
Infected, yet no infections found



Hi, I'm hoping you can help me. I usually use MBAM and it takes care of any problems I have, but now I have something new.

I've been experiencing browser redirects when using Google through Firefox and browser crashes with both Firefox and Internet Explorer. Windows Security Center has also been popping up telling me my firewall is off. I went through the control panel to see what the settings were and it's indeed off. When I try to turn it back on, it turns off again a little later. Also, all of my restore points appear to be gone now.

I went to MBAM to run a scan, but it will not let me update. When I try, the program crashes and closes. I ran a scan without updates and it found nothing. I then ran a Spybot Search and Destroy scan and again, nothing showed up. I checked Firefox again and I still get redirects when I search. So then I went to Avast and tried to update before scanning, and it wouldn't let me update that either. I ran a thorough scan with Avast anyway, without updating, and it also found nothing.

I've taken a look at my HijackThis log, but I can't see anything out of the ordinary.

If anyone can give me a clue what nasty piece of work I might have picked up, I'd be thankful.

Here are my MBAM and HJT logs (without the latest update in MBAM's case, because I cannot get it to update without crashing).

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 3

4/1/2009 9:13:26 PM

mbam-log-2009-04-01 (21-13-26).txt

Scan type: Quick Scan

Objects scanned: 76814

Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:14:02 PM, on 4/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\svchost.exe

c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\wscntfy.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\HP_Administrator\My Documents\Malware Removal Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.trymedia.com (HKLM)

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax4507.cab

O20 - AppInit_DLLs: tezjec.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 13157 bytes


  • Staff

Hi,

Since I'm pretty sure you can't run regedit, download Registrar Manager:

http://www.resplendence.com/download/rrtri.exe

Install it and launch it.

In the address field at the top of Registrar Manager, enter:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

This will highlight/select the key "Drivers32" on the left.

Right-click that key and select "Export".

See the image below for how it should look: drivers32.gif

Save the export to your desktop. Registrar Manager saves it by default as regfile.reg, so that file should be on your desktop now.

Right-click that file (regfile.reg) and select Edit. This will open it in Notepad.

Copy and paste its contents in your next reply.


Thank you for the reply!

Here's what you requested.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"VIDC.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"VIDC.IYUV"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"VIDC.UYVY"="msyuv.dll"

"VIDC.YUY2"="msyuv.dll"

"VIDC.YVU9"="tsbyuv.dll"

"VIDC.YVYU"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"

"wave"="wdmaud.drv"

"midi"="wdmaud.drv"

"mixer"="wdmaud.drv"

"aux"="wdmaud.drv"

"vidc.LEAD"="LCODCCMP.DLL"

"vidc.yv12"="DivX.dll"

"VIDC.MJPG"="Pvmjpg30.dll"

"VIDC.PIM1"="pclepim1.dll"

"MSVideo8"="VfWWDM32.dll"

"wave1"="wdmaud.drv"

"mixer1"="wdmaud.drv"

"vidc.DIVX"="DivX.dll"

"vidc.XVID"="xvidvfw.dll"

"vidc.mpg4"="mpg4c32.dll"

"vidc.mp42"="mpg4c32.dll"

"vidc.mp43"="mpg4c32.dll"

"wave2"="wdmaud.drv"

"mixer2"="wdmaud.drv"

"wave3"="wdmaud.drv"

"mixer3"="wdmaud.drv"

"wave4"="wdmaud.drv"

"mixer4"="wdmaud.drv"

"wave5"="wdmaud.drv"

"mixer5"="wdmaud.drv"

"aux2"="C:\\WINDOWS\\system32\\..\\grnoau.ene"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]

"wave"="rdpsnd.dll"

"mixer"="rdpsnd.dll"

"MaxBandwidth"=dword:000056b9

"wavemapper"="msacm32.drv"

"EnableMP3Codec"=dword:00000001

"midimapper"="midimap.dll"


  • Staff

Hi,

I want a sample of it first, so navigate to and zip up the following file:

C:\Windows\grnoau.ene

To zip the file, right-click it and select Send to > zipped folder.

This will create the zipped folder grnoau.

Then go here: http://www.malwarebytes.org/forums/index.php?showforum=55

Start a new thread there (for example, for miekiemoes). Post the URL of this thread and attach the zipped grnoau there.

Let me know once you've done that.

Then we'll start with removal (want to have a sample first) :)


  • Staff

Thank you for the file. Detection for this newest variant was added 10 mins ago, but since you can't update MBAM anyway, you'll have to perform the following instead:

* Open HijackThis, click 'Config' (bottom right)

Choose the tab 'misc Tools' on top.

Choose 'delete a file on reboot'

In the field, copy and paste next:

C:\Windows\grnoau.ene

Click open.

HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.

Your system should reboot now.

Then open Notepad and copy and paste the contents of the quote box below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux2"="wdmaud.drv"

Save this as fix.reg. Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Let me know in your next reply how things are now.
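
As an added example (not part of the original thread and not a Malwarebytes tool), this sketch parses a REGEDIT4 export of the Drivers32 key and flags the kind of value seen above: the `aux2` entry whose path resolves out of system32 to the file the helper asked for. The system32 path and the list of expected extensions are assumptions drawn from the legitimate entries in the posted export; the sample input is an excerpt of that export.

```python
import ntpath
import re

# Key the helper asked to have exported (compared case-insensitively).
DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"
# Assumptions: default XP system directory, and the extensions carried by the
# legitimate codec/driver entries in the export posted in the thread.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_EXTS = {".dll", ".drv", ".acm", ".ax"}

# "name"="data" with .reg escaping (\\ and \") allowed inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Excerpt of the export posted in the thread, including one RDP subkey.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"aux"="wdmaud.drv"
"vidc.LEAD"="LCODCCMP.DLL"
"aux2"="C:\\WINDOWS\\system32\\..\\grnoau.ene"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''


def unescape(s):
    """Undo .reg string escaping: a backslash followed by any character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a REGEDIT4 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)   # dword and other non-string values do not match
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def audit_drivers32(text):
    """Return (name, data, resolved_path, reasons) for suspicious Drivers32 values."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() != DRIVERS32:   # subkeys such as Terminal Server\RDP are skipped
            continue
        reasons = []
        if ".." in data.replace("/", "\\").split("\\"):
            reasons.append("path traversal")
        resolved = ntpath.normpath(data)   # collapses system32\..\ to the real location
        if ntpath.isabs(resolved) and ntpath.dirname(resolved).lower() != SYSTEM32:
            reasons.append("resolves outside system32")
        ext = ntpath.splitext(resolved)[1].lower()
        if ext not in EXPECTED_EXTS:
            reasons.append("unexpected extension " + ext)
        if reasons:
            findings.append((name, data, resolved, reasons))
    return findings


if __name__ == "__main__":
    for name, data, resolved, reasons in audit_drivers32(SAMPLE):
        print(f"{name}: {data} -> {resolved} ({', '.join(reasons)})")
```
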


Thank you! So fast! :)

I did what you told me to, and I tried to update MBAM and it was successful! I was also able to update Avast as well. I also did a few random web searches and so far, no more redirects. The Windows Security Alerts was still saying my firewall was off, so I went back through the control panel and turned it back on. So far, so good. It hasn't gone off yet.


Good to hear. :)

It should be OK now. Any idea how you got infected? From where? This is because you'll get infected with this one via legitimate sites (injected script). Any idea what site?

Thank you so much for all of your help!

I'm actually a little embarrassed to say where I think I got it from. No, not a porn site :) , but a Russian site about an old, cancelled soap opera, Santa Barbara, that I listened to music clips from the show on. I'm a "closeted" soap fan, you see. :) I visited the site one day last week and that day my Avast went crazy. It said it had deleted the virus it detected, but I guess it didn't.

I'm going to install no-script to keep that from happening again and I won't be going back to it anytime soon.


Ok, thanks for the feedback :)

It may be a good idea to contact the website owner there, because I'm pretty sure s(he) is not aware of the fact that the site got compromised.

Ok, thank you I will.

I just noticed my firewall blinked off again (I got the balloon message that no firewall is turned on). Any ideas why it might be doing this, or any suggestions for a better firewall than just the Windows one?


  • Staff

I see this leftover in your HijackThis log:

O20 - AppInit_DLLs: tezjec.dll

So check that entry and fix it.

Not sure about the firewall notification, but that could be caused by your Avast. I have seen that before.

However, I want to double-check whether there's still something lurking here (from a previous infection you were dealing with), so please do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Combofix log as requested!

ComboFix 09-04-01.01 - HP_Administrator 2009-04-03 10:41:29.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.382 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090403-0] *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))

.

2009-04-03 08:50 . 2009-04-03 08:50 <DIR> d-------- c:\program files\Registrar Registry Manager

2009-04-03 08:50 . 2009-01-20 12:52 31,928 --a------ c:\windows\system32\rrMon.sys

2009-04-01 13:43 . 2009-04-01 15:53 <DIR> d-------- c:\windows\BDOSCAN8

2009-03-30 16:18 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2009-03-21 01:10 . 2009-03-21 01:10 <DIR> d-------- c:\program files\CCleaner

2009-03-21 01:10 . 2009-03-21 01:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-14 03:21 . 2009-03-15 21:40 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2009-03-14 03:21 . 2009-03-14 03:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-11 06:09 . 2009-03-11 06:09 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\eGames

2009-03-11 06:09 . 2009-03-11 06:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\eGames

2009-03-11 06:07 . 2009-03-11 06:07 <DIR> d-------- c:\windows\Satisfashion

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-03 15:38 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\DNA

2009-04-03 15:34 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\BitTorrent

2009-04-03 14:28 --------- d-----w c:\program files\DNA

2009-04-02 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-04-01 19:01 --------- d--h--w c:\documents and settings\HP_Administrator\Application Data\Move Networks

2009-03-30 21:18 --------- d-----w c:\program files\Panda Security

2009-03-30 16:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-26 21:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 21:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-21 06:12 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-16 19:22 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Any Video Converter

2009-03-13 06:29 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-12 08:59 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\dvdcss

2009-03-11 01:02 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-03-07 08:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-06 02:12 --------- d-----w c:\program files\Google

2009-02-25 06:12 --------- d-----w c:\documents and settings\All Users\Application Data\SpinTop Games

2009-02-21 07:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\SpinTop Games

2009-02-14 16:25 --------- d-----w c:\program files\Bonjour

2009-02-13 11:24 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Jetsetter

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-07 05:33 --------- d-----w c:\program files\Gabest

2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2008-03-03 18:45 252 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2005-05-13 22:12 217,073 --sha-r c:\windows\meta4.exe

2005-10-24 16:13 66,560 --sha-r c:\windows\MOTA113.exe

2005-10-14 02:27 422,400 --sha-r c:\windows\x2.64.exe

2006-09-17 09:05 22 --sha-w c:\windows\SMINST\HPCD.sys

2005-10-08 00:14 308,224 --sha-r c:\windows\system32\avisynth.dll

2005-07-14 17:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll

2005-06-26 20:32 616,448 --sha-r c:\windows\system32\cygwin1.dll

2005-06-22 03:37 45,568 --sha-r c:\windows\system32\cygz.dll

2004-01-25 05:00 70,656 --sha-r c:\windows\system32\i420vfw.dll

2006-04-27 15:24 2,945,024 --sha-r c:\windows\system32\Smab.dll

2005-02-28 18:16 240,128 --sha-r c:\windows\system32\x.264.exe

2004-01-25 05:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 4.27.21.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-01 18:43:38 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll

+ 2009-04-01 18:43:38 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll

+ 2009-04-01 18:43:38 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll

+ 2009-04-01 18:43:40 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll

+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll

+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll

+ 2009-04-01 18:43:40 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll

+ 2009-04-01 18:43:38 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll

+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe

+ 2008-06-30 15:39:58 128,256 ----a-w c:\windows\Downloaded Program Files\as2stubie.dll

+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll

+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll

- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe

+ 2009-02-25 17:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe

+ 2009-01-20 17:52:46 120,376 ----a-w c:\windows\system32\rrsec.dll

+ 2009-01-20 17:52:42 97,888 ----a-w c:\windows\system32\rrsec2k.exe

+ 2009-04-03 14:28:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_56c.dat

+ 2009-04-03 14:27:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_62c.dat

+ 2009-04-03 14:27:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7b8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]

"PMCS"="c:\program files\Pinnacle\Shared Files\\Programs\MediaCenterService\PMC.Service.Main.exe" [2006-06-08 65536]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-06 342848]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 185896]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]

"PMCRemote"="c:\program files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2006-06-08 90112]

"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

"nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe]

"ledpointer"="CNYHKey.exe" [2004-03-03 c:\windows\CNYHKey.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-06 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-06-16 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"mW[


  • Staff

Hi,

Only a small leftover.

Open Notepad and copy and paste the contents of the quote box below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as fix.reg. Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Also, from what I can see here, your Windows firewall is set to disabled and I see an odd value present there as well with an unrecognised character set.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"mW[


Hi miekiemoes!

I did as you told me to with fix.reg with no problems and I was also able to delete the odd character set with no problems.

I downloaded and installed Comodo Firewall Protection with no problems.

Also, uninstalled Combo Fix with no problems.

I can't say thank you enough!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
