
user protection



I have followed as many steps as I can find to fix the User Protection stuff on my computer, but when I do run the program (only in safe mode) I get the error 732 (12007, 0) and can't fix it with the proxy settings or by running the provided code.

Help please?

thx in advance


I have an infection. The User Protection ads keep popping up, and I can't use the net because it always directs me to other sites. I am using another computer to inquire. So after some searching I found this mbam-exe was the solution to getting rid of the User Protection infection. So I downloaded the program onto a USB stick, and have been able to get a scan to run while in safe mode, but it won't update prior to running the scan, and it's not finding the User Protection stuff to remove it?

I set my internet to automatically detect, but still get error code 732 (12001, 0).

How do I get rid of this User Protection?

Hi,

Are you dealing with an actual infection, or is this just an issue of updating?


Also, pursuant to advice on a similar thread, I did this:

Error 732 pertains to a potential connection issue.

First try this:

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

See if the error persists.

-screen317

But also, in order to complete step 5, I have to start up in safe mode.

What's my next step?


Also, this looked like it was advised for others with potentially similar problems, so I downloaded DDS and here are the logs:

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL

Run by HP_Administrator at 7:40:06.57 on Mon 03/22/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.764 [GMT -5:00]

AV: User Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [diskperfxp.exe] c:\docume~1\hp_adm~1\locals~1\temp\diskperfxp.exe

uRun: [user Protection] "c:\program files\user protection\usrprot.exe" -noscan

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PCDrProfiler]

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2006\pccguide.exe"

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [DISCover] c:\program files\disc\DISCover.exe nogui

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll

Trusted Zone: trymedia.com

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.tscmaps.com/shared/viewer/mgaxctrl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159647648046

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\9wm9jqnu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-9 135664]

S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-9-26 202768]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-9-28 340037]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-9-12 630845]

S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-9-26 35856]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-9-12 286788]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-3-6 16512]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-8-30 39048]

S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]

=============== Created Last 30 ================

2010-03-22 12:35:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-22 12:35:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-22 12:35:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-22 02:11:54 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes

2010-03-21 23:06:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-21 21:22:09 4716 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll

2010-03-21 18:32:47 0 d-----w- c:\program files\User Protection

2010-03-21 18:23:37 1597 ----a-w- c:\windows\system32\_VOIDmfeklnmal.dll

2010-03-21 18:22:38 10371 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmainqt.dll

2010-03-21 18:22:27 49152 ----a-w- c:\windows\system32\_VOIDmpgoskbdsd.dll

2010-03-21 18:22:25 49152 ----a-w- c:\windows\system32\_VOIDvpnrbmvyfg.dll

2010-03-21 18:22:11 189 ----a-w- c:\windows\system32\_VOIDffdgangaxa.dat

2010-03-21 18:22:09 29696 ----a-w- c:\windows\system32\_VOIDfhlxgcnlem.dll

2010-03-21 18:22:04 0 d-----w- c:\windows\_VOIDnstrpqdwoj

2010-03-06 19:53:42 0 d-----w- c:\docume~1\hp_adm~1\applic~1\AVS4YOU

2010-03-06 19:52:22 0 d-----w- c:\program files\common files\AVSMedia

2010-03-06 19:50:33 24576 ----a-w- c:\windows\system32\msxml3a.dll

2010-03-06 19:50:33 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU

2010-03-06 19:16:12 45056 ----a-w- c:\windows\system32\WNASPI32.DLL

2010-03-06 19:16:12 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS

2010-03-06 19:01:57 87608 ----a-w- c:\docume~1\hp_adm~1\applic~1\inst.exe

2010-03-06 19:01:57 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-03-06 19:01:57 47360 ----a-w- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys

2010-03-06 18:54:30 0 d-----w- c:\documents and settings\hp_administrator\.dvdcss

2010-03-06 18:53:47 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Digiarty

2010-03-06 18:53:40 0 d-----w- c:\program files\Digiarty

==================== Find3M ====================

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2006-08-09 03:23:43 22 --sha-w- c:\windows\sminst\HPCD.sys

2009-02-12 23:33:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021220090213\index.dat

============= FINISH: 7:40:43.12 ===============

THANKS AGAIN IN ADVANCE
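As an added example (not part of this thread, and not code from DDS, ComboFix or Malwarebytes), the script below shows how an analyst can triage a DDS report like the one above by machine instead of by eye. It flags the three patterns that stand out in this log: an "AV:" product that is not a recognised vendor (the rogue "User Protection"), autorun entries that launch from a temp directory or belong to that unrecognised product, and freshly created files whose names look machine-generated (the `_VOID` prefix, or a long vowel-poor stem) or that sit loose in a profile data root. The sample report lines, the vendor allowlist and the name heuristic are constructed for the example and are assumptions, not DDS conventions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the DDS report format, modelled on entries from the
# log posted above (AV lines, uRun/mRun autoruns, "Created Last 30" files).
SAMPLE_DDS = r"""
AV: User Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [diskperfxp.exe] c:\docume~1\hp_adm~1\locals~1\temp\diskperfxp.exe
uRun: [user Protection] "c:\program files\user protection\usrprot.exe" -noscan
mRun: [ehTray] c:\windows\ehome\ehtray.exe
2010-03-22 12:35:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 21:22:09 4716 ----a-w- c:\docume~1\alluse~1\applic~1\fiosejgfse.dll
2010-03-21 18:23:37 1597 ----a-w- c:\windows\system32\_VOIDmfeklnmal.dll
2010-03-21 18:22:04 0 d-----w- c:\windows\_VOIDnstrpqdwoj
"""

AUTORUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (?P<attrs>\S+) (?P<path>.+)$")
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*")

# Constructed allowlist of AV vendors the analyst recognises (an assumption);
# any other product reported under "AV:" gets a second look.
KNOWN_AV = ("trend micro", "malwarebytes")
TEMP_DIRS = ("temp", "tmp")
DATA_ROOTS = ("applic~1", "application data")  # e.g. All Users\Application Data


def image_path(cmd: str) -> str:
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: the _VOID prefix seen in the
    log above, or a long all-letter stem with fewer than 25% vowels."""
    stem = PureWindowsPath(name).stem.lower()
    if stem.startswith("_void"):
        return True
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def triage(report: str):
    """Return (line, reason) pairs for entries that deserve analyst attention."""
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    rogue, findings = [], []
    # Pass 1: unrecognised "AV:" products, remembered for cross-referencing.
    for line in lines:
        if m := AV_RE.match(line):
            product = m["product"].lower()
            if not any(v in product for v in KNOWN_AV):
                rogue.append(product)
                findings.append((line, "unrecognised AV product (possible rogue)"))
    # Pass 2: autoruns and newly created files.
    for line in lines:
        if m := AUTORUN_RE.match(line):
            image = PureWindowsPath(image_path(m["cmd"]))
            parts = [p.lower() for p in image.parts]
            haystack = (m["name"] + " " + str(image)).lower()
            if any(p in TEMP_DIRS for p in parts):
                findings.append((line, "autorun launches from a temp directory"))
            elif any(r in haystack for r in rogue):
                findings.append((line, "autorun belongs to the unrecognised AV product"))
            elif looks_random(image.name):
                findings.append((line, "autorun image has a random-looking name"))
        elif m := CREATED_RE.match(line):
            path = PureWindowsPath(m["path"])
            if looks_random(path.name):
                findings.append((line, "newly created entry with random-looking name"))
            elif path.parent.name.lower() in DATA_ROOTS and path.suffix.lower() in (".dll", ".exe"):
                findings.append((line, "loose DLL/EXE dropped directly in a profile data root"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DDS):
        print(f"[{reason}] {line}")
```

Run on the sample it reports six entries and stays silent on ctfmon.exe, ehtray.exe and mbam.sys. The heuristics are deliberately conservative: a vowel-poor stem alone would miss `fiosejgfse.dll`, which is why the second rule (a bare DLL dropped straight into a profile data root) exists; in practice a finding is a prompt for the analyst to look, not a verdict.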


I tried to follow the instructions, but they say to download ComboFix directly onto the desktop, and I cannot access any websites on the infected computer. When I downloaded ComboFix to a USB drive and moved it over onto the desktop, it didn't work? Any suggestions?

Thanks in advance


  • Staff

What do you mean it didn't work?

Try it again, except download it from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before you transfer it, rename it to dsm02f.com

When you transfer it, transfer it to the Desktop, but don't double-click it.

Click Start --> Run, and enter this command:

"%userprofile%\desktop\dsm02f.com" /killall

Press OK and see if it runs now.

-screen317


YAYYYYYYYYYYY - I am responding from my computer that was infected, so I hope that means we are fixed.

But here is my log. Do you need the other DDS log also to be sure?

You guys are awesome. Who do I donate to, or will buying y'all's product suffice?

ComboFix 10-03-22.02 - DM1 03/22/2010 18:59:15.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.632 [GMT -5:00]

Running from: c:\documents and settings\DM1\Desktop\dsm02f.com.exe

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll

c:\documents and settings\All Users\Application Data\fiosejgfse.dll

c:\program files\User Protection

c:\program files\User Protection\about.ico

c:\program files\User Protection\activate.ico

c:\program files\User Protection\buy.ico

c:\program files\User Protection\help.ico

c:\program files\User Protection\scan.ico

c:\program files\User Protection\settings.ico

c:\program files\User Protection\splash.mp3

c:\program files\User Protection\uninstall.exe

c:\program files\User Protection\update.ico

c:\program files\User Protection\usr.db

c:\program files\User Protection\usrext.dll

c:\program files\User Protection\usrhook.dll

c:\program files\User Protection\usrprot.exe

c:\program files\User Protection\virus.mp3

c:\windows\system32\_VOIDffdgangaxa.dat

c:\windows\system32\_VOIDfhlxgcnlem.dll

c:\windows\system32\_VOIDmfeklnmal.dll

c:\windows\system32\_VOIDmpgoskbdsd.dll

c:\windows\system32\_VOIDvpnrbmvyfg.dll

c:\windows\system32\drivers\_VOIDqbxicjhiof.sys

D:\Autorun.inf

J:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service__VOIDd.sys

-------\Legacy__VOIDd.sys

-------\Service__VOIDnstrpqdwoj

-------\Legacy__VOIDnstrpqdwoj

-------\Legacy_IPRIP

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))

.

2010-03-22 13:36 . 2010-03-22 13:36 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-22 12:35 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-22 12:35 . 2010-03-22 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-22 12:35 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-22 03:17 . 2010-03-22 03:17 -------- d-----w- c:\documents and settings\DM1\Local Settings\Application Data\Mozilla

2010-03-22 03:14 . 2010-03-22 03:14 -------- d-----w- c:\documents and settings\DM1\Application Data\Malwarebytes

2010-03-21 23:06 . 2010-03-21 23:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-21 23:06 . 2010-03-22 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-21 23:05 . 2010-03-21 23:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-21 21:38 . 2010-03-21 21:38 -------- d-----w- c:\documents and settings\DM1\Local Settings\Application Data\ATI

2010-03-21 21:38 . 2010-03-21 21:38 -------- d-----w- c:\documents and settings\DM1\Application Data\ATI

2010-03-21 21:38 . 2010-03-21 21:38 -------- d-----w- c:\documents and settings\DM1\Application Data\HP

2010-03-21 18:22 . 2010-03-21 18:22 -------- d-----w- c:\windows\_VOIDnstrpqdwoj

2010-03-17 17:10 . 2010-03-17 17:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI

2010-03-06 19:52 . 2010-03-06 19:53 -------- d-----w- c:\program files\Common Files\AVSMedia

2010-03-06 19:52 . 2010-03-06 19:52 -------- d-----w- c:\windows\system32\drivers\umdf

2010-03-06 19:50 . 2010-03-06 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU

2010-03-06 19:50 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll

2010-03-06 19:16 . 2002-07-17 15:03 45056 ----a-w- c:\windows\system32\WNASPI32.DLL

2010-03-06 19:16 . 2002-07-17 14:05 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS

2010-03-06 19:01 . 2010-03-06 19:01 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-03-06 18:53 . 2010-03-06 18:53 -------- d-----w- c:\program files\Digiarty

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-22 23:48 . 2006-06-16 04:45 -------- d-----w- c:\program files\DISC

2010-03-21 21:23 . 2006-06-16 04:45 65984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-21 20:56 . 2007-04-30 19:24 -------- d-----w- c:\program files\Petersons

2010-03-21 20:53 . 2008-07-03 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-03-21 20:53 . 2008-07-03 20:49 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-03-21 20:53 . 2006-06-16 04:33 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-03-21 20:34 . 2008-07-03 22:06 256 ----a-w- c:\windows\system32\pool.bin

2010-02-13 01:18 . 2010-02-13 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2010-02-13 01:15 . 2010-02-13 01:15 0 ----a-w- c:\windows\ativpsrm.bin

2010-02-13 01:11 . 2010-02-13 01:03 -------- d-----w- c:\program files\ATI Technologies

2010-02-13 01:09 . 2006-06-16 04:53 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-13 01:09 . 2010-02-13 01:09 -------- d-----w- c:\program files\Common Files\ATI Technologies

2010-02-12 03:31 . 2010-02-12 03:31 0 ----a-w- c:\windows\nsreg.dat

2010-02-10 16:43 . 2010-02-10 16:42 -------- d-----w- c:\program files\DivX

2010-02-10 16:42 . 2010-02-10 16:42 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-02-10 01:10 . 2010-02-10 01:09 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-02-10 01:08 . 2010-02-10 01:07 -------- d-----w- c:\program files\Microsoft IntelliType Pro

2010-02-09 23:10 . 2006-06-16 05:13 -------- d-----w- c:\program files\Google

2009-12-31 16:50 . 2004-08-10 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2006-08-09 03:23 . 2006-08-09 03:23 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]

"nwiz"="nwiz.exe" [2006-01-25 1519616]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-07 282624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-16 180269]

"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-21 65588]

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-6-16 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [9/26/2005 12:23 AM 202768]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/28/2005 8:19 AM 340037]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/12/2005 7:57 AM 630845]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/26/2005 12:23 AM 35856]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/12/2005 7:59 AM 286788]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:11 PM 135664]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/6/2010 2:16 PM 16512]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [8/30/2006 8:23 PM 39048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:10]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:10]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: trymedia.com

FF - ProfilePath - c:\documents and settings\DM1\Application Data\Mozilla\Firefox\Profiles\u9n6lxul.default\

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)

AddRemove-AVS Update Manager_is1 - c:\program files\AVS4YOU\AVSUpdateManager\unins000.exe

AddRemove-AVS4YOU Software Navigator_is1 - c:\program files\AVS4YOU\AVSSoftwareNavigator\unins000.exe

AddRemove-AVS4YOU Video Converter 6_is1 - c:\program files\AVS4YOU\AVSVideoConverter6\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-22 19:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'EXPLORER.EXE'(3412)

c:\windows\system32\WININET.dll

c:\docume~1\DM1\LOCALS~1\Temp\IadHide5.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\arservice.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE

c:\windows\system32\tcpsvcs.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\ARPWRMSG.EXE

c:\windows\eHome\ehmsas.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\DISC\DISCSTREAMHUB.EXE

c:\windows\system\hpsysdrv.exe

c:\program files\Java\jre1.5.0_05\bin\jusched.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\program files\iTunes\iTunesHelper.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-22 19:18:07 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-23 00:18

Pre-Run: 97,870,159,872 bytes free

Post-Run: 97,749,671,936 bytes free

- - End Of File - - 5FD8DFB230EEC1B657BE12F583B0A4A4


actually - that last step just allowed my mbam-exe to update

i ran a quickscan and it found 10 infected files - i clicked remove all, and it had to reboot my computer to remove the last 2

so i am doing another quick scan and i will post a log from that scan when it is complete


  • Staff

Hi,

you guys are awesome - who do i donate to - or will buying y'alls product suffice?
I highly recommend buying our product. A lifetime license will keep you protected for a very long time.

We're not quite done yet, so let's continue, and address any remaining issues when you are clean.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
