Have an alternate DNS when searching, can't start in safe mode or install S&D



hurdlesemo
2009-05-19, 17:09
Dunno what is going on.

Can't start in safe mode or install S&D, and when I search and click on the resulting links it takes me to various other sites - alternate DNS thingy.

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:22 AM, on 5/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: TransactNOW SSO Update Monitor.lnk = C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.AMSSetWrite.com (HKLM)
O15 - Trusted Zone: *.silverplume.com (HKLM)
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239981720140&h=8f9991cf495bc8f22bcd09d8a6c5f4b6/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5287 bytes

info.txt logfile of random's system information tool 1.06 2009-05-19 09:57:35

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
AMS TransactNOW Single Sign-On-->MsiExec.exe /X{ADC8B312-FBE0-49AE-A0AA-3F5EB104DDB9}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ESET NOD32 Antivirus-->MsiExec.exe /I{86A6E235-C08F-4A14-B14C-793C7D8844A0}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 9.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP LaserJet M2727 MFP Series 5.0-->C:\Program Files\HP\Digital Imaging\{3A915D43-FD4F-4e4f-BEF7-B75C160B0236}\setup\hpzscr01.exe -datfile hppscr07.dat -onestop -forcereboot
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HPSSupply-->MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Microsoft Office Live Meeting 2007-->MsiExec.exe /I{6E4D4E0B-02F6-46C1-BAE5-1B6B2E486A7B}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.17)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero 7 Essentials-->MsiExec.exe /X{F61DD673-0030-4BB2-A382-7E57E97F1033}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Ralink Wireless LAN-->C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe -runfromtemp -l0x0009 -removeonly
Rating_Workstation_Complete-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA0548FD-9E9E-4408-9A2B-65787CDD20FC}\setup.exe" -l0x9 -removeonly
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}

=====HijackThis Backups=====

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.20,85.255.112.141 [2009-05-11]
O17 - HKLM\System\CCS\Services\Tcpip\..\{C949B295-A8D0-46F2-B34C-23A1FBDBDB69}: NameServer = 85.255.112.20,85.255.112.141 [2009-05-11]
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D324F5-F94C-416F-9160-DF7C33B2D01D}: NameServer = 85.255.112.20,85.255.112.141 [2009-05-11]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.20,85.255.112.141 [2009-05-11]
O1 - Hosts: ::1 localhost [2009-05-19]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-05-19]

======Security center information======

AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender

======System event log======

Computer Name: Rachel
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
i8042prt
Record Number: 38118
Source Name: Service Control Manager
Time Written: 20090519142625.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 8003
Message: The master browser has received a server announcement from the computer VICKI that believes that it is the master browser for the domain on transport NetBT_Tcpip_{96D324F5-F94C-416F-9160-DF7C33B2D01D. The master browser is stopping or an election is being forced.
Record Number: 38133
Source Name: bowser
Time Written: 20090519143410.941616-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 10005
Message: DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Record Number: 38136
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090519143608.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 7009
Message: A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
Record Number: 38138
Source Name: Service Control Manager
Time Written: 20090519143608.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 7000
Message: The Windows Search service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Record Number: 38139
Source Name: Service Control Manager
Time Written: 20090519143608.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Rachel
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 9396
Source Name: Microsoft-Windows-WMI
Time Written: 20090519133826.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 9441
Source Name: Microsoft-Windows-WMI
Time Written: 20090519142625.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 3013
Message: The entry <C:\USERS\JOSH\DESKTOP\JOSH FOLDER\5.11.09 COLUMN.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Record Number: 9442
Source Name: Microsoft-Windows-Search
Time Written: 20090519142633.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 3013
Message: The entry <C:\USERS\JOSH\DESKTOP\JOSH FOLDER\GOLF DISTRICTS.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Record Number: 9443
Source Name: Microsoft-Windows-Search
Time Written: 20090519142633.000000-000
Event Type: Error
User:

Computer Name: Rachel
Event Code: 3013
Message: The entry <C:\USERS\JOSH\DESKTOP\JOSH FOLDER\TRACK CONFERENCE.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Record Number: 9444
Source Name: Microsoft-Windows-Search
Time Written: 20090519142634.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Rachel
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 13124
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090519145734.447489-000
Event Type: Audit Failure
User:

Computer Name: Rachel
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 13125
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090519145734.472878-000
Event Type: Audit Failure
User:

Computer Name: Rachel
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 13126
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090519145734.504126-000
Event Type: Audit Failure
User:

Computer Name: Rachel
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 13127
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090519145734.531468-000
Event Type: Audit Failure
User:

Computer Name: Rachel
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 13128
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090519145734.569552-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Josh at 2009-05-19 10:04:58
Microsoft® Windows Vista™ Business Service Pack 1
System drive C: has 63 GB (63%) free of 100 GB
Total RAM: 3230 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:00 AM, on 5/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Josh\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Josh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: TransactNOW SSO Update Monitor.lnk = C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.AMSSetWrite.com (HKLM)
O15 - Trusted Zone: *.silverplume.com (HKLM)
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239981720140&h=8f9991cf495bc8f22bcd09d8a6c5f4b6/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5290 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-17 35840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2008-04-30 96800]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-04-30 13515296]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-04-30 92704]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-03-13 1443072]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2008-01-10 53248]
""= []
"HPUsageTracking"=C:\Program Files\HP\HP UT\bin\hppusg.exe [2007-08-31 36864]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-17 148888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-20 1233920]
"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-04 149040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-05-04 161328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
C:\PROGRA~1\RALINK\Common\RaUI.exe [2007-04-25 946176]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
TransactNOW SSO Update Monitor.lnk - C:\Program Files\AMS Services\TransactNOW\OALaunch.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 2 months======

2009-05-19 09:59:45 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-19 09:57:32 ----D---- C:\rsit
2009-05-19 09:37:22 ----D---- C:\Users\Josh\AppData\Roaming\AMS Services
2009-05-19 08:40:16 ----D---- C:\Users\Josh\AppData\Roaming\Macromedia
2009-05-19 08:40:16 ----D---- C:\Users\Josh\AppData\Roaming\Adobe
2009-05-19 08:38:12 ----D---- C:\Users\Josh\AppData\Roaming\HP
2009-05-19 08:37:50 ----D---- C:\Users\Josh\AppData\Roaming\Mozilla
2009-05-19 08:36:56 ----D---- C:\Users\Josh\AppData\Roaming\Identities
2009-05-19 08:36:47 ----SD---- C:\Users\Josh\AppData\Roaming\Microsoft
2009-05-18 15:23:50 ----D---- C:\Program Files\Microsoft
2009-05-18 15:23:34 ----D---- C:\Program Files\Windows Live SkyDrive
2009-05-18 15:21:40 ----D---- C:\Program Files\Common Files\Windows Live
2009-05-11 09:50:21 ----D---- C:\Program Files\Trend Micro
2009-04-29 09:16:54 ----D---- C:\Windows\Minidump
2009-04-29 09:14:35 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-29 09:14:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-17 10:21:18 ----A---- C:\Windows\system32\javaws.exe
2009-04-17 10:21:18 ----A---- C:\Windows\system32\javaw.exe
2009-04-17 10:21:18 ----A---- C:\Windows\system32\java.exe
2009-04-17 10:21:08 ----D---- C:\Program Files\Java
2009-04-17 10:03:35 ----D---- C:\RECYCLER
2009-04-16 08:39:26 ----A---- C:\Windows\system32\winhttp.dll
2009-04-16 08:39:24 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-16 08:39:24 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-16 08:39:18 ----A---- C:\Windows\system32\rpcss.dll
2009-04-16 08:39:17 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-16 08:39:17 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-16 08:39:16 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-16 08:39:16 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-16 08:39:16 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-16 08:39:16 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-16 08:39:16 ----A---- C:\Windows\system32\iashost.exe
2009-04-16 08:39:16 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-16 08:39:16 ----A---- C:\Windows\system32\iasads.dll
2009-04-16 08:39:12 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-16 08:39:11 ----A---- C:\Windows\system32\secur32.dll
2009-04-16 08:39:11 ----A---- C:\Windows\system32\kernel32.dll
2009-04-16 08:39:11 ----A---- C:\Windows\system32\apilogen.dll
2009-04-16 08:39:11 ----A---- C:\Windows\system32\amxread.dll
2009-04-16 08:39:00 ----A---- C:\Windows\system32\mshtml.dll
2009-04-16 08:38:57 ----A---- C:\Windows\system32\ieframe.dll
2009-04-16 08:38:55 ----A---- C:\Windows\system32\urlmon.dll
2009-04-16 08:38:55 ----A---- C:\Windows\system32\iertutil.dll
2009-04-16 08:38:54 ----A---- C:\Windows\system32\wininet.dll
2009-04-16 08:38:54 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-16 08:38:54 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-16 08:38:53 ----A---- C:\Windows\system32\occache.dll
2009-04-16 08:38:53 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-16 08:38:53 ----A---- C:\Windows\system32\ieencode.dll
2009-04-16 08:38:53 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-16 08:38:52 ----A---- C:\Windows\system32\mstime.dll
2009-04-16 08:38:52 ----A---- C:\Windows\system32\jsproxy.dll
2009-04-07 11:27:10 ----D---- C:\Program Files\MSECache
2009-04-06 10:16:20 ----D---- C:\ProgramData\zvprt50
2009-04-06 10:11:55 ----D---- C:\hp_LJM2727_full_solution_AM_EMEA1

======List of files/folders modified in the last 2 months======

2009-05-19 10:04:57 ----D---- C:\Windows\Temp
2009-05-19 10:03:49 ----HD---- C:\ProgramData
2009-05-19 10:03:49 ----D---- C:\Windows\system32\drivers
2009-05-19 10:03:49 ----D---- C:\Windows\Prefetch
2009-05-19 09:59:45 ----RD---- C:\Program Files
2009-05-19 09:54:02 ----SHD---- C:\Windows\Installer
2009-05-19 09:54:02 ----HD---- C:\Config.Msi
2009-05-19 09:54:02 ----A---- C:\Windows\ODBC.INI
2009-05-19 09:36:15 ----D---- C:\ProgramData\Adobe
2009-05-19 09:36:13 ----D---- C:\Program Files\Common Files\Adobe
2009-05-19 09:36:04 ----D---- C:\Windows\System32
2009-05-19 09:29:02 ----D---- C:\Windows\inf
2009-05-19 09:29:02 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-19 09:24:35 ----D---- C:\Windows
2009-05-19 08:37:17 ----SHD---- C:\$Recycle.Bin
2009-05-19 08:36:47 ----RD---- C:\Users
2009-05-18 15:24:12 ----D---- C:\Windows\winsxs
2009-05-18 15:23:45 ----D---- C:\Windows\system32\catroot
2009-05-18 15:23:39 ----D---- C:\Program Files\Common Files\microsoft shared
2009-05-18 15:23:19 ----D---- C:\Program Files\Windows Live
2009-05-18 15:21:40 ----D---- C:\Program Files\Common Files
2009-05-18 15:21:39 ----SD---- C:\ProgramData\Microsoft
2009-05-14 08:42:02 ----D---- C:\Program Files\Windows Mail
2009-05-07 02:16:29 ----A---- C:\Windows\system32\mrt.exe
2009-04-29 17:17:07 ----D---- C:\Windows\system32\catroot2
2009-04-17 10:21:32 ----SD---- C:\Windows\Downloaded Program Files
2009-04-17 10:21:10 ----A---- C:\Windows\system32\deploytk.dll
2009-04-17 09:10:35 ----D---- C:\Windows\system32\wbem
2009-04-17 09:10:32 ----D---- C:\Windows\system32\manifeststore
2009-04-17 09:10:32 ----D---- C:\Windows\AppPatch
2009-04-17 09:10:32 ----D---- C:\Program Files\Internet Explorer
2009-04-17 08:51:56 ----A---- C:\Windows\win.ini
2009-04-17 08:50:49 ----SHD---- C:\System Volume Information
2009-04-07 11:27:29 ----D---- C:\Program Files\Microsoft Office
2009-04-06 10:16:31 ----RSD---- C:\Windows\assembly
2009-04-06 10:16:30 ----D---- C:\Program Files\HP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-20 350720]
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2008-03-13 29704]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2008-03-13 40456]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-04-30 1042464]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-04-30 7928864]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2008-04-30 13312]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista; C:\Windows\system32\DRIVERS\netr61.sys [2006-12-13 286208]
R3 StillCam;Still Serial Digital Camera Driver; C:\Windows\system32\DRIVERS\serscan.sys [2008-01-20 9216]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-03-13 19200]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-20 523776]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-04 267824]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-20 917504]

-----------------EOF-----------------

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Blade81
2009-05-20, 17:43
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

hurdlesemo
2009-05-21, 16:53
ComboFix 09-05-20.A1 - Josh 05/21/2009 8:47.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3230.2519 [GMT -5:00]
Running from: c:\users\Josh\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\users\Laxton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HeroCodec
c:\windows\system32\drivers\gxvxckxbhreowbqxppecriptobmqevfeibvmd.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcdqsbmdvvnsustlhblsiptpdtimjiphyp.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 13:50 . 2009-05-21 13:50 -------- d-----w c:\users\Josh\AppData\Local\temp
2009-05-21 13:50 . 2009-05-21 13:50 -------- d-----w c:\users\Vicki\AppData\Local\temp
2009-05-21 13:50 . 2009-05-21 13:50 -------- d-----w c:\users\TESTACCOUNT\AppData\Local\temp
2009-05-19 14:57 . 2009-05-19 14:57 -------- d-----w C:\rsit
2009-05-19 14:37 . 2009-05-19 14:37 -------- d-----w c:\users\Josh\AppData\Roaming\AMS Services
2009-05-19 13:41 . 2009-05-19 14:33 -------- d-----w c:\users\Josh\AppData\Local\Adobe
2009-05-19 13:38 . 2009-05-19 13:38 -------- d-----w c:\users\Josh\AppData\Roaming\HP
2009-05-19 13:37 . 2009-05-19 13:37 -------- d-----w c:\users\Josh\AppData\Local\Mozilla
2009-05-19 13:37 . 2009-05-19 13:37 67792 ----a-w c:\users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-19 13:37 . 2009-05-19 13:37 -------- d-----r c:\users\Josh\Searches
2009-05-19 13:33 . 2009-05-19 13:33 -------- d-----w c:\users\Vicki\Tracing
2009-05-18 20:23 . 2009-05-18 20:23 -------- d-----w c:\program files\Microsoft
2009-05-18 20:23 . 2009-05-18 20:23 -------- d-----w c:\program files\Windows Live SkyDrive
2009-05-18 20:21 . 2009-05-18 20:21 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-11 14:50 . 2009-05-11 14:50 -------- d-----w c:\program files\Trend Micro
2009-04-29 14:14 . 2009-05-19 14:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-29 14:14 . 2009-04-29 14:14 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-29 14:14 . 2009-04-29 14:14 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-04-24 19:05 . 2009-04-24 19:05 -------- d-----w c:\users\Vicki\AppData\Local\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 14:36 . 2008-12-19 21:09 -------- d-----w c:\program files\Common Files\Adobe
2009-05-18 20:23 . 2008-11-10 16:55 -------- d-----w c:\program files\Windows Live
2009-05-14 13:42 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 15:21 . 2008-12-19 16:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-17 15:21 . 2009-04-17 15:21 -------- d-----w c:\program files\Java
2009-04-07 16:27 . 2009-04-07 16:27 -------- d-----w c:\program files\MSECache
2009-04-06 15:20 . 2009-02-12 19:30 153557 ----a-w c:\windows\hppins07.dat
2009-04-06 15:16 . 2008-11-07 18:21 -------- d-----w c:\program files\HP
2009-04-06 15:16 . 2009-02-12 19:30 153516 ----a-w c:\windows\system32\hppins07.dat
2009-04-06 15:15 . 2008-11-07 19:27 608 --sha-w c:\windows\system32\winzvprt5.sys
2009-03-17 03:38 . 2009-04-16 13:39 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 13:39 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-10 19:00 . 2009-01-15 20:56 60744 ----a-w c:\users\TESTACCOUNT\g2mdlhlpx.exe
2009-03-03 04:46 . 2009-04-16 13:39 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 13:39 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-16 13:38 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-16 13:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 13:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 13:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 13:38 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-16 13:39 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 13:39 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-16 13:39 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 13:39 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 13:39 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-16 13:38 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-20 18:56 . 2008-11-10 18:48 460088 ----a-w c:\windows\system32\WriterPDF.dll
2009-02-20 18:56 . 2009-03-04 16:18 656696 ----a-w c:\windows\system32\Skylon2.dll
2009-02-20 18:56 . 2008-11-10 18:48 279864 ----a-w c:\windows\system32\LANYARD.DLL
2009-02-20 18:56 . 2008-11-10 18:48 390456 ----a-w c:\windows\system32\SEAREACH.DLL
2009-02-20 18:49 . 2008-11-10 18:48 20480 ----a-w c:\windows\system32\AMSRKVer.dll
2009-02-20 18:26 . 2008-11-10 18:48 111952 ----a-w c:\windows\system32\RatingUtils.dll
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-04-30 96800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-30 13515296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-30 92704]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TransactNOW SSO Update Monitor.lnk - c:\program files\AMS Services\TransactNOW\OALaunch.exe [2008-6-5 173872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{693D36AE-0208-43AE-9250-C5848E0803CD}"= UDP:c:\program files\HP\hp laserjet m2727\Fax Config utility0.exe:HP Networked Printer Installer
"{170EC23E-3936-4DB2-924C-C744A276EEF5}"= TCP:c:\program files\HP\hp laserjet m2727\Fax Config utility0.exe:HP Networked Printer Installer
"{99A31C7C-563E-4800-8E89-899867E71AEE}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{73EDE47E-9204-4476-9BB0-8DE22DEBDF38}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{7919EFDA-C01B-4FDC-BD66-BA71AF3FC64E}"= UDP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{E2023E51-8830-4284-885D-D0331F0E9718}"= TCP:c:\program files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"TCP Query User{684BB475-B336-447A-901C-3BC2B07F4D99}c:\\program files\\hp\\hp laserjet m2727\\hppfaxnc0.exe"= UDP:c:\program files\hp\hp laserjet m2727\hppfaxnc0.exe:HP LaserJet SendFax Application
"UDP Query User{318D9D68-E27E-4274-92C8-8057391277C3}c:\\program files\\hp\\hp laserjet m2727\\hppfaxnc0.exe"= TCP:c:\program files\hp\hp laserjet m2727\hppfaxnc0.exe:HP LaserJet SendFax Application

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [3/13/2008 5:52 PM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 5:49 PM 472320]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr61.sys [11/5/2008 2:33 PM 286208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: AMSSetWrite.com
Trusted Zone: silverplume.com
Trusted Zone: travelers.com
Trusted Zone: travelerspc.com
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\fq4wzs6u.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 08:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-21 8:51
ComboFix-quarantined-files.txt 2009-05-21 13:50

Pre-Run: 66,134,876,160 bytes free
Post-Run: 67,205,144,576 bytes free

146 --- E O F --- 2009-05-21 13:39
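
The ComboFix report above deleted a driver with a long, machine-generated-looking file name (gxvxckxbhreowbqxppecriptobmqevfeibvmd.sys) that is absent from the RSIT driver listing posted earlier in the thread. The script below is an added example, not part of this thread or of any of the tools used in it: it parses driver lines in the RSIT "List of drivers" format shown above and flags entries whose .sys basename is long and consonant-heavy, reporting corroborating signals (display name identical to the service name, boot/system start type) only alongside that name heuristic so that short vowel-less but legitimate names such as nvlddmkm.sys are not reported. The sample listing is constructed for the example; its last line is modelled on the deleted driver, and that line's service name, start type, date and size are assumptions, not values from the page.

```python
r"""Flag driver entries with machine-generated-looking file names.

Parses lines in the RSIT "List of drivers" format, e.g.
  R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-20 350720]
and reports entries whose .sys basename looks random, the pattern of
the driver ComboFix removed in this thread.
"""
import re

# R/S = running/stopped, digit = start type, then name;display; path [date size]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); ?"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
VOWELS = set("aeiouy")

# Constructed sample: three lines in the RSIT format from the thread, plus one
# line modelled on the driver ComboFix deleted. The service name, start type,
# date and size of that last line are assumptions made for this example.
SAMPLE = r"""
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-20 350720]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-04-30 7928864]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R1 gxvxcserv;gxvxcserv; C:\Windows\system32\drivers\gxvxckxbhreowbqxppecriptobmqevfeibvmd.sys [2009-05-18 41984]
"""


def parse_line(line):
    """Return a dict for one driver line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = int(entry["start"])
    entry["size"] = int(entry["size"])
    entry["file"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def longest_consonant_run(word):
    """Length of the longest run of consonant letters; digits and punctuation break a run."""
    run = best = 0
    for ch in word.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(filename, min_len=16, min_run=5):
    """Heuristic: a long stem containing an unpronounceable consonant cluster.

    The length floor keeps short vowel-less but legitimate names such as
    nvlddmkm.sys from being flagged; the run floor lets long descriptive
    names such as printfilterpipelinesvc pass.
    """
    stem = filename.lower()
    if stem.endswith(".sys"):
        stem = stem[:-4]
    return len(stem) >= min_len and longest_consonant_run(stem) >= min_run


def flag_drivers(listing):
    """Return (service, file, reasons) for every entry with a random-looking file name."""
    findings = []
    for line in listing.splitlines():
        entry = parse_line(line)
        if entry is None or not looks_random(entry["file"]):
            continue
        reasons = ["random-looking file name"]
        # Corroborating signals, reported only together with the name heuristic
        if entry["display"].strip().lower() == entry["name"].strip().lower():
            reasons.append("display name is just the service name")
        if entry["start"] <= 1:
            reasons.append("boot/system start type (loads before user-mode scanners)")
        findings.append((entry["name"], entry["file"], reasons))
    return findings


if __name__ == "__main__":
    for name, file, reasons in flag_drivers(SAMPLE):
        print(f"{name}: {file}\n  " + "\n  ".join(reasons))
```

Run against the RSIT output pasted above, the script reports nothing, which is consistent with the driver only surfacing in the ComboFix deletions; the thresholds are deliberately conservative, so a clean result is a weak signal and a hit is a reason to look further, not a verdict.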

hurdlesemo
2009-05-21, 17:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:00 AM, on 5/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Josh\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Josh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: TransactNOW SSO Update Monitor.lnk = C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.AMSSetWrite.com (HKLM)
O15 - Trusted Zone: *.silverplume.com (HKLM)
O15 - Trusted Zone: http://*.travelers.com (HKLM)
O15 - Trusted Zone: http://*.travelerspc.com (HKLM)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239981720140&h=8f9991cf495bc8f22bcd09d8a6c5f4b6/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5290 bytes

Blade81
2009-05-21, 17:14
Hi

That looks better :)

Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read the requirements and privacy statement then click on the Accept button.

The program will launch and start to download the latest definition files.

You will be prompted to install an application from Kaspersky. Click Run.

Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

Click on My Computer under Scan.

Once the scan is complete, it will display the results. Click on View Scan Report.

Click on Save Report As...

Change the Files of type to Text file (.txt) before clicking on the Save button.

Save this report to a convenient place.

Copy and paste that information into your topic. Post also a fresh hjt log and let me know how the system is running.

The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Blade81
2009-05-30, 02:37
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.