john18 Posted November 9, 2010 ID:342292 Share Posted November 9, 2010 This is my wife's machine and it is getting many more messages than my i7 machine. I ran a full scan of MBAM 1.46 Pro (I am licensed) and it found nothing.defogger_disable by jpshortstuff (23.02.10.1)Log created at 15:05 on 09/11/2010 (John)Checking for autostart values...HKCU\~\Run values retrieved.HKLM\~\Run values retrieved.Checking for services/drivers...-=E.O.F=-DDS (Ver_10-11-09.01) - NTFSx86 Run by John at 15:09:00.29 on Tue 11/09/2010Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.1994 [GMT -7:00]============== Running Processes ===============C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\nvvsvc.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Intel\IntelDH\CCU\AlertService.exeC:\Windows\system32\atashost.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k hpdevmgmtC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exeC:\Windows\system32\taskhost.exeC:\Windows\System32\svchost.exe -k HPZ12C:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exeC:\Windows\system32\taskeng.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Windows\System32\svchost.exe -k HPZ12C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exeC:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exeC:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exeC:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\TeamViewer\Version5\TeamViewer_Service.exeC:\Program Files\TVersity\Media Server\MediaServer.exeC:\Windows\system32\taskeng.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exeC:\hp\support\hpsysdrv.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exeC:\Program Files\BillP Studios\WinPatrol\WinPatrol.exeC:\Program Files\Citrix\ICA Client\concentr.exeC:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exeC:\Program Files\Citrix\ICA Client\wfcrun32.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Windows\system32\vssvc.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Windows\system32\DRIVERS\xaudio.exeC:\Windows\system32\vsnapvss.exeC:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXEC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\svchost.exe -k HPServiceC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\system32\taskeng.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\HP\Digital Imaging\bin\hpqbam08.exeC:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exeC:\Program Files\Secunia\PSI\psi.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Users\John\Desktop\dds.scrC:\Windows\system32\conhost.exe============== Pseudo HJT Report ===============uSearch Bar = hxxp://www.google.com/ieuSearch Page = hxxp://www.google.comuStart Page = hxxp://www.msnbc.msn.commDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktopmStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktopuSearchURL,(Default) = hxxp://www.google.com/search/?q=%sBHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No FileBHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dllBHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLLBHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllBHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllTB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllTB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dllEB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dlluRun: [ehTray.exe] c:\windows\ehome\ehTray.exeuRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startupmRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exemRun: [hpsysdrv] c:\hp\support\hpsysdrv.exemRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startupmRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressbootmRun: [<NO NAME>] mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startupmRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttrayStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exeuPolicies-explorer: NoViewOnDrive = 0 (0x0)mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)mPolicies-system: PromptOnSecureDesktop = 0 (0x0)IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.htmlIE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.htmlIE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.htmlIE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.htmlIE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.htmlIE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.htmlIE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.htmlIE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.htmlIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLLIE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dllTrusted Zone: firstcu.coop\wwwTrusted Zone: firstcu.coop\www.secureTrusted Zone: real.com\rhap-app-4-0Trusted Zone: real.com\rhapregDPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CABDPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CABDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cabDPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cabDPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cabDPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dllDPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cabDPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cabDPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabDPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cabDPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cabDPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cabDPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabDPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15108/CTPID.cabDPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dllHandler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dllHandler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dllNotify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dllAppInit_DLLs: c:\progra~1\google\google~1\GO36F4~1.DLLSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll================= FIREFOX ===================FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\mri7n6g2.default\FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dllFF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dllFF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dllFF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dllFF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dllFF - component: c:\users\john\appdata\roaming\mozilla\firefox\profiles\mri7n6g2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dllFF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dllFF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dllFF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dllFF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditionalc:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplifiedc:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditionalc:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified============= SERVICES / DRIVERS ===============R0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\drivers\stcvsm.sys [2010-8-6 193440]R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-21 328752]R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-21 173104]R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101029.001\BHDrvx86.sys [2010-11-1 692272]R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-21 501888]R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2009-9-28 19064]R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101108.002\IDSvix86.sys [2010-10-19 353840]R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2009-7-13 102560]R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-21 116784]R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys [2010-9-21 339504]R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-10-1 20376]R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-21 126392]R2 NMSCore;Intel® NMSCore;c:\program files\common files\intel\inteldh\nms\nmscore\NMSCore.exe [2007-6-27 317656]R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-18 5376]R2 QualityManager;Intel® Quality Manager;c:\program files\intel\inteldh\intel media server\media server\bin\QualityManager.exe [2007-6-27 272600]R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2010-8-6 1657376]R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 1956136]R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-8-6 67616]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-21 102448]R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2007-12-18 206336]R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-6-10 545792]R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-27 304464]S2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2007-6-27 157912]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 DHTRACE;Intel® DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-6-27 39640]S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-11-3 38352]S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-20 30192]S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-27 20952]S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-10-30 27192]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-23 1343400]S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]=============== Created Last 30 ================2010-11-09 13:19:12 169320 ----a-w- c:\progra~2\microsoft\windows\sqm\manifest\Sqm10135.bin2010-11-05 06:36:13 -------- d-sh--w- C:\Diskeeper2010-11-03 17:57:30 38352 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys2010-11-03 17:57:29 -------- d-----w- c:\program files\common files\Diskeeper Corporation2010-11-03 17:57:29 -------- d-----w- c:\progra~2\Diskeeper Corporation2010-11-03 17:57:28 -------- d-----w- c:\program files\Windows Home Server2010-11-03 17:57:28 -------- d-----w- c:\program files\Diskeeper Corporation2010-11-03 17:56:47 -------- d-----w- c:\program files\Diskeeper Setup Files2010-11-03 14:06:04 -------- d-----w- C:\Files to Diskeeper -Q66002010-10-30 16:22:32 -------- d-----w- c:\users\john\appdata\local\VS Revo Group2010-10-30 16:22:28 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys2010-10-30 05:39:08 -------- d-----w- c:\users\john\appdata\roaming\Valusoft2010-10-30 05:39:08 -------- d-----w- c:\progra~2\Valusoft2010-10-30 04:47:04 -------- d-----w- c:\users\john\appdata\roaming\Ten Heavens2010-10-30 04:45:42 -------- d-----w- c:\users\john\Million2010-10-30 03:45:12 -------- d-----w- c:\users\john\appdata\roaming\Gestalt Games2010-10-30 03:44:10 -------- d-----w- c:\users\john\appdata\roaming\BanzaiInteractive2010-10-30 03:44:10 -------- d-----w- c:\progra~2\BanzaiInteractive2010-10-27 19:37:09 0 ----a-w- c:\windows\system32\REN7C52.tmp2010-10-27 19:37:09 0 ----a-w- c:\windows\system32\REN7C51.tmp2010-10-27 19:37:09 0 ----a-w- c:\windows\system32\REN7C40.tmp2010-10-27 19:27:11 0 ----a-w- c:\windows\system32\RENBB55.tmp2010-10-27 19:27:11 0 ----a-w- c:\windows\system32\RENBB54.tmp2010-10-27 19:27:11 0 ----a-w- c:\windows\system32\RENBB53.tmp2010-10-27 19:18:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-10-27 19:18:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-10-27 19:18:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-10-27 02:13:49 641536 ----a-w- c:\windows\system32\CPFilters.dll2010-10-27 02:13:49 417792 ----a-w- c:\windows\system32\msdri.dll2010-10-27 02:13:48 204288 ----a-w- c:\windows\system32\MSNP.ax2010-10-27 02:13:48 199680 ----a-w- c:\windows\system32\mpg2splt.ax2010-10-27 02:13:44 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys2010-10-12 23:05:52 738816 ----a-w- c:\windows\system32\wmpmde.dll2010-10-12 23:05:52 363520 ----a-w- c:\windows\system32\StructuredQuery.dll2010-10-12 22:59:28 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll2010-10-12 22:57:25 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll==================== Find3M ====================2010-10-27 19:37:47 472808 ----a-w- c:\windows\system32\deployJava1.dll2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe============= FINISH: 15:10:18.22 ===============Attach.zip Link to post Share on other sites More sharing options...
