
Firewall keeps turning off and Google keeps redirecting me?


I have a few problems with my system. Every time I boot up my computer the firewall is turned off. I have to turn it on every time. Also, I keep getting redirected to different web pages from Google. I ran a scan with AVG and Lavasoft, and I only found a few tracking cookies. I ran a "Hijack This" scan and attached it. I am not sure if this is the problem, but two of the results are unknown files. Is this the problem?

[attachment deleted by admin]

Here is the HijackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 6:57:30 AM, on 3/24/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\System32\p2phost.exe
C:\Windows\ehome\ehtray.exe
D:\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Users\Sam Hern\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Users\Sam Hern\Desktop\ht\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [L08AXLRD_3627116] "D:\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Sam Hern\Program Files\DNA\btdna.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD889663-729B-4AD0-9E57-2CB8370BAD94}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: Windows Media CENTER Service Launcher (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: SQL Server (CSSQL05) (MSSQL$CSSQL05) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sCSSQL05 (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

What version of Windows is this? Windows 7?

This is Windows Vista Ultimate 32 bit edition.

Disable Windows Defender

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Windows Defender
  • Click on Tools > Option
  • Scroll down and uncheck Use real-time protection (recommended)
  • After you uncheck this, click on the Save button and then exit Windows Defender
  • Now on your keyboard press and hold Ctrl+Alt and then press the Delete key two times to bring up the Task Manager.
  • Locate MSASCui.exe then right click on it and choose End Process. Click Yes on the Task Manager Security Warning.
After all of the fixes are complete it is very important that you enable real-time protection again.

----------

Install the new version of HJT and post a log from it.

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

OK, I did the above steps. Here is the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:56 PM, on 3/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\System32\p2phost.exe
C:\Windows\ehome\ehtray.exe
D:\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Users\Sam Hern\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Virtual PDF Printer] C:\Program Files\Virtual PDF Printer\VirtualPDFPrinter.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [L08AXLRD_3627116] "D:\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Sam Hern\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD889663-729B-4AD0-9E57-2CB8370BAD94}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9700 bytes
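Triage of the log above, as an added example that is not part of the thread and not a HijackThis feature: a small Python parser that pulls out the O17 NameServer lines and flags any resolver outside an assumed allow-list, lists the O2/O3 entries whose DLL is missing, and reports any non-default O1 hosts entry. The sample lines are copied from the log above; the allow-list of private address ranges is an assumption standing in for whatever the router or ISP actually hands out, so a hit means "review", not "malicious".

```python
"""Triage a HijackThis log for DNS-changer indicators (added example)."""
import ipaddress
import re

# ASSUMPTION: a home PC normally gets its resolvers from the router or ISP;
# this allow-list of private ranges stands in for those. Anything outside it
# is flagged for a human to review, not declared malicious.
EXPECTED_DNS_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Sample input: O1/O2/O3/O17 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD889663-729B-4AD0-9E57-2CB8370BAD94}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")
BHO_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O3 - Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
# The two stock hosts-file lines on Vista; anything else is a local redirect.
STOCK_HOSTS = (["127.0.0.1", "localhost"], ["::1", "localhost"])


def dns_is_expected(server: str) -> bool:
    """True when the resolver address falls inside the assumed allow-list."""
    try:
        addr = ipaddress.ip_address(server.strip())
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_DNS_NETWORKS)


def triage(log_text: str) -> dict:
    """Return the lines a helper would check first, grouped by finding type."""
    findings = {"dns_hijack": [], "orphan_bho_toolbar": [], "hosts_redirect": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            bad = [s for s in m["servers"].split(",") if not dns_is_expected(s)]
            if bad:
                findings["dns_hijack"].append({"key": m["key"], "servers": bad})
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"]
            # "(no file)" / "(file missing)" means a COM registration with no DLL
            # behind it: a leftover of a removed add-on or of malware, so list it.
            if path == "(no file)" or path.endswith("(file missing)"):
                findings["orphan_bho_toolbar"].append(
                    {"kind": m["kind"], "name": m["name"], "clsid": m["clsid"]}
                )
            continue
        m = HOSTS_RE.match(line)
        if m and m["entry"].split() not in STOCK_HOSTS:
            findings["hosts_redirect"].append(m["entry"])
    return findings


def hijacked_resolvers(findings: dict) -> set:
    """Distinct unexpected resolver addresses across every O17 line."""
    return {s for f in findings["dns_hijack"] for s in f["servers"]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
    print("resolvers to review:", sorted(hijacked_resolvers(result)))
```

The same NameServer value sits under CCS, CS1 and CS2 (CurrentControlSet, ControlSet001, ControlSet002), so the setting would survive a boot into Last Known Good Configuration; that is why every O17 line has to be handled together and why the resolver setting is worth re-checking after the next reboot.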

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

  • O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
  • O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{BD889663-729B-4AD0-9E57-2CB8370BAD94}: NameServer = 85.255.112.225,85.255.112.199
  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  • O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Reset Vista Network Connections

1. Right-click the network icon in the System Tray.
2. From the pop-up menu, select "Diagnose and Repair".
3. Click "Automatically get new IP settings for the network adapter 'Local Area Connection'". At this stage there is annoyingly no "Reset network adapter" option.
4. In the "Windows needs your permission to continue" box, click Continue.
5. Wait for the "Repairing" window to complete (takes a while).
6. In the Windows Network Diagnostics window, click "Reset the network adapter 'Local Area Connection'".
7. You should see "The problem has been resolved".
8. Click Close.

----------

Download GooredFix from one of the locations below and save it to your Desktop.

Link #1
Link #2

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

I did all of the instructions except I was not able to reset Vista Network Connections. When I selected "Diagnose and Repair," a window came up and said that it could not find any problems with my Internet connection. Is there another method for resetting the network connections? I posted the log below.

GooredFix v1.92 by jpshortstuff
Log created at 14:00 on 26/03/2009 running Option #1 (Sam Hern)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

No, that's OK.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

OK, I ran the program and here is the log.


ComboFix 09-03-25.04 - Sam Hern 2009-03-26 16:24:11.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3070.2277 [GMT -4:00]
Running from: c:\users\Sam Hern\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\PlayMe
c:\program files\PlayMe\Uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe\Uninstall.lnk
c:\recycler\S-2-3-73-100018799-100001138-100005680-1890.com
c:\users\Sam Hern\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\windows\system32\drivers\gaopdxdrhecxnpiagsrtikhnbokuirjyicmltq.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxsrfldxbhwmdeoiqqxjpjswpcxpiefmrr.dll
c:\windows\system32\KBL.LOG
d:\recycler\S-2-3-73-100018799-100001138-100005680-1890.com
E:\Autorun.inf
e:\recycler\S-2-3-73-100018799-100001138-100005680-1890.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 23:18 . 2009-03-25 23:18  d--------  c:\program files\Trend Micro
2009-03-24 00:56 . 2009-03-09 15:06  15,688  --a------  c:\windows\System32\lsdelete.exe
2009-03-23 22:37 . 2009-03-09 15:06  64,160  --a------  c:\windows\System32\drivers\Lbd.sys
2009-03-23 22:36 . 2009-03-23 22:36  d--h-c---  c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-23 22:36 . 2009-03-23 22:36  d--h-c---  c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-23 22:36 . 2009-03-23 22:36  d--------  c:\program files\Lavasoft
2009-03-22 20:27 . 2009-03-22 20:27  d--h-----  C:\$AVG8.VAULT$
2009-03-22 18:29 . 2009-03-22 21:07  d--------  c:\windows\System32\drivers\Avg
2009-03-22 18:29 . 2009-03-22 18:29  d--------  c:\program files\AVG
2009-03-22 18:29 . 2009-03-22 18:29  325,640  --a------  c:\windows\System32\drivers\avgldx86.sys
2009-03-22 18:29 . 2009-03-22 18:29  107,912  --a------  c:\windows\System32\drivers\avgtdix.sys
2009-03-22 18:29 . 2009-03-22 18:29  10,520  --a------  c:\windows\System32\avgrsstx.dll
2009-03-22 18:05 . 2009-03-22 18:29  d--------  c:\users\All Users\avg8
2009-03-22 18:05 . 2009-03-22 18:29  d--------  c:\programdata\avg8
2009-03-22 15:02 . 2009-03-23 22:37  d----c---  c:\windows\System32\DRVSTORE
2009-03-22 14:57 . 2009-03-23 22:36  d--------  c:\users\All Users\Lavasoft
2009-03-22 14:57 . 2009-03-23 22:36  d--------  c:\programdata\Lavasoft
2009-03-10 20:01 . 2009-02-08 23:10  2,033,152  --a------  c:\windows\System32\win32k.sys
2009-03-10 20:01 . 2008-11-27 00:43  268,288  --a------  c:\windows\System32\schannel.dll
2009-03-01 00:47 . 2009-03-01 00:47  d--------  c:\program files\SpeedFan
2009-03-01 00:47 . 2009-03-01 00:47  45  --a------  c:\windows\System32\initdebug.nfo
2009-03-01 00:10 . 2009-03-01 00:23  d--------  c:\program files\Notebook Hardware Control
2009-02-26 18:22 . 2008-06-19 21:14  781,344  --a------  c:\windows\System32\PresentationNative_v0300.dll
2009-02-26 18:22 . 2008-06-19 21:14  622,080  --a------  c:\windows\System32\icardagt.exe
2009-02-26 18:22 . 2008-06-19 21:14  326,160  --a------  c:\windows\System32\PresentationHost.exe
2009-02-26 18:22 . 2008-06-19 21:14  105,016  --a------  c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-26 18:22 . 2008-06-19 21:14  97,800  --a------  c:\windows\System32\infocardapi.dll
2009-02-26 18:22 . 2008-06-19 21:14  43,544  --a------  c:\windows\System32\PresentationHostProxy.dll
2009-02-26 18:22 . 2008-06-19 21:14  37,384  --a------  c:\windows\System32\infocardcpl.cpl
2009-02-26 18:22 . 2008-06-19 21:14  11,264  --a------  c:\windows\System32\icardres.dll
2009-02-26 18:13 . 2008-07-27 14:03  96,760  --a------  c:\windows\System32\dfshim.dll
2009-02-26 18:12 . 2008-07-27 14:03  282,112  --a------  c:\windows\System32\mscoree.dll
2009-02-26 18:12 . 2008-07-27 14:03  41,984  --a------  c:\windows\System32\netfxperf.dll
2009-02-26 18:11 . 2008-07-27 14:03  158,720  --a------  c:\windows\System32\mscorier.dll
2009-02-26 18:11 . 2008-07-27 14:03  83,968  --a------  c:\windows\System32\mscories.dll
2009-02-26 18:08 . 2008-12-15 23:29  8,147,456  --a------  c:\windows\System32\wmploc.DLL
2009-02-26 18:08 . 2008-12-16 01:31  7,680  --a------  c:\windows\System32\spwmp.dll
2009-02-26 18:08 . 2008-12-16 01:31  4,096  --a------  c:\windows\System32\msdxm.ocx
2009-02-26 18:08 . 2008-12-16 01:31  4,096  --a------  c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 20:32  ---------  d-----w  c:\users\Sam Hern\AppData\Roaming\DNA
2009-03-25 12:13  ---------  d-----w  c:\program files\Java
2009-03-23 02:32  28,124  ----a-w  c:\users\All Users\nvModes.dat
2009-03-23 02:32  28,124  ----a-w  c:\programdata\nvModes.dat
2009-03-21 17:01  ---------  d-----w  c:\users\Sam Hern\AppData\Roaming\BitTorrent
2009-03-11 11:26  ---------  d-----w  c:\program files\Windows Mail
2009-03-11 05:26  ---------  d-----w  c:\programdata\Microsoft Help
2009-03-09 09:19  410,984  ----a-w  c:\windows\System32\deploytk.dll
2009-02-26 22:52  ---------  d-----w  c:\program files\Microsoft Silverlight
2009-02-26 22:34  ---------  d-----w  c:\program files\Microsoft SQL Server
2009-01-16 14:59  73,728  ----a-w  c:\windows\System32\RtNicProp32.dll
2009-01-15 06:11  827,392  ----a-w  c:\windows\System32\wininet.dll
2008-06-05 23:35  28,124  ----a-w  c:\users\Sam Hern\AppData\Roaming\nvModes.dat
2008-06-03 01:50  262,144  ----a-w  c:\programdata\ntuser.dat
2008-01-21 02:41  174  --sha-w  c:\program files\desktop.ini
2003-09-16 05:19  99,544  ----a-w  c:\windows\inf\virprn.exe
2003-09-16 05:19  90,624  ----a-w  c:\windows\inf\prtproc.dll
2003-09-16 05:19  18,950  ----a-w  c:\windows\inf\virpntd.dll
2003-09-16 05:19  10,240  ----a-w  c:\windows\inf\virport.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-20 192000]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"L08AXLRD_3627116"="d:\microsoft student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
"BitTorrent DNA"="c:\users\Sam Hern\Program Files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 671744]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-22 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-05 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification PackagesREG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Sam Hern^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=c:\users\Sam Hern\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=c:\windows\pss\YouTube Uploader.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 02:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-08-07 23:14 119280 c:\users\Sam Hern\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
--a------ 2007-09-04 16:54 554320 c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-09-19 17:31 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D567C9C4-9372-4263-82E8-5B53DCC4E665}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{22F77B24-07A2-4E74-AEF1-994026E286BA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E6B34721-BB08-4E9D-A3FB-DBF3C4530AF2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1F87F909-2EA4-4E41-8C59-6AF4A5644ED1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{97FFE196-3F9B-4AF7-BEFD-EB0AC8FF3C88}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7C92D134-56D2-48CF-8849-6D6B8E72EA3F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{FD28CF17-C718-44AA-8644-ACC2F740B9C3}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{EBE4857C-43EE-4328-AAF2-970343011E23}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7640D92A-E994-464B-8BB3-D2DB0F1D8238}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3975E01C-D56B-4629-815E-3D70A1B4F0A9}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{031E2B37-4578-4034-A8BD-D3663A717BFE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{2F47012C-F760-47BE-BF4D-97DF237CF2A4}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{74DE3353-CCC7-4789-96AE-649315BFCBFB}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7A47D0AC-4C07-43F9-AD8A-B5E9EEFBFDE6}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{45DCF8F0-D2C6-4626-9C38-008DC137F38C}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{E143B07B-DADE-47CA-80A7-EDD0B3395BAF}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{C5484B3D-C2F7-4E30-82F8-4D6B83807D85}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{40CEAEF1-1981-4329-849C-A8E3D17323E1}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"TCP Query User{B4D25E5D-95F4-45AD-BAF6-6E4A75088FCC}c:\\program files\\maxima-5.16.3\\wxmaxima\\wxmaxima.exe"= UDP:c:\program files\maxima-5.16.3\wxmaxima\wxmaxima.exe:wxMaxima
"UDP Query User{C9F4853B-34E1-4FE0-95E1-8607C815477E}c:\\program files\\maxima-5.16.3\\wxmaxima\\wxmaxima.exe"= TCP:c:\program files\maxima-5.16.3\wxmaxima\wxmaxima.exe:wxMaxima
"TCP Query User{963E5FF3-B9CA-4F67-976F-CF2B9B5B3FD9}d:\\bittorrent\\bittorrent.exe"= UDP:d:\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{6E848298-2BFD-409C-A1E2-5ADF9943BA1F}d:\\bittorrent\\bittorrent.exe"= TCP:d:\bittorrent\bittorrent.exe:bittorrent
"{0AD427A8-1AFC-40D5-9CF8-B1FADF91048C}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{A8850746-E9F3-4A33-AE53-D24E4E8DF483}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{CE3D63F4-F9A7-45D7-BF74-20C925F7461E}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{B410286C-844F-46A6-ADBE-CC8F116F176D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{2E9A9144-1144-4500-AE67-9045DF1314F1}"= UDP:d:\bittorrent\bittorrent.exe:BitTorrent
"{B9E89948-C54B-4B85-9B4C-E7BDF8062A20}"= TCP:d:\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{DC907F5F-AF2F-41A5-B7C1-7BE807577058}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{4CA96B6E-6FB2-4697-A7B6-DE5FB2E9CF79}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"TCP Query User{D7780A0A-2D27-48FC-9357-358FCA8EBE96}c:\\program files\\cambridgesoft\\chemoffice2008\\chem3d\\chem3d.exe"= UDP:c:\program files\cambridgesoft\chemoffice2008\chem3d\chem3d.exe:ChemBio3D Ultra 11.0.1
"UDP Query User{3DF3FFC7-D459-4FF2-A5B8-9D1C550CDEE4}c:\\program files\\cambridgesoft\\chemoffice2008\\chem3d\\chem3d.exe"= TCP:c:\program files\cambridgesoft\chemoffice2008\chem3d\chem3d.exe:ChemBio3D Ultra 11.0.1
"TCP Query User{8E36830A-5984-4DB2-95F6-52B564945646}c:\\program files\\cambridgesoft\\chemoffice2008\\chemdraw\\chemdraw.exe"= UDP:c:\program files\cambridgesoft\chemoffice2008\chemdraw\chemdraw.exe:ChemBioDraw Ultra 11.0.1
"UDP Query User{FA2D4C84-F53D-4E86-A945-7AE34D8A145C}c:\\program files\\cambridgesoft\\chemoffice2008\\chemdraw\\chemdraw.exe"= TCP:c:\program files\cambridgesoft\chemoffice2008\chemdraw\chemdraw.exe:ChemBioDraw Ultra 11.0.1
"TCP Query User{A3A2F845-DFAA-4B19-8669-8D51FC3827F0}c:\\program files\\cambridgesoft\\chemoffice2008\\chem3d\\chem3d.exe"= UDP:c:\program files\cambridgesoft\chemoffice2008\chem3d\chem3d.exe:ChemBio3D Ultra 11.0.1
"UDP Query User{01868467-4557-4149-8A5F-CB1CC2181D19}c:\\program files\\cambridgesoft\\chemoffice2008\\chem3d\\chem3d.exe"= TCP:c:\program files\cambridgesoft\chemoffice2008\chem3d\chem3d.exe:ChemBio3D Ultra 11.0.1
"{46016AC4-9D05-4E0F-9D2D-EFCC56D59EC0}"= Disabled:UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D918C5DD-AADE-4A53-BD22-A09A4B0FFCB6}"= Disabled:TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{62C36177-5BA7-4755-AFAA-1793BA53A8AC}"= UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{F14F7880-473D-4ADE-907C-477B87D86C89}"= TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{F81E8F30-7595-471A-A41C-1F3554F59D53}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{5D80DF93-0883-40B8-AF75-7E8920CAB823}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"d:\\BitTorrent\\bittorrent.exe"= d:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-23 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-03-22 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-03-22 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-22 298264]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\System32\drivers\ATSwpWDF.sys [2008-10-02 482176]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [2008-06-02 968832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

--- Other Services/Drivers In Memory ---

*Deregistered* - CO_Mon
*Deregistered* - SymEvent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcsREG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac93ab1f-3b4a-11dd-8138-89ef840a8b75}]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKLM-Run-Virtual PDF Printer - c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-hpWirelessAssistant - c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
MSConfigStartUp-QPService - c:\program files\HP\QuickPlay\QPService.exe
MSConfigStartUp-WAWifiMessage - c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Sam Hern\AppData\Roaming\Mozilla\Firefox\Profiles\ute3ick1.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\Sam Hern\AppData\Local\Google\Update\1.2.121.17\npGoogleOneClick.dll
FF - plugin: c:\users\Sam Hern\Program Files\DNA\plugins\npbtdna.dll
FF - plugin: d:\palm\PACKAG~1\NPInstal.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 16:31:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\DPPWDFLT.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgnsx.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-03-26 16:35:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 20:35:27

Pre-Run: 47,323,611,136 bytes free
Post-Run: 47,615,905,792 bytes free

308--- E O F ---2009-03-19 18:54:54
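As an added example (not part of this thread or of ComboFix itself), a small Python check that parses the "Reg Loading Points" block of a ComboFix log like the one above and flags the two settings that account for a firewall that is off at every boot: EnableFirewall=0 on each firewallpolicy profile, and DisableMonitoring=1 under Security Center, which suppresses the "firewall is off" warning. The sample input is a constructed excerpt in the same format, not the thread's own log.

```python
"""Audit firewall and Security Center settings in a ComboFix-style
"Reg Loading Points" dump (added example; not from the original thread)."""
import re

# Constructed excerpt in the REGEDIT4-like layout ComboFix prints; sample
# input for this example, not the thread's own log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PROFILE_RE = re.compile(r'\\firewallpolicy\\(\w+Profile)$', re.IGNORECASE)


def _parse_value(raw):
    """Turn ComboFix's value spellings into ints where possible:
    'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else stays a string."""
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'-?\d+', raw)
    return int(m.group(0)) if m else raw


def parse_reg_dump(text):
    """Return {section_key: {value_name: value}} for the dump's [key] blocks."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = _parse_value(m.group(2).strip())
    return sections


def audit_firewall(sections):
    """Flag the two conditions behind a firewall that is 'off at every boot':
    EnableFirewall=0 on a firewallpolicy profile, and DisableMonitoring=1
    under Security Center (which silences the 'firewall is off' warning)."""
    findings = []
    for key, values in sections.items():
        leaf = key.rsplit('\\', 1)[-1]
        if '\\security center\\monitoring' in key.lower() and values.get('DisableMonitoring') == 1:
            findings.append('Security Center monitoring disabled: ' + leaf)
        m = PROFILE_RE.search(key)
        if m and values.get('EnableFirewall') == 0:
            findings.append(m.group(1) + ': EnableFirewall=0')
    return findings


if __name__ == '__main__':
    for finding in audit_firewall(parse_reg_dump(SAMPLE_LOG)):
        print(finding)
```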

To completely remove Norton/Symantec, go to Add/Remove Programs and uninstall anything with Norton, Symantec or Live Update in the name.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.
  • Go to your desktop and double click on the removal tool and then click Setup.
  • Once open Click Next
  • Accept the license agreement and click Next
  • Type in the letters/numbers that you see into the text box then click Next.
  • Then click Next and the tool will start running.
  • Once finished restart the PC.
  • Delete the Norton Removal Tool from your Desktop.
.
----------

Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

----------

How is the computer running now?

All of the problems seem to be fixed. I did the Malwarebytes scan as well as a Lavasoft scan. There were two tracking cookies, which I deleted, but that was it. The firewall stays on when I turn on the computer and I am not redirected to other sites when I am on Google. Thank you so much for your help!

Malwarebytes' Anti-Malware 1.34
Database version: 1904
Windows 6.0.6001 Service Pack 1

3/26/2009 5:55:37 PM
mbam-log-2009-03-26 (17-55-37).txt

Scan type: Quick Scan
Objects scanned: 67580
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Final steps. Let me know if you have any questions.
.
• Click START then RUN
• Now type Combofix /u in the run box
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.
.
The above procedure will:
• Delete ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

Use the Secunia Software Inspector to check for out-of-date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

OK, I updated my computer also. Thanks again for all of your help. I really appreciate it.

You're welcome.

Safe surfing...