StanB Posted June 7, 2010 (edited)

My browser gets redirected to different web sites when I click on a Google search result. This happens with both IE 6.0 and Firefox. In addition to the Google search redirect, occasionally Firefox will open a new tab for a random web site. Also, I cannot access the Windows Update site.

I have used Malwarebytes' Anti-Malware and Avast Free Antivirus to scan my hard drive several times. The first time I scanned my hard drive, Malwarebytes and Avast both found many problem files, which I removed. However, the problem continued. SuperAntiSpyware Free Edition found a few additional problem files, which I quarantined. The last time I scanned my hard drive, neither Malwarebytes nor Avast found any infected files, but the browser redirect problem is still here.

** hijackthis.log **
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:32 PM, on 6/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe C:\Program
Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AT&T\Internet Security Wizard\ISW.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\HPQ\SHARED\HPQWMI.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe C:\WINDOWS\system32\SearchProtocolHost.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll O2 - BHO: (no name) - {6a2025e6-a562-4884-ac76-c1d75533a67a} - gahiboru.dll (file missing) O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100604222733.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [soundMAX] 
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iSW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program 
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [security Guard] "C:\Documents and Settings\All Users\Application Data\a656eba\SGa656.exe" /s /d (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [security Guard] "C:\Documents and Settings\All Users\Application Data\a656eba\SGa656.exe" /s /d (User 'Default user') O4 - S-1-5-18 Startup: AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe (User 'SYSTEM') O4 - .DEFAULT Startup: AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe (User 'Default user') O4 - Startup: AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop O16 - DPF: 
{0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1246076119625 O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195712640453 O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) - O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - AppInit_DLLs: binuvete.dll c:\windows\system32\muvetuvo.dll c:\windows\system32\nudewolu.dll c:\windows\system32\pumotozi.dll c:\windows\system32\tobamiwo.dll c:\windows\system32\telonapi.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O21 - SSODL: mebokileg - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing) O21 - SSODL: mezeyomaz - 
{cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll (file missing) O21 - SSODL: dobigodop - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll (file missing) O21 - SSODL: gafodalol - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: mujuzedij - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing) O22 - SharedTaskScheduler: mujuzedij - {cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll (file missing) O22 - SharedTaskScheduler: jugezatag - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll (file missing) O22 - SharedTaskScheduler: tokatiluy - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll (file missing) O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. 
- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing) O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 16251 bytes ** DOS.txt ** DDS (Ver_10-03-17.01) - NTFSx86 Run by Stan Beson at 19:56:09.34 on Sat 06/05/2010 Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.211 [GMT -7:00] AV: Security Guard *On-access scanning enabled* (Updated) {15963F2F-11E0-41F4-9077-8648C685CC01} AV: avast! 
Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: Security Guard *enabled* {B0BB15C4-0E0D-49F9-B1A7-9BE247C8F539} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program 
Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AT&T\Internet Security Wizard\ISW.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\HPQ\SHARED\HPQWMI.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\rundll32.exe C:\Documents and Settings\Stan Beson\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop mDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll BHO: 
{6a2025e6-a562-4884-ac76-c1d75533a67a} - gahiboru.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100604222733.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe mRun: [LSBWatcher] 
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [iSW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui dRun: [security Guard] "c:\documents and settings\all users\application data\a656eba\SGa656.exe" /s /d StartupFolder: c:\docume~1\stanbe~1\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - 
c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1246076119625 DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195712640453 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL Notify: igfxcui - igfxsrvc.dll AppInit_DLLs: binuvete.dll c:\windows\system32\muvetuvo.dll c:\windows\system32\nudewolu.dll c:\windows\system32\pumotozi.dll c:\windows\system32\tobamiwo.dll c:\windows\system32\telonapi.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: mebokileg - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll SSODL: mezeyomaz - {cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll SSODL: dobigodop - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll SSODL: gafodalol - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll STS: mujuzedij: {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll STS: mujuzedij: {cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll STS: jugezatag: {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll STS: tokatiluy: {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop 
search\MSNLNamespaceMgr.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL LSA: Notification Packages = scecli binuvete.dll IFEO: image file execution options - svchost.exe ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\stanbe~1\applic~1\mozilla\firefox\profiles\qlwmisxj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q= FF - prefs.js: browser.startup.homepage - FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\stan beson\application data\mozilla\firefox\profiles\qlwmisxj.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla 
firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", 
"chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-28 385880] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-25 164048] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-11 82952] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656] R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-8-6 24645] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-25 19024] R2 avast! Antivirus;avast! 
Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-4-11 93320] R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-11 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-11 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-11 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-28 170144] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-28 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-28 141792] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-11 55456] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-11 152320] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-11 51688] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-11 312616] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-11 88480] S0 ltiu;ltiu;c:\windows\system32\drivers\vtuijpwj.sys --> c:\windows\system32\drivers\vtuijpwj.sys [?] S2 pciinfo;HP Pci Information;\??\c:\docume~1\stanbe~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\stanbe~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?] 
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2009-12-4 17432] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1c3.tmp --> c:\windows\system32\1C3.tmp [?] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-11 88480] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-11 83496] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-20 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-20 40552] S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-3 1251720] =============== Created Last 30 ================ 2010-06-05 16:44:37 0 d-----w- c:\program files\Trend Micro 2010-06-04 16:28:03 0 d-----w- c:\docume~1\stanbe~1\applic~1\SUPERAntiSpyware.com 2010-06-04 16:28:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2010-06-04 16:27:44 0 d-----w- c:\program files\SUPERAntiSpyware 2010-05-31 18:12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-31 18:12:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-31 18:12:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-25 17:57:13 1409 ----a-w- c:\windows\QTFont.for 2010-05-25 17:57:12 54156 ---ha-w- c:\windows\QTFont.qfn 2010-05-13 03:05:25 3254 ----a-w- c:\windows\system32\wbem\Outlook_01caf24921e170fc.mof ==================== Find3M ==================== 2010-04-28 00:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2010-04-28 00:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2010-04-28 00:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2010-04-28 00:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2010-04-28 00:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2010-04-28 00:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys 2010-04-28 00:16:24 51688 ----a-w- 
c:\windows\system32\drivers\mfebopk.sys 2010-04-28 00:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2010-04-28 00:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2010-04-28 00:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2010-04-22 20:45:23 161581 ----a-w- c:\windows\fonts\AdobeFnt.lst 2010-04-20 15:03:48 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-15 03:55:19 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-15 03:55:19 361600 ----a-w- c:\windows\system32\dllcache\tcpip.sys 2008-05-25 00:33:09 2725048 ----a-w- c:\program files\FLV PlayerFCSetup.exe ============= FINISH: 19:58:17.60 =============== ** Attach.txt ** UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume1 Install Date: 3/26/2006 6:43:58 AM System Uptime: 6/5/2010 6:25:32 PM (1 hours ago) Motherboard: Hewlett-Packard | | 309D Processor: Intel® Pentium® M processor 1.60GHz | U1 | 1596/400mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 56 GiB total, 10.692 GiB free. 
D: is CDROM () ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP654: 3/8/2010 8:10:56 AM - System Checkpoint RP655: 3/12/2010 11:37:58 AM - System Checkpoint RP656: 3/14/2010 4:22:49 PM - System Checkpoint RP657: 3/15/2010 7:38:39 PM - System Checkpoint RP658: 3/19/2010 2:51:07 PM - System Checkpoint RP659: 3/21/2010 4:36:48 PM - System Checkpoint RP660: 3/23/2010 10:33:19 AM - System Checkpoint RP661: 3/24/2010 9:56:02 PM - System Checkpoint RP662: 3/26/2010 6:59:22 PM - System Checkpoint RP663: 3/31/2010 7:49:02 PM - System Checkpoint RP664: 4/2/2010 10:05:13 AM - System Checkpoint RP665: 4/3/2010 6:00:10 PM - System Checkpoint RP666: 4/4/2010 6:29:10 PM - System Checkpoint RP667: 4/7/2010 10:11:14 PM - System Checkpoint RP668: 4/8/2010 11:04:05 PM - System Checkpoint RP669: 4/11/2010 3:14:53 PM - System Checkpoint RP670: 4/13/2010 11:10:57 AM - System Checkpoint RP671: 4/15/2010 9:46:18 AM - System Checkpoint RP672: 4/16/2010 10:47:20 PM - Removed Ad-Aware Email Scanner for Outlook RP673: 4/17/2010 11:06:01 PM - System Checkpoint RP674: 4/19/2010 11:34:20 AM - System Checkpoint RP675: 4/20/2010 8:02:35 AM - Removed Java 6 Update 13 RP676: 4/20/2010 8:03:36 AM - Installed Java 6 Update 20 RP677: 4/22/2010 10:03:20 AM - System Checkpoint RP678: 4/24/2010 12:27:48 AM - System Checkpoint RP679: 4/25/2010 3:35:03 PM - avast! 
Free Antivirus Setup RP680: 4/29/2010 9:07:48 AM - System Checkpoint RP681: 4/30/2010 5:52:28 PM - System Checkpoint RP682: 5/1/2010 6:49:31 PM - System Checkpoint RP683: 5/3/2010 11:39:08 AM - System Checkpoint RP684: 5/7/2010 7:22:18 PM - System Checkpoint RP685: 5/9/2010 7:44:29 PM - System Checkpoint RP686: 5/13/2010 8:38:18 AM - System Checkpoint RP687: 5/14/2010 8:11:56 PM - System Checkpoint RP688: 5/17/2010 9:42:29 AM - System Checkpoint RP689: 5/20/2010 2:07:05 AM - System Checkpoint RP690: 5/21/2010 8:23:30 PM - System Checkpoint RP691: 5/23/2010 1:59:16 PM - System Checkpoint RP692: 5/25/2010 9:52:04 PM - System Checkpoint RP693: 5/28/2010 12:15:44 AM - System Checkpoint RP694: 5/30/2010 5:15:44 PM - System Checkpoint RP695: 6/1/2010 10:31:04 PM - System Checkpoint RP696: 6/4/2010 7:45:38 AM - System Checkpoint RP697: 6/5/2010 7:49:08 AM - System Checkpoint RP698: 6/5/2010 9:44:33 AM - Installed HiJackThis ==== Installed Programs ====================== 32 Bit HP CIO Components Installer Absolute Beginner's Series SQL Lesson 1 Absolute Beginner's Series SQL Lesson 2 Absolute Beginner's Series SQL Lesson 3 Absolute Beginner's Series SQL Lesson 4 ActiveState Komodo Edit 5.0.3 Adobe Acrobat 5.0 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 7.0.5 Language Support Adobe Reader 7.1.0 Agere Systems AC'97 Modem ALPS Touch Pad Driver Apache HTTP Server 2.2.13 Apple Mobile Device Support Apple Software Update Applian FLV Player AT&T Internet Security Wizard 1.5.11 AT&T Toolbar ATT-HSI avast! 
Free Antivirus Bonjour Canon MP Navigator EX 1.0 Canon MX310 series Character Set Converter 1.01 Critical Update for Windows Media Player 11 (KB959772) Easy Internet Sign-up Eudora GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892) GNU Privacy Guard Google Toolbar for Internet Explorer Google Video Player GoToMeeting/GoToWebinar 3.0.0.198 HiJackThis Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB915800-v4) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) HP Help and Support HP Update HP Wireless Assistant 1.01 B2 HP_User_Guides_0005 HpSdpAppCoreApp Intel® Graphics Media Accelerator Driver for Mobile InterVideo WinDVD Ipswitch WS_FTP Home 2007 iTunes J2SE Runtime Environment 5.0 Update 4 J2SE Runtime Environment 5.0 Update 9 Java Auto Updater Java 6 Update 20 Java 6 Update 5 Java 6 Update 7 LightScribe 1.4.31.1 LiveUpdate Notice (Symantec Corporation) Malwarebytes' Anti-Malware McAfee Internet Security Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Money 2005 Microsoft MSDN 2005 Express Edition - ENU Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional 2007 Microsoft Office Professional 2007 Trial Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 
Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Standard Edition 2003 Microsoft Office Word MUI (English) 2007 Microsoft Software Update for Web Folders (English) 12 Microsoft SQL Server 2000 Sample Database Scripts Microsoft SQL Server 2005 Microsoft SQL Server 2005 Books Online (English) (May 2007) Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) Microsoft SQL Server 2005 Tools Express Edition Microsoft SQL Server Management Studio Express Microsoft SQL Server Native Client Microsoft SQL Server Setup Support Files (English) Microsoft SQL Server VSS Writer Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual Basic 2005 Express Edition - ENU Microsoft Visual Basic 2005 Express Edition - ENU Service Pack 1 (KB926747) Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Express Edition - ENU Microsoft Visual C++ 2005 Express Edition - ENU Service Pack 1 (KB926748) Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual Web Developer 2005 Express Edition - ENU Microsoft Visual Web Developer 2005 Express Edition - ENU Service Pack 1 (KB926751) Microsoft Works Move Networks Media Player for Internet Explorer Mozilla Firefox (3.6.3) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6.0 Parser (KB933579) muvee autoProducer 4.0 - SE MySQL Server 5.0 Norton 360 program3 Quick Launch Buttons 5.10 B5 QuickTime Rhapsody Player Engine Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB973704) Security Update for Microsoft Office Excel 2007 (KB973593) Security Update for Microsoft Office Outlook 2007 (KB972363) Security 
Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office Publisher 2007 (KB969693) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Microsoft Office Word 2007 (KB969604) Security Update for Microsoft Visual C++ 2005 Express Edition - ENU (KB971090) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Search 4 - KB963093 Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950759) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security 
Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956390) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB963027) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969897) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972260) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP 
(KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974455) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB976325) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB9

Edited June 8, 2010 by StanB

lesliebibb Posted June 7, 2010

1. Can you go to C:\windows\system32\drivers\etc and open the file hosts with Notepad, and post the contents here? In this file you can set where you want websites to go to; for example, you can set pcpitstop.com to go to whatever.com.

2. IE is now at version 8; you should normally always update to the last version (although updating won't fix the issue).

StanB Posted June 7, 2010 Author

> 1 Can you go to C:\windows\system32\drivers\etc and open the file hosts with notepad, post the contents here. In this file you can set where you want websites to go to, for example you can set pcpitstop.com to go to whatever.com.

Thanks for the reply.

** Start of C:\WINDOWS\System32\drivers\etc\hosts **
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
** End of C:\WINDOWS\System32\drivers\etc\hosts **

> 2 IE is now at version 8, you should normally always update to the last version (although updating won't fix the issue).

I mostly use Firefox on this computer. I use IE to test browser compatibility of web pages. That is why I have not updated the program. My other computer has the current version of IE.
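
The hosts-file check discussed in the two posts above, as an added Python example that is not part of either post: it parses a hosts file and reports every name that is mapped to a fixed address or blackholed to the local machine, leaving only the default localhost entry unreported. The function names and the three tampered entries are constructed for illustration; the clean sample is the file StanB posted, with its header comments abridged.

```python
import ipaddress

# Hosts file as posted in the thread (header comments abridged).
POSTED_HOSTS = """\
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed entries for contrast; none of these appear in the thread.
# 203.0.113.7 is a documentation-range address (TEST-NET-3).
CONSTRUCTED_TAMPERED = POSTED_HOSTS + (
    "203.0.113.7   pcpitstop.com www.pcpitstop.com   # pinned to a fixed address\n"
    "127.0.0.1     updates.example.com               # blackholed to this machine\n"
    "not-an-ip     broken.example.com\n"
)


def parse_hosts(text):
    """Yield (line_number, address_token, [hostnames]) for each active entry."""
    lines = text.lstrip("\ufeff").splitlines()   # tolerate a BOM and CRLF endings
    for number, raw in enumerate(lines, start=1):
        active = raw.split("#", 1)[0].strip()    # everything after '#' is a comment
        if not active:
            continue
        address, *names = active.split()
        yield number, address, names


def audit_hosts(text):
    """Return (line, address, name, reason) for every entry that needs review."""
    findings = []
    for number, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((number, address, "", "malformed address"))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if local and name.lower() == "localhost":
                continue                          # the default entry
            reason = "blackholed to local machine" if local else "pinned, bypasses DNS"
            findings.append((number, address, name.lower(), reason))
    return findings


if __name__ == "__main__":
    print("posted file:", audit_hosts(POSTED_HOSTS))
    for finding in audit_hosts(CONSTRUCTED_TAMPERED):
        print(finding)
```

An empty result for the posted file means the hosts file is not what is redirecting the searches, so the cause has to be looked for elsewhere.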

Juliet Posted June 8, 2010

Hi and welcome

I see McAfee, Symantec/Norton, and avast! Antivirus. Need to get this computer down to just 1 antivirus or we're stuck with conflicts and errors, nor will tools we need to run work. Take care of this first before attempting further instructions.

Look in your add/remove programs list, and if found remove Security Guard. If you can't locate it don't worry, just continue.

Open HijackThis, click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {6a2025e6-a562-4884-ac76-c1d75533a67a} - gahiboru.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [security Guard] "C:\Documents and Settings\All Users\Application Data\a656eba\SGa656.exe" /s /d (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [security Guard] "C:\Documents and Settings\All Users\Application Data\a656eba\SGa656.exe" /s /d (User 'Default user')
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
O20 - AppInit_DLLs: binuvete.dll c:\windows\system32\muvetuvo.dll c:\windows\system32\nudewolu.dll c:\windows\system32\pumotozi.dll c:\windows\system32\tobamiwo.dll c:\windows\system32\telonapi.dll
O21 - SSODL: mebokileg - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing)
O21 - SSODL: mezeyomaz - {cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll (file missing)
O21 - SSODL: dobigodop - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll (file missing)
O21 - SSODL: gafodalol - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {cf4cf8bf-0115-4dcf-b490-ceed73bad989} - c:\windows\system32\nudewolu.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll (file missing)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTM by OldTimer Here & save it to your desktop.

Double click on OTM.exe to run it.

Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved

Note: Do not type it out to minimize the risk of typo error

:Files
c:\windows\system32\nudewolu.dll
c:\windows\system32\pumotozi.dll
c:\windows\system32\tobamiwo.dll
c:\windows\system32\drivers\vtuijpwj.sys
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Security Guard"=-
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Security Guard"=-
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Click on MoveIt!

When done, click on Exit

Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes. A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

In your next reply post:
OTM log
new DDS.txt
give me an update as to how the computer is acting now.
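
An added example, not part of Juliet's post and not code from HijackThis or OTM: a Python script that groups the DLL-loading entries from the fix list above by file name, so that one DLL registered under several load points (AppInit_DLLs, SSODL, SharedTaskScheduler) is reviewed as a single item. The line layout is inferred from the entries quoted in the post, and the function names are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Six of the entries from the fix list above, copied as posted.
HJT_LINES = r"""
O2 - BHO: (no name) - {6a2025e6-a562-4884-ac76-c1d75533a67a} - gahiboru.dll (file missing)
O20 - AppInit_DLLs: binuvete.dll c:\windows\system32\muvetuvo.dll c:\windows\system32\nudewolu.dll c:\windows\system32\pumotozi.dll c:\windows\system32\tobamiwo.dll c:\windows\system32\telonapi.dll
O21 - SSODL: mebokileg - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing)
O21 - SSODL: dobigodop - {d439027e-50d1-489d-98d6-25693f7f7291} - c:\windows\system32\pumotozi.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {00e72e38-0b35-47e4-b227-148fb079e63b} - c:\windows\system32\nudewolu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {8f0f85b0-fc7a-44fd-8b85-32e25c768385} - c:\windows\system32\tobamiwo.dll (file missing)
""".strip().splitlines()

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9a-fA-F-]{36}\}")
MISSING = "(file missing)"
# Sections whose entries name a DLL to be loaded; other sections are skipped.
DLL_SECTIONS = {"O2", "O20", "O21", "O22"}


def parse_entry(line):
    """Split one HijackThis line into section code, load point, CLSID and DLL paths."""
    match = ENTRY.match(line.strip())
    if match is None or match.group(1) not in DLL_SECTIONS:
        return None
    code, load_point, rest = match.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    if code == "O20":
        # AppInit_DLLs is one registry value holding a space- or comma-separated list.
        paths, clsid = re.split(r"[ ,]+", rest.strip()), None
    else:
        # "<name> - {CLSID} - <path>": the path is the last " - " separated field.
        found = CLSID.search(rest)
        clsid = found.group(0).lower() if found else None
        paths = [rest.rsplit(" - ", 1)[-1].strip()]
    return {"code": code, "load_point": load_point, "clsid": clsid,
            "paths": paths, "missing": missing}


def triage(lines):
    """Group entries by DLL file name so one file's registrations are seen together."""
    summary = defaultdict(lambda: {"load_points": set(), "clsids": set(),
                                   "reported_missing": False})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        for path in entry["paths"]:
            item = summary[ntpath.basename(path).lower()]
            item["load_points"].add(entry["load_point"])
            if entry["clsid"]:
                item["clsids"].add(entry["clsid"])
            item["reported_missing"] |= entry["missing"]
    return {dll: {"load_points": sorted(v["load_points"]),
                  "clsids": sorted(v["clsids"]),
                  "reported_missing": v["reported_missing"]}
            for dll, v in summary.items()}


def cross_load_point(summary):
    """DLL names registered under more than one load point."""
    return sorted(d for d, v in summary.items() if len(v["load_points"]) > 1)


if __name__ == "__main__":
    result = triage(HJT_LINES)
    for dll in sorted(result):
        print(dll, result[dll])
    print("registered in several places:", cross_load_point(result))
```

HijackThis does not mark individual AppInit_DLLs names as missing, so `reported_missing` stays false for a DLL that appears only in the O20 line; its presence on disk has to be checked separately.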

StanB Posted June 8, 2010 Author

> Hi and welcome I see McAfee, Symantec/Norton, and avast! Antivirus. Need to get this computer down to just 1 antivirus or we're stuck with conflicts and errors, nor will tools we need to run work. Take care of this first before attempting further instructions. Look in your add/remove programs list, and if found remove Security Guard. If you can't locate it don't worry, just continue.

Thanks for the reply.

I have removed McAfee using Add or Remove Programs. If I remember correctly, I uninstalled Symantec/Norton using Add or Remove Programs about a year ago, before I installed McAfee. In any event, Symantec/Norton is not in the Add or Remove Programs list now. There is still a "Norton 360" folder in the C:\Program Files directory, but the only two files in the folder are url.txt and urlhistory.txt. What do I need to do to remove Symantec/Norton completely?

Also Security Guard is not in the Add or Remove Programs list.

Juliet Posted June 8, 2010

Use the Norton removal tool.
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039

After you follow my instructions, and any remaining files/folders are left we can remove those.

StanB Posted June 8, 2010 Author

The two problems are still here. I tried a Google search using Firefox and it was redirected to eyesmd.com and then a few seconds later redirected to 68.169.84.155. I can not access Windows Update. When I copied the URL from IE to Firefox, I got the following message. "The connection to the server was reset while the page was loading."

The OTM log and new DDS.txt are included below.

** 06082010_072951.log **
All processes killed
========== FILES ==========
File/Folder c:\windows\system32\nudewolu.dll not found.
File/Folder c:\windows\system32\pumotozi.dll not found.
File/Folder c:\windows\system32\tobamiwo.dll not found.
File/Folder c:\windows\system32\drivers\vtuijpwj.sys not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Security Guard not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Security Guard not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 5750034 bytes

User: NetworkService
->Temp folder emptied: 1867776 bytes
->Temporary Internet Files folder emptied: 26142759 bytes
->Flash cache emptied: 8590 bytes

User: PHP
->Temp folder emptied: 2020 bytes
->Temporary Internet Files folder emptied: 34349 bytes
->FireFox cache emptied: 10735480 bytes
->Flash cache emptied: 405 bytes

User: Stan Beson
->Temp folder emptied: 211088252 bytes
->Temporary Internet Files folder emptied: 13559227 bytes
->Java cache emptied: 83580034 bytes
->FireFox cache emptied: 78945239 bytes
->Flash cache emptied: 1201923 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 22333969 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49006539 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 70078 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 481.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.12.2 log created on 06082010_072951

Files moved on Reboot...
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_100.dat not found!
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
** DDS.txt ** DDS (Ver_10-03-17.01) - NTFSx86 Run by Stan Beson at 7:41:46.37 on Tue 06/08/2010 Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.130 [GMT -7:00] AV: Security Guard *On-access scanning enabled* (Updated) {15963F2F-11E0-41F4-9077-8648C685CC01} AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Security Guard *enabled* {B0BB15C4-0E0D-49F9-B1A7-9BE247C8F539} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Common 
Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AT&T\Internet Security Wizard\ISW.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\HPQ\SHARED\HPQWMI.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Documents and Settings\Stan Beson\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=laptop mDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: Java™ Plug-In 2 SSV Helper: 
{dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe uRun: [McAfee Update] c:\docume~1\stanbe~1\locals~1\temp\mcupdate_1275973752.exe /syncfin c:\docume~1\stanbe~1\locals~1\temp\mcupdate_1275973753.ini mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec 
shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [iSW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui StartupFolder: c:\docume~1\stanbe~1\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - 
hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1246076119625 DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195712640453 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL Notify: igfxcui - igfxsrvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll SEH: Windows Desktop Search Namespace Manager: 
{56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL IFEO: image file execution options - svchost.exe ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\stanbe~1\applic~1\mozilla\firefox\profiles\qlwmisxj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q= FF - prefs.js: browser.startup.homepage - FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\stan beson\application data\mozilla\firefox\profiles\qlwmisxj.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program 
files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - 
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-25 164048] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656] R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-8-6 24645] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-25 19024] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] R3 avast! Web Scanner;avast! 
Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 40384] S0 ltiu;ltiu;c:\windows\system32\drivers\vtuijpwj.sys --> c:\windows\system32\drivers\vtuijpwj.sys [?] S2 pciinfo;HP Pci Information;\??\c:\docume~1\stanbe~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\stanbe~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?] S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2009-12-4 17432] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1c3.tmp --> c:\windows\system32\1C3.tmp [?] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-20 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-20 40552] S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-3 1251720] =============== Created Last 30 ================ 2010-06-08 14:29:51 0 d-----w- C:\_OTM 2010-06-05 16:44:37 0 d-----w- c:\program files\Trend Micro 2010-06-04 16:28:03 0 d-----w- c:\docume~1\stanbe~1\applic~1\SUPERAntiSpyware.com 2010-06-04 16:28:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2010-06-04 16:27:44 0 d-----w- c:\program files\SUPERAntiSpyware 2010-05-31 18:12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-31 18:12:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-31 18:12:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-25 17:57:13 1409 ----a-w- c:\windows\QTFont.for 2010-05-25 17:57:12 54156 ---ha-w- c:\windows\QTFont.qfn 2010-05-13 03:05:25 3254 ----a-w- c:\windows\system32\wbem\Outlook_01caf24921e170fc.mof ==================== Find3M ==================== 2010-04-22 20:45:23 161581 ----a-w- c:\windows\fonts\AdobeFnt.lst 2010-04-20 15:03:48 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-15 03:55:19 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-15 03:55:19 361600 ----a-w- c:\windows\system32\dllcache\tcpip.sys 2008-05-25 00:33:09 2725048 
----a-w- c:\program files\FLV PlayerFCSetup.exe
============= FINISH: 7:43:14.81 ===============

I don't know if it will help you or not, but I deleted C:\Documents and Settings\All Users\Application Data\a656eba\SGa656.exe several weeks ago when I first noticed this problem. Thanks for your assistance.
Juliet Posted June 8, 2010

Download ComboFix from either of these locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

AVAST
Right click on the avast! icon in system tray and choose (Stop On-Access Protection)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select to run the Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:
* In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the proxy server again in case you have set it previously.
* In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

You may need several replies to post the requested logs, otherwise they might get cut off.
StanB Posted June 9, 2010

** ComboFix.txt **

ComboFix 10-06-08.02 - Stan Beson 06/08/2010 15:35:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.196 [GMT -7:00]
Running from: c:\documents and settings\Stan Beson\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Stan Beson\g2mdlhlpx.exe
c:\documents and settings\Stan Beson\Recent\ANTIGEN.sys
c:\documents and settings\Stan Beson\Recent\DBOLE.tmp
c:\documents and settings\Stan Beson\Recent\delfile.sys
c:\documents and settings\Stan Beson\Recent\eb.tmp
c:\documents and settings\Stan Beson\Recent\exec.drv
c:\documents and settings\Stan Beson\Recent\exec.sys
c:\documents and settings\Stan Beson\Recent\fix.drv
c:\documents and settings\Stan Beson\Recent\kernel32.exe
c:\documents and settings\Stan Beson\Recent\kernel32.tmp
c:\documents and settings\Stan Beson\Recent\PE.drv
c:\documents and settings\Stan Beson\Recent\PE.sys
c:\documents and settings\Stan Beson\Recent\ppal.dll
c:\documents and settings\Stan Beson\Recent\ppal.tmp
c:\documents and settings\Stan Beson\Recent\runddlkey.sys
c:\documents and settings\Stan Beson\Recent\SICKBOY.exe
c:\documents and settings\Stan Beson\Recent\SM.exe
c:\documents and settings\Stan Beson\Recent\std.sys
c:\documents and settings\Stan Beson\Recent\tjd.tmp
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Tasks\cszsfqcj.job

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.
2010-06-08 14:29 . 2010-06-08 14:29 -------- d-----w- C:\_OTM
2010-06-05 16:44 .
2010-06-05 16:44 -------- d-----w- c:\program files\Trend Micro 2010-06-04 16:28 . 2010-06-04 16:28 -------- d-----w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com 2010-06-04 16:28 . 2010-06-04 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-06-04 16:27 . 2010-06-04 16:27 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-05-31 18:12 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-31 18:12 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-31 18:12 . 2010-05-31 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-31 03:04 . 2010-05-31 17:18 -------- d-----w- c:\program files\Windows Live Safety Center . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-08 14:13 . 2008-06-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2010-06-08 05:20 . 2010-04-12 02:22 -------- d-----w- c:\program files\McAfee 2010-06-08 05:18 . 2010-04-12 02:23 -------- d-----w- c:\program files\Common Files\Mcafee 2010-06-07 23:31 . 2010-06-04 16:28 63488 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-06-07 23:30 . 2010-06-04 16:28 117760 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-06-05 16:44 . 2010-06-05 16:44 388096 ----a-r- c:\documents and settings\Stan Beson\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-06-04 16:28 . 2010-06-04 16:28 52224 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-31 18:13 . 2010-04-11 23:02 -------- d-----w- c:\documents and settings\Stan Beson\Application Data\Malwarebytes 2010-05-31 18:12 . 
2010-04-11 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-05-24 17:36 . 2010-05-24 17:36 503808 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\msvcp71.dll 2010-05-24 17:36 . 2010-05-24 17:36 499712 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\jmc.dll 2010-05-24 17:35 . 2010-05-24 17:35 12800 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-266e04a0-n\decora-d3d.dll 2010-05-24 17:35 . 2010-05-24 17:35 61440 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-266e04a0-n\decora-sse.dll 2010-05-24 17:35 . 2010-05-24 17:35 348160 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\msvcr71.dll 2010-05-22 03:34 . 2005-08-02 06:55 -------- d-----w- c:\program files\Easy Internet signup 2010-05-06 20:59 . 2010-04-25 22:35 165032 ----a-w- c:\windows\system32\aswBoot.exe 2010-05-06 20:39 . 2010-04-25 22:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2010-05-06 20:39 . 2010-04-25 22:36 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys 2010-05-06 20:34 . 2010-04-25 22:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2010-05-06 20:33 . 2010-04-25 22:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2010-05-06 20:33 . 2010-04-25 22:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys 2010-05-06 20:33 . 2010-04-25 22:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2010-05-06 20:33 . 2010-04-25 22:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2010-04-25 22:35 . 2010-04-25 22:35 -------- d-----w- c:\program files\Alwil Software 2010-04-25 22:35 . 
2010-04-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2010-04-24 06:27 . 2010-04-24 06:27 -------- d-----w- c:\program files\Sophos 2010-04-20 15:05 . 2005-08-02 06:30 -------- d-----w- c:\program files\Common Files\Java 2010-04-20 15:03 . 2010-04-20 15:04 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-20 15:03 . 2005-08-02 06:30 -------- d-----w- c:\program files\Java 2010-04-17 05:50 . 2010-04-04 18:43 -------- d-----w- c:\program files\Lavasoft 2010-04-15 03:55 . 2004-08-04 08:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-14 16:47 . 2010-04-25 22:35 38848 ----a-w- c:\windows\system32\avastSS.scr 2010-04-12 02:30 . 2009-06-20 09:15 -------- d-----w- c:\program files\SiteAdvisor 2010-04-11 18:25 . 2005-08-02 06:59 -------- d-----w- c:\program files\Google 2010-04-04 19:12 . 2010-04-04 19:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2008-05-25 00:33 . 2008-05-25 00:32 2725048 ----a-w- c:\program files\FLV PlayerFCSetup.exe 2009-06-17 06:27 . 2009-06-17 06:27 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll 2009-06-17 06:27 . 2009-06-17 06:27 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll 2009-06-17 06:27 . 2009-06-17 06:27 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544] "AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] 
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192] c:\documents and settings\Stan Beson\Start Menu\Programs\Startup\ AutoMailer.lnk - c:\troopmaster software\AutoMailer\AutoMailer.exe [2008-11-19 73728] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-16 82026] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2009-8-6 41051] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program 
Files\\SmartFTP Client 2.0\\SmartFTP.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Hp\\HP Software Update\\hpwuschd2.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3306:TCP"= 3306:TCP:MySQL Server R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 3:36 PM 164048] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656] R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [8/6/2009 3:50 PM 24645] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 3:36 PM 19024] S0 ltiu;ltiu;c:\windows\system32\drivers\vtuijpwj.sys --> c:\windows\system32\drivers\vtuijpwj.sys [?] S2 pciinfo;HP Pci Information;\??\c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?] S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/4/2009 12:11 PM 17432] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C3.tmp --> c:\windows\system32\1C3.tmp [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder 2010-05-22 c:\windows\Tasks\Easy Internet Sign-up.job - c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 18:04] 2007-05-01 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-05-14 09:01] . . ------- Supplementary Scan ------- . 
uStart Page = about:blank uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Stan Beson\Application Data\Mozilla\Firefox\Profiles\qlwmisxj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q= FF - prefs.js: browser.startup.homepage - FF - plugin: c:\documents and settings\Stan Beson\Application Data\Mozilla\Firefox\Profiles\qlwmisxj.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-08 15:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?9?8?7??????? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\1C3.tmp" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . 
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3847439602-4269998751-1323973196-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44034FD7-1AAB-56DE-05376226E3E18762}\{E5927D01-F17A-5508-2A74EFC6C5188D90}\{F4E471EB-CB8D-E257-550ABC7FEB789AD1}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,44,d2,df,
   f1,16,69,51,c7,ad,b1,e3,48,96,f9,66,0c,88,32,22,b8,17,f2,ea,73,0d,08,cb,42,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59FD906B-7064-D511-A92C76967AEA497D}\{7BE5E469-8614-18F7-FB4A2951C2296B41}\{4CE5DCAA-16CA-BCB0-DF1B4E45E77E17F5}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-06-08 15:55:46
ComboFix-quarantined-files.txt 2010-06-08 22:55

Pre-Run: 11,949,334,528 bytes free
Post-Run: 11,932,024,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - AAE48BF598E5E94FF430D2E0EFBC68A0
Juliet Posted June 9, 2010

Welcome back

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

Go to My Computer->Tools->Folder Options->View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck - Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK.
(Remember to Hide files and folders once done)

Please go to: VirusTotal
Click the Browse button and search for the following file: c:\windows\system32\drivers\vtuijpwj.sys
Click Open
Then click Send File
Please be patient while the file is scanned.
Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Next:

Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working. This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::
c:\windows\system32\1C3.tmp
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

Folder::
c:\documents and settings\All Users\Application Data\McAfee
c:\program files\McAfee
c:\program files\Common Files\Mcafee

DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"=-

Driver::
MEMSWEEP2

RegNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44034FD7-1AAB-56DE-05376226E3E18762}\{E5927D01-F17A-5508-2A74EFC6C5188D90}\{F4E471EB-CB8D-E257-550ABC7FEB789AD1}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59FD906B-7064-D511-A92C76967AEA497D}\{7BE5E469-8614-18F7-FB4A2951C2296B41}\{4CE5DCAA-16CA-BCB0-DF1B4E45E77E17F5}*]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:
*In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.

After I see the results of the above logs I will be requesting an online scan.
Also, please give me an update on how the computer is at the moment.

In your next reply post:
File requested scanned
CKFiles.txt
ComboFix.txt

You may need several replies to post the requested logs, otherwise they might get cut off.
StanB Posted June 9, 2010

"Click the Browse button and search for the following file: c:\windows\system32\drivers\vtuijpwj.sys"

That file is not on my computer. I double checked the Folder Options settings to make sure they are set according to your instructions and they are.

Should I complete the other instructions from your last message?

Juliet Posted June 10, 2010

Let's let the file wait for the time being, continue with the other instructions.
StanB Posted June 10, 2010 Author Share Posted June 10, 2010 My computer seems to be working better. Thanks for your assistance. I tried two Google searches and the browser was not redirected when I clicked on the search result links. Also I am now able to access Windows Updates. I will test it more later. ** ckfiles.txt ** CKScanner - Additional Security Risks - These are not necessarily bad c:\program files\ssh communications security\ssh secure shell\ssh-keygen2.exe scanner sequence 3.NA.11 ----- EOF ----- ** ComboFix.txt ** ComboFix 10-06-08.02 - Stan Beson 06/09/2010 22:44:38.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.227 [GMT -7:00] Running from: c:\documents and settings\Stan Beson\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Stan Beson\Desktop\CFScript.txt AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FILE :: "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" "c:\windows\system32\1C3.tmp" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . 
c:\documents and settings\All Users\Application Data\McAfee c:\documents and settings\All Users\Application Data\McAfee\dspwrp\SmartMessaging.db c:\documents and settings\All Users\Application Data\McAfee\MBK\Exceptions.txt c:\documents and settings\All Users\Application Data\McAfee\MBK\MbkUsrPath c:\documents and settings\All Users\Application Data\McAfee\MBK\MonitorInfo.xml c:\documents and settings\All Users\Application Data\McAfee\MBK\UserBindingInfo.xml c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\MISP\mcupdate_1275973752\mcupdate_1275973752000.log c:\documents and settings\All Users\Application Data\McAfee\MSC\Cache\McSubDB.Bak c:\documents and settings\All Users\Application Data\McAfee\MSC\mcini.ini c:\documents and settings\All Users\Application Data\McAfee\MSC\McSubDB.Dat c:\program files\Common Files\Mcafee c:\program files\Common Files\Mcafee\Installer\mcinst.exe c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe c:\program files\McAfee . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MEMSWEEP2 -------\Service_MEMSWEEP2 -------\Legacy_LiveUpdate_Notice_Service -------\Service_LiveUpdate Notice Service ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 ))))))))))))))))))))))))))))))) . 2010-06-08 14:29 . 2010-06-08 14:29 -------- d-----w- C:\_OTM 2010-06-05 16:44 . 2010-06-05 16:44 -------- d-----w- c:\program files\Trend Micro 2010-06-04 16:28 . 2010-06-04 16:28 -------- d-----w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com 2010-06-04 16:28 . 2010-06-04 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-06-04 16:27 . 2010-06-04 16:27 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-05-31 18:12 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-31 18:12 . 
2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-31 18:12 . 2010-05-31 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-31 03:04 . 2010-05-31 17:18 -------- d-----w- c:\program files\Windows Live Safety Center . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-07 23:31 . 2010-06-04 16:28 63488 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-06-07 23:30 . 2010-06-04 16:28 117760 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-06-05 16:44 . 2010-06-05 16:44 388096 ----a-r- c:\documents and settings\Stan Beson\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-06-04 16:28 . 2010-06-04 16:28 52224 ----a-w- c:\documents and settings\Stan Beson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-31 18:13 . 2010-04-11 23:02 -------- d-----w- c:\documents and settings\Stan Beson\Application Data\Malwarebytes 2010-05-31 18:12 . 2010-04-11 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-05-24 17:36 . 2010-05-24 17:36 503808 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\msvcp71.dll 2010-05-24 17:36 . 2010-05-24 17:36 499712 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\jmc.dll 2010-05-24 17:35 . 2010-05-24 17:35 12800 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-266e04a0-n\decora-d3d.dll 2010-05-24 17:35 . 
2010-05-24 17:35 61440 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-266e04a0-n\decora-sse.dll 2010-05-24 17:35 . 2010-05-24 17:35 348160 ----a-w- c:\documents and settings\Stan Beson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16100257-n\msvcr71.dll 2010-05-22 03:34 . 2005-08-02 06:55 -------- d-----w- c:\program files\Easy Internet signup 2010-05-06 20:59 . 2010-04-25 22:35 165032 ----a-w- c:\windows\system32\aswBoot.exe 2010-05-06 20:39 . 2010-04-25 22:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2010-05-06 20:39 . 2010-04-25 22:36 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys 2010-05-06 20:34 . 2010-04-25 22:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2010-05-06 20:33 . 2010-04-25 22:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2010-05-06 20:33 . 2010-04-25 22:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys 2010-05-06 20:33 . 2010-04-25 22:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2010-05-06 20:33 . 2010-04-25 22:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2010-04-25 22:35 . 2010-04-25 22:35 -------- d-----w- c:\program files\Alwil Software 2010-04-25 22:35 . 2010-04-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2010-04-24 06:27 . 2010-04-24 06:27 -------- d-----w- c:\program files\Sophos 2010-04-20 15:05 . 2005-08-02 06:30 -------- d-----w- c:\program files\Common Files\Java 2010-04-20 15:03 . 2010-04-20 15:04 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-20 15:03 . 2005-08-02 06:30 -------- d-----w- c:\program files\Java 2010-04-17 05:50 . 2010-04-04 18:43 -------- d-----w- c:\program files\Lavasoft 2010-04-15 03:55 . 2004-08-04 08:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-14 16:47 . 2010-04-25 22:35 38848 ----a-w- c:\windows\system32\avastSS.scr 2010-04-12 02:30 . 
2009-06-20 09:15 -------- d-----w- c:\program files\SiteAdvisor 2010-04-11 18:25 . 2005-08-02 06:59 -------- d-----w- c:\program files\Google 2010-04-04 19:12 . 2010-04-04 19:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2008-05-25 00:33 . 2008-05-25 00:32 2725048 ----a-w- c:\program files\FLV PlayerFCSetup.exe 2009-06-17 06:27 . 2009-06-17 06:27 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll 2009-06-17 06:27 . 2009-06-17 06:27 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll 2009-06-17 06:27 . 2009-06-17 06:27 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544] "AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common 
Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192] c:\documents and settings\Stan Beson\Start Menu\Programs\Startup\ AutoMailer.lnk - c:\troopmaster software\AutoMailer\AutoMailer.exe [2008-11-19 73728] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-16 82026] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2009-8-6 41051] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] 
"DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Hp\\HP Software Update\\hpwuschd2.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3306:TCP"= 3306:TCP:MySQL Server R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 3:36 PM 164048] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656] R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [8/6/2009 3:50 PM 24645] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2010 3:36 PM 19024] S0 ltiu;ltiu;c:\windows\system32\drivers\vtuijpwj.sys --> c:\windows\system32\drivers\vtuijpwj.sys [?] S2 pciinfo;HP Pci Information;\??\c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?] S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/4/2009 12:11 PM 17432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . 
Contents of the 'Scheduled Tasks' folder 2010-05-22 c:\windows\Tasks\Easy Internet Sign-up.job - c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 18:04] 2007-05-01 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-05-14 09:01] . . ------- Supplementary Scan ------- . uStart Page = about:blank uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Stan Beson\Application Data\Mozilla\Firefox\Profiles\qlwmisxj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q= FF - prefs.js: browser.startup.homepage - FF - plugin: c:\documents and settings\Stan Beson\Application Data\Mozilla\Firefox\Profiles\qlwmisxj.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla 
Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-09 23:01 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?9?8?7??`???? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3847439602-4269998751-1323973196-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . 
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2088)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-06-09 23:09:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-10 06:09
ComboFix2.txt 2010-06-08 22:55

Pre-Run: 11,887,575,040 bytes free
Post-Run: 11,746,635,776 bytes free

- - End Of File - - A9F7AC70FA03408D53530A5631C5A966
Juliet Posted June 10, 2010

"My computer seems to be working better. Thanks for your assistance. I tried two Google searches and the browser was not redirected when I clicked on the search result links. Also I am now able to access Windows Updates."

Good deal

c:\program files\ssh communications security\ssh secure shell\ssh-keygen2.exe

Forum Policy
I strongly suggest you remove any cracked software that is installed, we do not approve nor will we provide support in the future for problems produced because of illegal software.

Double click on OTM.exe to run it.
Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
c:\windows\system32\drivers\vtuijpwj.sys
:services
ltiu
:Commands
[purity]
[emptytemp]
[Reboot]

Click on MoveIt!
When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, so please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224
Other available links: Kaspersky Online Scanner or from here http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
OTM log
Kaspersky log

You may need several replies to post the requested logs, otherwise they might get cut off.
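An added example, not part of the original thread and not ComboFix's own code: a small triage script for the driver/service lines in the ComboFix logs above, which is where the `ltiu` entry targeted by the OTM script first shows up. It assumes the line layout seen in those logs, that the digit after R/S is the Windows service Start value, and that `[?]` means the image file could not be read; the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Driver/service lines copied verbatim from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2010 3:36 PM 164048]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [8/6/2009 3:50 PM 24645]
S0 ltiu;ltiu;c:\windows\system32\drivers\vtuijpwj.sys --> c:\windows\system32\drivers\vtuijpwj.sys [?]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\STANBE~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [12/4/2009 12:11 PM 17432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C3.tmp --> c:\windows\system32\1C3.tmp [?]
"""

# Windows service Start values; mapping the log digit to them is an assumption.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# <R|S><start> name;display;path [--> resolved path] [metadata or ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class Entry:
    running: bool      # R = running, S = stopped
    start: int         # 0..4, see START_TYPES
    name: str          # service key name
    path: str          # normalized image path
    unresolved: bool   # True when the log shows [?] instead of date/size


def normalize(path):
    """Drop the NT object-manager prefix (\\??\\) and lower-case the path."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse(log):
    """Return an Entry for every line that matches the driver/service layout."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a driver/service line
        entries.append(Entry(
            running=m["state"] == "R",
            start=int(m["start"]),
            name=m["name"].strip(),
            path=normalize(m["resolved"] or m["path"]),
            unresolved=m["meta"].strip() == "?",
        ))
    return entries


def reasons_for(entry):
    """List why an entry deserves a manual look; empty list means no flag."""
    reasons = []
    if entry.unresolved:
        reasons.append("image file could not be read ([?])")
        if entry.start == 0:
            reasons.append("boot-start driver whose image is missing or hidden")
    filename = entry.path.rsplit("\\", 1)[-1]
    if "\\temp\\" in entry.path or filename.endswith(".tmp"):
        reasons.append("image lives in a temp folder or has a .tmp extension")
    return reasons


def triage(entries):
    """Return (entry, reasons) pairs for flagged entries, earliest-loading first."""
    flagged = [(e, reasons_for(e)) for e in entries]
    flagged = [(e, r) for e, r in flagged if r]
    flagged.sort(key=lambda pair: pair[0].start)
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(parse(SAMPLE_LOG)):
        state = "running" if entry.running else "stopped"
        print(f"{entry.name} ({START_TYPES[entry.start]}, {state}): {entry.path}")
        for reason in reasons:
            print(f"    - {reason}")
```

A hit is a lead for manual review, not a verdict: in this thread only `ltiu` and `MEMSWEEP2` were removed, while the `pciinfo` entry was left alone.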
StanB Posted June 10, 2010

I will be away from my computer and the Internet for the next two days. As soon as I get back I will continue. Thanks very much for all your help.

StanB Posted June 12, 2010

"c:\program files\ssh communications security\ssh secure shell\ssh-keygen2.exe
Forum Policy
I strongly suggest you remove any cracked software that is installed, we do not approve nor will we provide support in the future for problems produced because of illegal software."

Was this file damaged by the virus? It is part of the FTP program I use for my school work that was recommended by my college. It is a non-commercial, non-expiring version and it was a free download when I installed it. I do not use it for commercial purposes per the license agreement. Please advise me what to do.

StanB Posted June 12, 2010

"*Note It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time."

Is it okay to leave the firewall enabled while the Kaspersky Online Scanner runs?

Juliet Posted June 12, 2010

"Was this file damaged by the virus? It is part of the FTP program I use for my school work that was recommended by my college. It is a non-commercial, non-expiring version and it was a free download when I installed it. I do not use it for commercial purposes per the license agreement. Please advise me what to do."

No, the file has not been damaged. It was flagged by that tool because it had Keygen in the file name. It's odd that if it was recommended it would have to have a keygen to keep the software running.
If it's needed and a legal program for college, and not flagged by other scanners as infected, then leave it on the computer.

"Is it okay to leave the firewall enabled while the Kaspersky Online Scanner runs?"

After the scan has downloaded all definitions and the firewall hasn't flagged anything,.....should be fine to leave it running.
StanB (Author) Posted June 12, 2010 (edited)

I did not disable my virus protection before I ran OTM.exe. I hope that was not a mistake. While OTM.exe ran, Avast! moved a file. Here is the report.

6/12/2010 8:52:36 AM C:\Program Files\Apoint2K\Apoint.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, June 12, 2010 8:55:30 AM
*

** start 06122010_085216.log **
All processes killed
========== FILES ==========
File/Folder c:\windows\system32\drivers\vtuijpwj.sys not found.
========== SERVICES/DRIVERS ==========
Service ltiu stopped successfully!
Service ltiu deleted successfully!
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2936317 bytes
User: NetworkService
->Temp folder emptied: 98304 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 1036 bytes
User: PHP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Stan Beson
->Temp folder emptied: 9606631 bytes
->Temporary Internet Files folder emptied: 6907285 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 55931122 bytes
->Flash cache emptied: 558 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9448 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2789376 bytes
Total Files Cleaned = 75.00 mb
OTM by OldTimer - Version 3.1.12.2 log created on 06122010_085216
Files moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_204.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
** end 06122010_085216.log **

Using Internet Explorer, visit http://www.kaspersky...n=1260122209224

There is a problem running the Kaspersky Online Scanner using IE 6.0. It looks like I can run it using Firefox. Should I use Firefox or upgrade IE? I use IE 6.0 on this computer to test for web page browser compatibility problems, but if I need to upgrade to solve this virus problem I will do it.

(edited to correct misspelled word)

Edited June 12, 2010 by StanB
Juliet Posted June 12, 2010

Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419

I use IE 6.0 on this computer to test for web page browser compatibility problems, but if I need to upgrade to solve this virus problem I will do it.

In time you may want to consider upgrading IE to cover exploits and vulnerabilities.
StanB (Author) Posted June 13, 2010

Or use Firefox with IE-Tab plugin https://addons.mozil...efox/addon/1419

There is an updated version that works with Firefox 3.6, however I updated IE instead of installing it. IE Tab 2 https://addons.mozil...ox/addon/92382/

In time you may want to consider upgrading IE to cover exploits and vulnerabilities.

I installed IE 8, but that did not fix the problem. For some reason there is a problem with Java in IE when I access the Kaspersky Online Scanner. "Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later." Java version 1.6.0_20 is installed on the computer. I checked the settings in IE and the Java Control Panel.

The following are listed in Add or Remove Programs window:
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 20
Java™ 6 Update 5
Java™ 6 Update 7

The C:\Program Files\Java folder has the following folders:
jre1.5.0_04
jre1.5.0_09
jre1.6.0_05
jre1.6.0_07
jre6

I will try to uninstall Java and reinstall it again. Do you have any other suggestions?
Juliet Posted June 13, 2010

Kaspersky generally works with Firefox, have you updated to the latest version?

Forget Kaspersky, we'll try a different scanner.

You can use either Internet Explorer or Mozilla FireFox for this scan.

Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on:
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on:
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
StanB (Author) Posted June 14, 2010

Kaspersky generally works with Firefox, have you updated to the latest version?

Yes, I have version 3.6.3 of Firefox. It looks like Kaspersky will run in Firefox on my computer, but I have not tried it yet.

** C:\Program Files\ESET\EsetOnlineScanner\log.txt **
[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fd2e2b1da701db498934a2ef48c87765
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-14 05:02:51
# local_time=2010-06-13 10:02:51 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777175 100 0 4170448 4170448 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=616
# found=0
# cleaned=0
# scan_time=25
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fd2e2b1da701db498934a2ef48c87765
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-14 09:28:43
# local_time=2010-06-14 02:28:43 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777191 100 0 4176191 4176191 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=126272
# found=1
# cleaned=0
# scan_time=10228
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP700\A0111066.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
Juliet Posted June 15, 2010

OK, this scan actually looks good. Let's go ahead with final clean up and send you on your way.

Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box
Start > Run & typing in ComboFix /Uninstall
Note the space between the x and the /U, it needs to be there.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTC by OldTimer and save it to your desktop.
Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
Then Click the big button.
You will get a prompt saying "Begin Cleanup Process". Please select Yes.
Restart your computer when prompted.

~~~~~~~~~~~~~~~~~~~~~~~~~~

You're good to go, good job! Please take the time to read over a few of my preventive tips.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

WOT
Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware - Please note that these products can also be run as free without a license as a scan on demand scanner.

Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups. Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P
P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place.
Secure My Computer: A Layered Approach
Strong passwords: How to create and use them
Free Antivirus-AntiSpyware-Firewall Software
Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
Slow Computer May Not Be Malware Related, Help! My computer is slow! http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
PC Safety and Security--What Do I Need? http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html
Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference! This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
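Added example, not part of the thread or of ESET's tooling: a small parser for the ESET Online Scanner log posted above that checks whether each run finished with the options requested in the instructions, and whether any detection lies outside a System Restore snapshot folder. The embedded log is constructed from the posted one, trimmed and put back one entry per line; the field separators and the names `parse_runs`, `triage` and `WANTED` are assumptions.

```python
import re
# Constructed sample: both runs from the posted log, trimmed to the fields used
# here and restored to one entry per line (separators are an assumption).
SAMPLE_LOG = r"""# version=7
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# found=0
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# found=1
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP700\A0111066.sys Win32/Olmarik.ZC trojan """ + "0" * 32 + " I\n"

WANTED = {"remove_checked": "false", "archives_checked": "true", "unwanted_checked": "true",
          "unsafe_checked": "true", "antistealth_checked": "true"}  # options asked for in the thread
HIT = re.compile(r"^(?P<path>.+?)\s+(?P<threat>\S+/\S+(?: \w+)?)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")
RESTORE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)

def parse_runs(text):
    """Split the log into runs: '# key=value' fields plus the detection lines that follow."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# version="):       # every run opens with its version field
            runs.append({"fields": {}, "hits": []})
        if not runs:
            continue                            # installer lines before the first run
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            runs[-1]["fields"][key] = value
        elif (m := HIT.match(line)):
            where = "restore-point copy" if RESTORE.search(m["path"]) else "live file system"
            runs[-1]["hits"].append({**m.groupdict(), "where": where})
    return runs

def triage(run):
    """Report whether a run is usable as evidence and which detections are live files."""
    f = run["fields"]
    wrong = sorted(k for k, v in WANTED.items() if f.get(k) != v)
    live = [h["path"] for h in run["hits"] if h["where"] == "live file system"]
    return {"complete": f.get("end") == "finished", "wrong_options": wrong,
            "count_matches": int(f.get("found", -1)) == len(run["hits"]), "live_hits": live}
```
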