Gammo Posted November 11, 2010 ID:343119 Share Posted November 11, 2010 Hi,Download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them: Click meIf you can't disable them then just continue on.Double click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply. Link to post Share on other sites More sharing options...
john18 Posted November 11, 2010 Author ID:343149 Share Posted November 11, 2010 Thank you for your time and instructions. I am printing the cut-and-paste here and also attaching the file so that you can use either.ComboFix 10-11-10.04 - John 11/11/2010 9:32.1.4 - x86Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.1646 [GMT -7:00]Running from: c:\users\John\Desktop\ComboFix.exe * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\programdata\Microsoft\Network\Downloader\qmgr0.datc:\programdata\Microsoft\Network\Downloader\qmgr1.datc:\users\John\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.dbc:\users\John\g2mdlhlpx.exec:\windows\system32\ccrpTmr6.dllc:\windows\system32\winsusrm.dllc:\windows\system32\X86c:\windows\system32\X86\License.rtfc:\windows\system32\X86\Readme.txtc:\windows\system32\X86\setup.exeJ:\Autorun.inf----- BITS: Possible infected sites -----hxxp://patch.everquest.com:7001.((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 ))))))))))))))))))))))))))))))).2010-11-09 13:19 . 2010-11-09 13:19 169320 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10135.bin2010-11-05 06:36 . 2010-11-05 06:36 -------- d-----w- C:\Diskeeper2010-11-03 17:57 . 2010-11-01 19:23 38352 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys2010-11-03 17:57 . 2010-11-03 17:57 -------- d-----w- c:\programdata\Diskeeper Corporation2010-11-03 17:57 . 2010-11-03 17:57 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation2010-11-03 17:57 . 2010-11-03 17:57 -------- d-----w- c:\program files\Windows Home Server2010-11-03 17:57 . 2010-11-03 17:57 -------- d-----w- c:\program files\Diskeeper Corporation2010-11-03 17:56 . 2010-11-03 17:57 -------- d-----w- c:\program files\Diskeeper Setup Files2010-11-03 14:06 . 2010-11-06 16:08 -------- d-----w- C:\Files to Diskeeper -Q66002010-10-30 16:22 . 2010-10-30 16:22 -------- d-----w- c:\users\John\AppData\Local\VS Revo Group2010-10-30 16:22 . 2009-12-30 19:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys2010-10-30 05:39 . 2010-10-30 05:39 -------- d-----w- c:\users\John\AppData\Roaming\Valusoft2010-10-30 05:39 . 2010-10-30 05:39 -------- d-----w- c:\programdata\Valusoft2010-10-30 04:47 . 2010-10-30 04:47 -------- d-----w- c:\users\John\AppData\Roaming\Ten Heavens2010-10-30 04:45 . 2010-10-30 04:45 -------- d-----w- c:\users\John\Million2010-10-30 03:45 . 2010-10-30 03:45 -------- d-----w- c:\users\John\AppData\Roaming\Gestalt Games2010-10-30 03:44 . 2010-10-30 03:44 -------- d-----w- c:\users\John\AppData\Roaming\BanzaiInteractive2010-10-30 03:44 . 2010-10-30 03:44 -------- d-----w- c:\programdata\BanzaiInteractive2010-10-27 19:37 . 2010-10-27 19:37 0 ----a-w- c:\windows\system32\REN7C52.tmp2010-10-27 19:37 . 2010-10-27 19:37 0 ----a-w- c:\windows\system32\REN7C51.tmp2010-10-27 19:37 . 2010-10-27 19:37 0 ----a-w- c:\windows\system32\REN7C40.tmp2010-10-27 19:27 . 2010-10-27 19:27 0 ----a-w- c:\windows\system32\RENBB55.tmp2010-10-27 19:27 . 2010-10-27 19:27 0 ----a-w- c:\windows\system32\RENBB54.tmp2010-10-27 19:27 . 2010-10-27 19:27 0 ----a-w- c:\windows\system32\RENBB53.tmp2010-10-27 19:18 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-10-27 19:18 . 2010-10-27 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-10-27 19:18 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-10-27 02:13 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll2010-10-27 02:13 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll2010-10-27 02:13 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax2010-10-27 02:13 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax2010-10-27 02:13 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys2010-10-12 23:05 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll2010-10-12 23:05 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll2010-10-12 22:59 . 2009-08-20 06:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll2010-10-12 22:57 . 2010-09-23 01:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-10-27 19:37 . 2010-05-10 14:55 472808 ----a-w- c:\windows\system32\deployJava1.dll2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts2010-08-21 05:32 . 2010-09-14 20:24 316928 ----a-w- c:\windows\system32\spoolsv.exe2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll2010-08-11 07:17 . 