFDRV
inort
tdsmapi
pdlnatcm
NICM
kbfiltr
UimBus
scanexplicit
https-nassry
CTEAPSFX.DLL
Freedom
bdselfpr
tosrfsnd
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-04-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-31 23:21]
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:49]
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:49]
.
2011-01-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-09-21 00:57]
.
2012-04-14 c:\windows\Tasks\User_Feed_Synchronization-{B4CA62CA-3590-442A-BC81-E6C22B42EA06}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
2011-02-11 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-31 23:18]
.
2011-01-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-31 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: Free YouTube Download - c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 64.71.255.198
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-HP Lamp - c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
SafeBoot-Lavasoft Ad-Aware Service
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-13 23:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB10083$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,fe,17,f2,7f,96,05,45,a1,84,26,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9a,fe,17,f2,7f,96,05,45,a1,84,26,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\devldr32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\HPZipm12.exe
c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\Dropbox.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2012-04-13 23:31:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-14 03:30
.
Pre-Run: 94,904,041,472 bytes free
Post-Run: 95,461,847,040 bytes free
.
- - End Of File - - 0F2C0DBA6C34A61BA35FD42A7E1FDA6E
Attached Files
File Type: txt ComboFix.txt (25.8 KB, 10 views)
__________________
Molly052 is offline  
Old 04-14-2012, 02:50 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello Ted. Please tell us how your system is behaving.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

I noticed you have Ask Toolbar installed.

Please read this and decide if you want to keep it >> Current Practices of IAC/Ask Toolbars

You can uninstall it via Add or Remove Programs in your Control Panel.

If you decide to uninstall it, please delete the following Folder if it still exists:

C:\Program Files\Ask.com

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
SecCenter::
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

DelDomains::

Folder::
c:\documents and settings\hp_owner\application data\PCPro
c:\documents and settings\hp_owner\application data\PC Cleaners
c:\documents and settings\all users\application data\PC1Data

DDS::
uURLSearchHooks: H - No File

ClearJavaCache::

NetSvc::
remotelyanywhere
ndasscsi
P16X
xpadminserver
ooclevercacheagent
wanminiportservice
SRTSP
mxssvr
enecbpth
AsIO
kpfwsvc
hpwirelessmgr
SetupNT
slabser
SABProcEnum
sffp_sd
USB28xxOEM
ikfilesec
qconsvc
mrpostman
gotomypc
mldserv
RESMGR
nsctop
mi-raysat_3dsmax9_32
W700obex
LMouFilt
p17xfilt
SED133x
svv
W700bus
NAL
DumaNT
dlaudfam
LMIRfsDriver
vncmirror
CnxtHdAudService
wpsscannersvc
clsched
aksusb
STV680
itmrtsvc
epsonbidirectionalservice
sisperf
wlancig
licensemanagersocket
aswupdsv
atitool
smartlinkservice
giveio
se59nd5
plsremotesvc
rampartsvc
ssoftservice
iaimfp0
thpsrv
NOWMEMDF
Blfp
sdhelper
StickyMesger
superproserver
k750obex
apache2
mpfirewl
deltafw
ntrtscan
nsm1mdm
vpctcom
eskerlicensecontrol
RTSTOR
hf30service
isdrv120
bdss
pavdrv
sit_bus
ibmsmbus
BCM43XV
bdrsdrv
elservice
eliservice
s116mgmt
mclserviceatl
tvald
tvtnetwk
oracleorahomepagingserver
RR2IOMod
se44mgmt
comhost
s3ssavage
tng-dts
gemserv
macformatservice
minilog
elosystemservice
rt73
ngserver
keriomailserver
db2
SE2Dmgmt
catchme
a016mdm
LHidKe
prtg4service
SNC
mdvrmng
NWSIPX32
vmauthdservice
PSSdk21
PSI_SVC_2
PSDFilter
CAMCAUD
DcPTP
s117mgmt
se59bus
mssql$sqlexpress
backupexecrpcservice
SISNICXP
rtm
U81xmgmt
tones
se45obex
a8djavs
HBtnKey
ACDaemon
roxupnprenderer
netcfgsvr
PPPoEWin
DMUSBUSBDCam
savrtpel
ngdbserv
rrspy
lvtuner
rnadirectory
stcagent
nsm1mdfl
SANDRA
nim32
sdcoreservice
as32svc
LoopBeMidi1
incdpass
pdagent
symappcore
ikhfile
bgsvcgen
idechndr
acs
serenum
SPFDRV
inort
tdsmapi
pdlnatcm
NICM
kbfiltr
UimBus
scanexplicit
https-nassry
CTEAPSFX.DLL
Freedom
bdselfpr
tosrfsnd

Driver::
Lavasoft Kernexplorer

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
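Added example (not ComboFix's code and not part of this thread): a small Python script that pulls the NETSVCS list out of a ComboFix log like the one above, flags entries that are not stock XP netsvcs members, and renders them as the NetSvc:: section in the format the CFScript uses. The baseline set is an assumption, built from the entries in this thread's log that were left in place.

```python
"""Flag unexpected svchost 'netsvcs' group members in a ComboFix log.

Added example for this thread, not ComboFix's own code. ComboFix prints the
group under the line 'NETSVCS REQUIRES REPAIRS - current entries shown', one
service name per line, ending at its '.' blank-line marker. Anything in that
group that is not a stock Windows XP netsvcs member is an extra load point
that svchost would try to start, so it is worth reviewing (and is what the
CFScript's NetSvc:: section removes).
"""

# Baseline: the stock XP SP3 netsvcs members. Assumption: taken from the
# entries in this thread's own log that the helper left alone.
XP_NETSVCS_BASELINE = frozenset(name.lower() for name in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov
BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc
""".split())

SECTION_HEADER = "NETSVCS REQUIRES REPAIRS - current entries shown"


def parse_netsvcs(log_text):
    """Return the service names listed in the NETSVCS section, in log order.

    Returns an empty list when the section is absent (a clean log does not
    print it at all).
    """
    lines = log_text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.strip() == SECTION_HEADER)
    except StopIteration:
        return []
    names = []
    for line in lines[start + 1:]:
        stripped = line.strip()
        if stripped in ("", "."):      # ComboFix's section terminator
            break
        names.append(stripped)
    return names


def unexpected_netsvcs(names, baseline=XP_NETSVCS_BASELINE):
    """Names not in the baseline, de-duplicated case-insensitively.

    Service names are case-insensitive in Windows, so 'Catchme' and
    'catchme' are the same entry; the first spelling seen is kept.
    """
    seen = set()
    extra = []
    for name in names:
        key = name.lower()
        if key in baseline or key in seen:
            continue
        seen.add(key)
        extra.append(name)
    return extra


def build_netsvc_block(extra):
    """Render the CFScript NetSvc:: section for the flagged names."""
    if not extra:
        return ""
    return "NetSvc::\n" + "\n".join(extra) + "\n"


# Constructed excerpt in ComboFix's layout (a handful of entries from the
# thread's log, not the full list).
SAMPLE_LOG = """\
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
remotelyanywhere
gotomypc
vncmirror
catchme
Catchme
apache2
Rasman
hkmsvc
.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
"""

if __name__ == "__main__":
    flagged = unexpected_netsvcs(parse_netsvcs(SAMPLE_LOG))
    print(build_netsvc_block(flagged), end="")
```

Run against a full log, the flagged list should be reviewed by hand before it goes into a CFScript, since a third-party product can legitimately register its own netsvcs member.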
Old 04-15-2012, 07:51 AM   #5
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hello Chemist

My system seems to be working a little better. I am no longer getting the wsock32 error and was able to update McAfee.


Tried removing Ask toolbar. Program is listed in Control panel but was not able to locate the files.

Here is the latest log file from ComboFix

Thanks again

Ted

ComboFix 12-04-13.01 - HP_Owner 04/15/2012 9:10.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.959 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 )))))))))))))))))))))))))))))))
.
.
2012-04-15 12:42 . 2012-04-15 12:42 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-04-15 12:42 . 2012-04-15 12:42 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-04-15 12:42 . 2012-04-15 12:42 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-04-15 12:42 . 2012-04-15 12:42 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-04-15 12:42 . 2012-04-15 12:42 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-04-15 12:42 . 2012-04-15 12:42 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-04-15 12:42 . 2012-04-15 12:42 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-04-15 12:42 . 2012-04-15 12:42 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-04-15 12:41 . 2012-04-15 12:41 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-04-15 12:41 . 2012-04-15 12:41 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-04-15 12:41 . 2012-04-15 12:41 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-04-15 12:41 . 2012-04-15 12:41 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-04-15 12:41 . 2012-04-15 12:41 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-04-15 12:41 . 2012-04-15 12:41 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-04-15 12:41 . 2012-04-15 12:41 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-04-15 12:41 . 2012-04-15 12:41 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-04-15 12:41 . 2012-04-15 12:41 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-04-14 02:43 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-13 01:31 . 2012-04-13 01:31 -------- d-----w- c:\documents and settings\HP_Owner\AppData
2012-04-10 22:23 . 2012-04-10 22:23 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-10 13:22 . 2012-04-10 13:22 -------- d-----w- C:\temp
2012-04-10 04:04 . 2012-04-10 04:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-04-06 17:38 . 2012-04-06 17:39 -------- d-----w- c:\program files\Creative
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 03:23 . 2009-02-24 00:27 3979536 ----a-w- c:\windows\uninst.exe
2012-03-01 11:01 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 18:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-04 11:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 11:00 385024 ------w- c:\windows\system32\html.iec
2012-02-24 14:13 . 2012-01-07 07:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 11:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-19 05:30 . 2009-02-12 11:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-19 05:30 . 2010-06-21 21:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-14_03.06.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-15 12:40 . 2012-04-15 12:40 16384 c:\windows\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]
.
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-31 39408]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-11-21 1625024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-26 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 2742272]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2011-11-06 229376]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-16 113664]
cpeupdate.lnk - l:\media\Xtras\ShareIns\cpeupdate.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Alexandria v5 Folder\\Alexandria.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Freemake\\Freemake Video Downloader\\FreemakeVD.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2/24/2009 12:05 AM 4064]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/6/2009 7:24 PM 8768]
R2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [11/18/2011 10:02 AM 8704]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 5:23 PM 35088]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 11:49 PM 136176]
S2 PMP;Password Manager Pro;"c:\program files\PMP\bin\wrapper.exe" -s "c:\program files\PMP\conf\wrapper.conf" --> c:\program files\PMP\bin\wrapper.exe [?]
S3 2a60e5cf-b147-4f51-8105-f27ceeb83f5d;2a60e5cf-b147-4f51-8105-f27ceeb83f5d;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 11:49 PM 136176]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/20/2009 9:52 PM 47360]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/8/2011 8:30 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-04-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-31 23:21]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:49]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:49]
.
2011-01-18 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-09-21 00:57]
.
2012-04-15 c:\windows\Tasks\User_Feed_Synchronization-{B4CA62CA-3590-442A-BC81-E6C22B42EA06}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
2011-02-11 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-31 23:18]
.
2011-01-06 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-31 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: Free YouTube Download - c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 64.71.255.198
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-15 09:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\documents and settings\HP_Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-15 09:19:21
ComboFix-quarantined-files.txt 2012-04-15 13:19
ComboFix2.txt 2012-04-15 05:16
ComboFix3.txt 2012-04-14 03:31
.
Pre-Run: 95,592,800,256 bytes free
Post-Run: 95,581,450,240 bytes free
.
- - End Of File - - 35B822A89BAC04FF42E428A21F007049
__________________
Molly052 is offline  
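An added note, not part of the thread: the service/driver section of the ComboFix log above (the `R1`/`S3` lines) is where a helper usually looks first, because it shows which drivers are loaded from where. The Python below is an added example of that triage, not a ComboFix or TSF tool. It parses lines in the format shown and flags entries whose file is missing (`[?]`), that live under a Temp folder, that sit on a drive other than C: (assumed to be the system drive, as in this log) or that carry a GUID-style service name. The flags are prompts for a closer look, not verdicts: CPU-Z, for instance, legitimately drops its `cpuz134` driver in Temp, and a stopped service whose file is already gone is a leftover rather than an active threat.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: four service/driver lines in the ComboFix log format
# seen above (R = running, S = stopped; the "-->" form marks a missing file).
SAMPLE_LINES = [
    r"R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 5:23 PM 35088]",
    r"S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]",
    r"S3 2a60e5cf-b147-4f51-8105-f27ceeb83f5d;2a60e5cf-b147-4f51-8105-f27ceeb83f5d;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]",
    r"S3 cpuz134;cpuz134;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]",
]

# "<state> <name>;<display name>;<path ...>"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SYSTEM_DRIVE = "c:"  # assumption: Windows lives on C:, as in the log above


def parse_service_line(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Split one ComboFix service line into (state, name, image_path, file_present)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    missing = rest.endswith("[?]")
    if " --> " in rest:
        # "registered path --> resolved path [?]": keep the resolved path
        path = rest.split(" --> ")[-1]
        if missing:
            path = path[: -len("[?]")].strip()
    else:
        # "path [date size]": drop the bracketed timestamp and size
        path = rest.rsplit(" [", 1)[0]
    return m.group("state"), m.group("name"), path, not missing


def triage_services(lines: List[str]) -> Dict[str, List[str]]:
    """Return {service name: [flags]} for every entry that trips at least one heuristic."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        _state, name, path, present = parsed
        low = path.lower()
        flags: List[str] = []
        if not present:
            flags.append("file_missing")       # ComboFix could not find the image
        if "\\temp\\" in low:
            flags.append("temp_dir")           # drivers rarely belong in a Temp folder
        if not low.startswith(SYSTEM_DRIVE):
            flags.append("non_system_drive")   # loaded from a removable or data drive
        if GUID_RE.match(name):
            flags.append("guid_name")          # no human-readable service name
        if flags:
            findings[name] = flags
    return findings


if __name__ == "__main__":
    for name, flags in triage_services(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the four sample lines, `npf` (a normal, present driver) produces no entry, while the three stopped entries are reported with their reasons, which is the same short list a helper would ask about before deciding whether anything needs removing.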
Old 04-15-2012, 02:50 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again, Ted. Good job! Please tell us how your system is behaving. Any remaining problems?

------------------------------------------------------
  • Download ASK Remover.zip and save it to your desktop.
  • Double-click ASK Remover.zip and extract the file to your desktop.
  • Double-click ASK Remover.exe then exit any browser windows that open.
  • Click Execute Removal
  • Delete ASK Remover.exe and ASK Remover.zip from your desktop.
------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 30 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 04-16-2012, 07:10 AM   #7
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hello Chemist

Computer seems to be working much better. Thank You

Here are the logs you requested

Ted


MBAM LOG
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.15.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Owner :: RACINE [administrator]
4/15/2012 5:30:46 PM
mbam-log-2012-04-15 (17-30-46).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207871
Time elapsed: 7 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
---------------------------------------------

ESET REPORT
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ac540be61e77f74fa4a34f20652ce87c
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-15 10:56:41
# local_time=2012-04-15 06:56:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 25191939 25191939 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=17242
# found=6
# cleaned=0
# scan_time=1893
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Application Data\OpenCandy\OpenCandy_9C9AA552AF4444CFB79FB4EFC4C4B12E\registrybooster(1).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader_for_sothink-dvd-movie-maker.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ac540be61e77f74fa4a34f20652ce87c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-16 05:53:09
# local_time=2012-04-16 01:53:09 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 25208308 25208308 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=244659
# found=26
# cleaned=0
# scan_time=10512
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Application Data\OpenCandy\OpenCandy_9C9AA552AF4444CFB79FB4EFC4C4B12E\registrybooster(1).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader_for_sothink-dvd-movie-maker.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1170\A0163162.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1170\A0163163.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1170\A0163189.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1245\A0168506.exe a variant of Win32/PCCleaners application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1269\A0170579.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1269\A0170637.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1270\A0170687.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1271\A0170710.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1271\A0170750.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1272\A0170781.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1272\A0170810.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1274\A0171173.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1274\A0171211.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1275\A0171286.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1275\A0171307.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1275\A0171343.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader_for_sothink-dvd-movie-maker.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I

---------------------------------
__________________
Molly052 is offline  
Old 04-16-2012, 09:52 AM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again, Ted. Were you able to uninstall Weatherbug?

------------------------------------------------------

Qoobox is ComboFix's quarantine folder.

System Volume Information is where Windows keeps old system restore points.

Both will get deleted when we uninstall ComboFix.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start with a fresh log so results from an earlier run are not shown again
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Try to delete each listed file; any path that still exists afterwards is logged
for %%g in (

"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip"
"C:\Documents and Settings\HP_Owner\Application Data\OpenCandy\OpenCandy_9C9AA552AF4444CFB79FB4EFC4C4B12E\registrybooster(1).exe"
"C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe"
"C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe"
"C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader_for_sothink-dvd-movie-maker.exe"
"T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe"
"T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe"
"T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader_for_sothink-dvd-movie-maker.exe"


) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


rem If anything could not be deleted, open the list in Notepad; otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself once it has run
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________

chemist is offline  
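An added example, not code from the thread, from ESET or from ComboFix: chemist's point above (Qoobox holds ComboFix's quarantine, System Volume Information holds old restore points, and both go away with ComboFix's uninstall) is exactly the sorting that makes a long ESET report readable. The Python below parses the report format Ted posted (metadata `#` lines, then one detection per line as path, detection name, action, hash and flag), buckets each hit by where the file lives, and separates what the uninstall will clear from what still needs a hand, which is the set the fix.bat above deletes. The sample log is a constructed excerpt of the report in post #7; the bucket names and the assumption that C: is the system drive are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a trimmed ESET Online Scanner log in the format posted above.
# Metadata lines start with '#'; each detection is "path detection (action) hash flag".
SAMPLE_ESET_LOG = "\n".join([
    "# version=7",
    "# end=finished",
    "# found=6",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\HP_Owner\Application Data\OpenCandy\OpenCandy_9C9AA552AF4444CFB79FB4EFC4C4B12E\registrybooster(1).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\HP_Owner\Desktop\Teds Stuff\Ted\Progs\avi-to-dvd-converter6.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1269\A0170579.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I",
    r"T:\ZZ - Backup Files April 2012\HP_Owner\Desktop\Teds Stuff\Ted\Progs\SoftonicDownloader39076.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I",
    "esets_scanner_update returned -1 esets_gle=53251",
])

# One detection line. The path (which may contain spaces) is taken lazily up to the
# first token holding a '/' (ESET names look like Win32/Family.Variant); no Windows
# path contains a forward slash, so that boundary is unambiguous.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<detection>(?:a variant of |probably a variant of )?\S+/\S+ \S+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Buckets that, per chemist's post, "combofix /uninstall" clears on its own.
CLEARED_BY_COMBOFIX_UNINSTALL = {"combofix_quarantine", "restore_point"}


def classify_location(path: str) -> str:
    """Bucket a hit by where the file sits; bucket names are this example's own."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    if "\\spybot - search & destroy\\recovery\\" in low:
        return "spybot_recovery"
    if not low.startswith("c:\\"):          # assumption: C: is the system drive
        return "other_drive"
    return "live"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (metadata, detections) from an ESET Online Scanner log."""
    meta: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            meta[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            continue  # scanner chatter such as "esets_scanner_update returned -1"
        entry = m.groupdict()
        entry["location"] = classify_location(entry["path"])
        findings.append(entry)
    return meta, findings


def summarize(text: str) -> dict:
    """Count hits per location and list the ones the ComboFix uninstall will not touch."""
    meta, findings = parse_eset_log(text)
    by_location = Counter(f["location"] for f in findings)
    pending = [f["path"] for f in findings
               if f["location"] not in CLEARED_BY_COMBOFIX_UNINSTALL]
    reported = int(meta.get("found", "0"))
    return {
        "by_location": dict(by_location),
        "pending_manual": pending,
        # a mismatch here means lines were truncated or the format changed
        "count_matches_header": reported == len(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ESET_LOG).items():
        print(key, value)
```

On the sample, the two Sirefef hits land in the quarantine and restore-point buckets and drop out of `pending_manual`; the remaining four (the Spybot recovery archive, the two files under the user profile and the copy on the T: backup drive) are the kind of entries that end up in a fix.bat like the one above.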
Old 04-17-2012, 07:20 AM   #9
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hi Chemist

Weatherbug is deleted

Am I to delete combofix then run bat file or vice versa?

Have noticed that at startup, the "dragtoDsk" was using 99% of resources and hanging there forever. I am not sure what is copying and to where.
Ended up selecting "End Process" to kill it.
Computer works fine afterwards.


Thanks

Ted
__________________
Molly052 is offline  
Old 04-17-2012, 12:20 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again, Ted. No, please don't delete ComboFix yet. Just run the bat file and let me know what it says. I will then give you some final instructions.
__________________

chemist is offline  
Old 04-17-2012, 08:57 PM   #11
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hi Chemist

Ran fix.bat
reply was "deleted successfully"

file disappeared after pressing "any key"


Ted
__________________
Molly052 is offline  
Old 04-17-2012, 10:26 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again, Ted. You're welcome.

Over the last day, I meant AskToolbar not Weatherbug.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

Make sure all your applications and browsers are up-to-date by visiting Secunia Online Software Inspector here:

Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
  • Click 'Start Scanner'
  • Wait for Status/Currently Processing: at the lower left to say 'Java Applet loaded successfully. Press "Start" to begin.'
  • Click 'Start'.
  • The scan should take less than a minute or so.
  • When done, download and install all the recommended updates.
  • This will help ensure the malware writers cannot use exploits (bugs) in older versions of your applications to infect your computer in the future.
------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

chemist is offline  
Old 04-20-2012, 04:11 PM   #13
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hello

I ran Microsoft updates and Secunia as suggested.
For whatever reason, I cannot load Adobe Flash Player
It loads as far as 54% then I get the message "Error: Failed to Register"

Any suggestions ?


Thanks

Ted
__________________
Molly052 is offline  
Old 04-20-2012, 05:13 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again, Ted. Try uninstalling Flash Player completely, reboot then reinstall it. Let me know.

Adobe - Install Adobe Flash Player
__________________

chemist is offline  
Old 04-20-2012, 07:04 PM   #15
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



I tried that last night ... and again today, including using the downloadable uninstaller from Adobe. I tried reinstalling with and without McAfee running.
Same error message


Ted
__________________
Molly052 is offline  
Old 04-20-2012, 08:23 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



Hello again Ted. Try the steps listed here:

Adobe Forums: How do I fix Windows permission problems with Flash Player?

Let me know.
__________________

chemist is offline  
Old 04-20-2012, 10:27 PM   #17
Registered Member
 
Join Date: Apr 2012
Location: Ottawa, Canada
Posts: 12
OS: Windows 7 Home Premium Sp1



Hello again

I found a solution to my Flash Player problem. I installed Google Chrome.
It seems Flash is already installed in Google Chrome and runs perfectly.
For whatever reason, it now works on regular Google as well

Thank you again for all your help in getting my computer back up and running and virus free.



Ted.
__________________
Molly052 is offline  
Old 04-20-2012, 10:32 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,494
OS: XP SP3; Win7 32/64-bit



You're very welcome, Molly052! Glad to have helped.

__________________

chemist is offline  
 