2010-08-11 07:17 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-22 68856]"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-23 160592][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-03 178712]"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-09 320832]"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-24 813584][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dllR2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 39640]R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-11 30192]R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-06-17 40720]R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-06-17 10384]R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]R3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCND532.sys [x]R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-23 1343400]R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]S0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\DRIVERS\stcvsm.sys [2010-07-16 193440]S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\SYMDS.SYS [2009-10-15 328752]S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\SYMEFA.SYS [2010-04-22 173104]S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [2010-11-04 691248]S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\ccHPx86.sys [2010-02-26 501888]S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-09 65584]S1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [2009-07-16 19064]S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101109.001\IDSvix86.sys [2010-10-19 353840]S1 sbmount;StorageCraft Image Mount Driver; [x]S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\Ironx86.SYS [2010-04-29 116784]S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0403000.005\SYMTDIV.SYS [2010-05-06 339504]S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]S2 NMSCore;Intel® NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [2007-06-27 317656]S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-19 5376]S2 QualityManager;Intel® Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [2007-06-27 272600]S2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2010-07-16 1657376]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-09-14 1956136]S2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-07-16 67616]S3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2010-11-01 38352]S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2007-04-26 206336]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-07-13 545792]S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]--- Other Services/Drivers In Memory ---*Deregistered* - SYMFW[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12HPService REG_MULTI_SZ HPSLPSVChpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcgetPlusHelper REG_MULTI_SZ getPlusHelpernosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper.Contents of the 'Scheduled Tasks' folder2010-11-11 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-22 05:29]2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:22]2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:22]..------- Supplementary Scan -------.uStart Page = hxxp://www.msnbc.msn.commStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktopuSearchURL,(Default) = hxxp://www.google.com/search/?q=%sIE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.htmlIE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlIE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlTrusted Zone: firstcu.coop\wwwTrusted Zone: firstcu.coop\www.secureTrusted Zone: real.com\rhap-app-4-0Trusted Zone: real.com\rhapregHandler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllFF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mri7n6g2.default\FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dllFF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dllFF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dllFF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dllFF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dllFF - component: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mri7n6g2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dllFF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dllFF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dllFF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dllFF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditionalc:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplifiedc:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditionalc:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplifiedc:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2010-11-11 09:41:24ComboFix-quarantined-files.txt 2010-11-11 16:41Pre-Run: 393,863,929,856 bytes freePost-Run: 394,981,974,016 bytes free- - End Of File - - C249A55BE8FA3A29C24C99A33AF0A024ComboFix.txt Link to post Share on other sites More sharing options...
Gammo Posted November 11, 2010 ID:343185 Share Posted November 11, 2010 Hi,Download TFC to your desktopOpen the file and close any other windows.It will close all programs itself when run, make sure to let it run uninterrupted.Click the Start button to begin the process. The program should not take long to finish its jobOnce its finished it should reboot your machine, if not, do this yourself to ensure a complete clean~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Start Malwarebytes' Anti-MalwareOnce the program has loaded, click the "Update" tab and click the "Check For updates" button.Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~I'd like us to scan your machine with ESET OnlineScanHold down Control and click on the following link to open ESET OnlineScan in a new window.ESET OnlineScanClick the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check Click the button.Accept any security warnings from your browser.Check Push the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.Push the button.Push Link to post Share on other sites More sharing options...
john18 Posted November 11, 2010 Author ID:343454 Share Posted November 11, 2010 The MBAM scan was negative, but ESET found one possible threat. Finally, I am attaching a few days worth of IP-BLOCK messages to show what started these questions on both my i7 computer and this computer. This computer does get more block messages and from different IP addresses.Once again, thank you for looking into this matter.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 5096Windows 6.1.7600Internet Explorer 8.0.7600.1638511/11/2010 1:38:22 PMmbam-log-2010-11-11 (13-38-22).txtScan type: Quick scanObjects scanned: 184966Time elapsed: 7 minute(s), 11 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)ESET Result follows:C:\Program Files\The Perfect Tree\Perfect Tree.exe probably unknown NewHeur_PE virusprotection_log_2010_11_08.txtprotection_log_2010_11_09.txtprotection_log_2010_11_10.txtprotection_log_2010_11_11.txt Link to post Share on other sites More sharing options...
Gammo Posted November 12, 2010 ID:343802 Share Posted November 12, 2010 Hi,Open notepad by going to Start > Run and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:@echo off>Router_Log_Gammo.txt (ipconfig /allnslookup google.comnslookup yahoo.comping -n 2 google.comping -n 2 yahoo.comroute print)start Router_Log_Gammo.txtdel %0In Notepad click on the "File" menu > Save As... Under "File name" type Router_Gammo.batChange "Save as type" to All FilesSave it to your DesktopDouble click on Router_Gammo.bat. It will open a notepad windows. Please post the contents of this file in your next reply. Link to post Share on other sites More sharing options...
john18 Posted November 12, 2010 Author ID:343849 Share Posted November 12, 2010 Once again, thank you for your time and effort. The information follows.Windows IP Configuration Host Name . . . . . . . . . . . . : John-PC Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : domain.actdsltmpWireless LAN adapter Wireless Network Connection: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : USB Wireless 802.11 b/g Adaptor Physical Address. . . . . . . . . : 00-16-44-76-13-7E DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : YesEthernet adapter Local Area Connection: Connection-specific DNS Suffix . : domain.actdsltmp Description . . . . . . . . . . . : Intel® 82566DC-2 Gigabit Network Connection Physical Address. . . . . . . . . : 00-1E-8C-36-28-C0 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::6cee:a768:20e:b2dc%10(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Thursday, November 11, 2010 1:28:42 PM Lease Expires . . . . . . . . . . : Saturday, November 13, 2010 6:46:02 AM Default Gateway . . . . . . . . . : 192.168.0.1 DHCP Server . . . . . . . . . . . : 192.168.0.1 DHCPv6 IAID . . . . . . . . . . . : 201334412 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-F9-E2-94-00-1E-8C-36-28-C0 DNS Servers . . . . . . . . . . . : 192.168.0.1 205.171.3.65 NetBIOS over Tcpip. . . . . . . . : EnabledTunnel adapter isatap.{5C7600EE-5BA4-4D2E-A861-2D1B1023BD6D}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : YesTunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:103f:f:9e83:b5ba(Preferred) Link-local IPv6 Address . . . . . : fe80::103f:f:9e83:b5ba%14(Preferred) Default Gateway . . . . . . . . . : :: NetBIOS over Tcpip. . . . . . . . : DisabledTunnel adapter isatap.domain.actdsltmp: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : YesServer: qwestmodem.domain.actdsltmpAddress: 192.168.0.1DNS request timed out. timeout was 2 seconds.DNS request timed out. timeout was 2 seconds.Name: google.comAddresses: 74.125.19.99 74.125.19.103 74.125.19.104 74.125.19.147Server: qwestmodem.domain.actdsltmpAddress: 192.168.0.1DNS request timed out. timeout was 2 seconds.DNS request timed out. timeout was 2 seconds.Name: yahoo.comAddresses: 69.147.125.65 72.30.2.43 98.137.149.56 209.191.122.70 67.195.160.76Pinging google.com [74.125.19.147] with 32 bytes of data:Reply from 74.125.19.147: bytes=32 time=43ms TTL=56Reply from 74.125.19.147: bytes=32 time=43ms TTL=56Ping statistics for 74.125.19.147: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 43ms, Maximum = 43ms, Average = 43msPinging yahoo.com [209.191.122.70] with 32 bytes of data:Reply from 209.191.122.70: bytes=32 time=57ms TTL=53Reply from 209.191.122.70: bytes=32 time=57ms TTL=53Ping statistics for 209.191.122.70: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 57ms, Maximum = 57ms, Average = 57ms===========================================================================Interface List 11...00 16 44 76 13 7e ......USB Wireless 802.11 b/g Adaptor 10...00 1e 8c 36 28 c0 ......Intel® 82566DC-2 Gigabit Network Connection 1...........................Software Loopback Interface 1 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2===========================================================================IPv4 Route Table===========================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 20 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.0.0 255.255.255.0 On-link 192.168.0.3 276 192.168.0.3 255.255.255.255 On-link 192.168.0.3 276 192.168.0.255 255.255.255.255 On-link 192.168.0.3 276 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.0.3 276 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.0.3 276===========================================================================Persistent Routes: NoneIPv6 Route Table===========================================================================Active Routes: If Metric Network Destination Gateway 14 58 ::/0 On-link 1 306 ::1/128 On-link 14 58 2001::/32 On-link 14 306 2001:0:4137:9e76:103f:f:9e83:b5ba/128 On-link 10 276 fe80::/64 On-link 14 306 fe80::/64 On-link 14 306 fe80::103f:f:9e83:b5ba/128 On-link 10 276 fe80::6cee:a768:20e:b2dc/128 On-link 1 306 ff00::/8 On-link 14 306 ff00::/8 On-link 10 276 ff00::/8 On-link===========================================================================Persistent Routes: None Link to post Share on other sites More sharing options...
Gammo Posted November 12, 2010 ID:343864 Share Posted November 12, 2010 Hi,Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done with your internet connection disabled, so you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.I'm out of ideas, but since you're experiencing the issue on multiple PC's, it might be a case of Zlob/DNSchanger that change the router's DNS settings.1. Very important: First disconnect your computer from the internet.2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).Important: Follow steps 3, 4 and 5 on both of you PC's simultaneously!3. Reset the IP/DNS settings of your interent connection:Go to Start -> Control Panel -> Double click on Network Connections.Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.Select the General tab.Double click on Internet Protocol (TCP/IP).Under General tab:Select "Obtain an IP address automatically".Select "Obtain DNS server address automatically".[*]Click OK twice to save the settings.[*]Reboot if you had to change any setting.4. Flush the DNS cache:Click the Start logo in the bottom left corner of the screenClick on RunIn the command window copy/paste the following:ipconfig /flushdnsThen hit enter.Exit the command window.5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.Does this resolve the problem? Link to post Share on other sites More sharing options...
john18 Posted November 12, 2010 Author ID:344069 Share Posted November 12, 2010 All three computers (there are a total of three computers, but only two have MBAM Pro) run Windows 7 and maybe because of the prior setup options I used my menus are different. What I ended up doing was going into advanced Local Area Connection Properties, selecting "Internet Protocol Version 4 (TCP/IP4)", seleting Properties, and then making sure that the settings were correct. I rebooted at that point anyway just to be sure. Also, I had to go into All Programs > Accessories > Command Prompt to get the correct prompt to do the flush command.As of now, about 30 minutes after completing the procedure, I have not yet seen an IP-BLOCK message. I will keep an eye out and also check the logs periodically.I do have two questions. When I reset my router I was expecting to lose my passwords, MAC addresses and other information. I didn't. Should I have lost that information because I held the appropriate reset button in for 20 seconds just to be sure. I also had to unplug the router to get it to reboot properly.Second, if you are allowed to give an opinion, is there any problem with me running Clear Cloud's DNS service as a way of surfing safer? Their website can be found here.I will let you know if I see anymore messages. In the meantime thank you for your help and enjoy your weekend. Link to post Share on other sites More sharing options...
Gammo Posted November 13, 2010 ID:344559 Share Posted November 13, 2010 Hi,Should I have lost that information because I held the appropriate reset button in for 20 seconds just to be sure.As far as I know it depends on the router, but I'm not an expert on this,.Second, if you are allowed to give an opinion, is there any problem with me running Clear Cloud's DNS service as a way of surfing safer? Their website can be found here.I don't know the service, but I can't see why their would be a problem with you running it. I use OpenDNS myself. Link to post Share on other sites More sharing options...
john18 Posted November 13, 2010 Author ID:344581 Share Posted November 13, 2010 I'll look into Open DNS.As for the computers the i7 has not shown an IP-Block since yesterday's procedure. The Q6600 has had a few IP-Blocks today. I will upload the logs in awhile, primarily after my wife stops playing games on it. Link to post Share on other sites More sharing options...
john18 Posted November 13, 2010 Author ID:344689 Share Posted November 13, 2010 Just a fast update.I went ahead and purchased the $10.00 subscription to OpenDNS Premium and have enabled it in the router and have loaded the OpenDNS Updater onto each computer since we have dynamic IP addresses. Prior to doing this the i7 computer did receive one IP-BLOCK and the Q6600 received a few. I am holding off posting the logs until I see whether OpenDNS made any difference at all in whether or not we still receive the IP-BLOCK messages. Link to post Share on other sites More sharing options...
Gammo Posted November 13, 2010 ID:344741 Share Posted November 13, 2010 Hi,If you're still receiving IP blocks, then I suggest you install the new MBAM 1.50 beta: http://forums.malwarebytes.org/index.php?showtopic=67218Notifications of blocked malicious websites now include additional details such as type, port, and process on Windows Vista and higher.The notification now includes the related process. Please tell me the process(es). Link to post Share on other sites More sharing options...
john18 Posted November 14, 2010 Author ID:344874 Share Posted November 14, 2010 I just downloaded and installed it on all the machines. I will update the thread no later than Monday morning here. Thanks again. Link to post Share on other sites More sharing options...
Gammo Posted November 14, 2010 ID:344941 Share Posted November 14, 2010 OK. Please keep me posted on the IP blocks. Link to post Share on other sites More sharing options...
john18 Posted November 15, 2010 Author ID:345629 Share Posted November 15, 2010 Hi Gammo,I have attached two logs from this computer from after I installed the MBAM 1.50 beta. They are fairly sizable so I posted them as attachments. If you prefer that I simply post them as text into the messages please let me know. I will look at the i7 machine's logs and if I have any issues with it I will post them in it's thread.Thank you and have a good day.protection_log_2010_11_14.txtprotection_log_2010_11_15.txt Link to post Share on other sites More sharing options...
Gammo Posted November 16, 2010 ID:346303 Share Posted November 16, 2010 Hi,Your logs appear to be clean, but since you're still receiving IP blocks your PC is probably still infected.I'm not an expert on MBAM's IP protection module, and it is probably gonna take quite some extra steps until I've found the culprit.Because of this, I recommend you contact the help desk at support@malwarebytes.org (you can do this as a paying customer). They know more about MBAM's IP blocker than me, and will provide faster replies.If you agree to do this, I'll post my cleanup instructions. Please wait with emailing the help desk until you've followed my cleanup instructions. Link to post Share on other sites More sharing options...
john18 Posted November 16, 2010 Author ID:346387 Share Posted November 16, 2010 Hi Gammo.I will go ahead and contact the Help Desk with the problem, so please post whatever instructions you need to and then I will contact the Help Desk once I have followed the instructions.Thank you very much. Link to post Share on other sites More sharing options...
Gammo Posted November 16, 2010 ID:346409 Share Posted November 16, 2010 Hi,Remove Combofix now that we're done with it.Please press the Windows Key and R on your keyboard. This will bring up the Run... command.Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")Please follow the prompts to uninstall Combofix.You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Download OTC to your desktop and run itA list of tool components used in the Cleanup of malware will be downloaded.If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.Click Yes to begin the Cleanup process and remove these components, including this application.You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes. Link to post Share on other sites More sharing options...
john18 Posted November 17, 2010 Author ID:346515 Share Posted November 17, 2010 Thank you Gammo for all your help. I will contact the Help Desk tomorrow. Please leave both my threads open long enough for me to copy and paste the link so that the Help Desk can see what we have done.I really appreciate the help. Link to post Share on other sites More sharing options...
Gammo Posted November 17, 2010 ID:346694 Share Posted November 17, 2010 You're welcome. Good luck at the help desk. Link to post Share on other sites More sharing options...
Recommended Posts