Author Topic: PLEASE HELP!!! Google redirect and no firewall (Read 6797 times)

kb_303 · « **on:** May 08, 2010, 09:16:05 AM »

Alright guys, I know some of the best are on this site and I need some help. I was infected by some anti virus soft crap yesterday which I removed with malware bytes. However I know get informed that my firewall is turned off and I cant get it to turn back on. When using google, I get a normal results page, but when I click on one it redirects me to some other page. Thanks in advance.

kb_303 · « **Reply #1 on:** May 08, 2010, 10:50:00 AM »

SAS LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2010 at 11:26 AM

Application Version : 4.37.1000

Core Rules Database Version : 4907
Trace Rules Database Version: 2719

Scan type : Quick Scan
Total Scan Time : 00:17:21

Memory items scanned : 623
Memory threats detected : 0
Registry items scanned : 572
Registry threats detected : 0
File items scanned : 6666
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@mediacomcable[1].txt

Malware Bytes LOG

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/8/2010 11:50:59 AM
mbam-log-2010-05-08 (11-50-59).txt

Scan type: Quick scan
Objects scanned: 130623
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

kb_303 · « **Reply #2 on:** May 08, 2010, 11:22:26 AM »

and the final log.....

hijack this

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:23:00 PM, on 5/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [tdispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 11130 bytes

kb_303 · « **Reply #3 on:** May 08, 2010, 11:52:48 AM »

Update:

Ive got the firewall back working
However, any search bar will be redirected. including the search bar at the top right of this page.

I know you guys can help, I'll patiently wait for some answers. THANKS AGAIN!!

kb_303 · « **Reply #4 on:** May 08, 2010, 02:46:16 PM »

I followed all instructions in the self help forum..... Problem still not fixed, most, not all search results are redirected.

Here are the latest logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2010 at 03:17 PM

Application Version : 4.37.1000

Core Rules Database Version : 4907
Trace Rules Database Version: 2719

Scan type : Quick Scan
Total Scan Time : 00:16:28

Memory items scanned : 610
Memory threats detected : 0
Registry items scanned : 533
Registry threats detected : 0
File items scanned : 6673
File threats detected : 16

Adware.Tracking Cookie
   C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@tacoda[1].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
   C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/8/2010 3:43:04 PM
mbam-log-2010-05-08 (15-43-04).txt

Scan type: Quick scan
Objects scanned: 131486
Time elapsed: 14 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:31 PM, on 5/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [tdispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10197 bytes

SuperDave · « **Reply #5 on:** May 10, 2010, 07:12:20 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

=================================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
=====================================

Please download ComboFix

from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console[/list]

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

kb_303 · « **Reply #6 on:** May 13, 2010, 03:49:40 PM »

I cannot get the following command to run: %userprofile%\desktop\commy.exe" /stepdel. I have commy.exe saved to the desktop but windows says it cannot find the file. what am i doing wrong?

SuperDave · « **Reply #7 on:** May 13, 2010, 05:29:48 PM »

Ok. Delete ComboFix from you desktop.

Download ComboFix by sUBs from one of the below links.

Important! You MUST save ComboFix to your desktop

link # 1
Link # 2

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

kb_303 · « **Reply #8 on:** May 13, 2010, 07:13:06 PM »

I disabled my avira antivirus but during the combofix process there was a reboot required which in turn enabled my antivirus and twice I got a warning from it during the combofix process about a trojan.exe or something like that. I chose to ignore these two warnings and let combofix do it's thing. Heres the log.

ComboFix 10-05-13.02 - ****** ******** 05/13/2010 19:48:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.195 [GMT -5:00]
Running from: c:\documents and settings\**************\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
   /wow section - STAGE 32A
Access is denied.
The system cannot find the path specified.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\system32\igfxrara.lrc
c:\windows\system32\igfxrchs.lrc
c:\windows\system32\igfxrcht.lrc
c:\windows\system32\igfxrcsy.lrc
c:\windows\system32\igfxrdan.lrc
c:\windows\system32\igfxrdeu.lrc
c:\windows\system32\igfxrell.lrc
c:\windows\system32\igfxrenu.lrc
c:\windows\system32\igfxresp.lrc
c:\windows\system32\igfxrfin.lrc
c:\windows\system32\igfxrfra.lrc
c:\windows\system32\igfxrheb.lrc
c:\windows\system32\igfxrhun.lrc
c:\windows\system32\igfxrita.lrc
c:\windows\system32\igfxrjpn.lrc
c:\windows\system32\igfxrkor.lrc
c:\windows\system32\igfxrnld.lrc
c:\windows\system32\igfxrnor.lrc
c:\windows\system32\igfxrplk.lrc
c:\windows\system32\igfxrptb.lrc
c:\windows\system32\igfxrptg.lrc
c:\windows\system32\igfxrrus.lrc
c:\windows\system32\igfxrsve.lrc
c:\windows\system32\igfxrtha.lrc
c:\windows\system32\igfxrtrk.lrc
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-08 17:15 . 2010-05-08 17:15   388096   ----a-r-   c:\documents and settings\Ashley Broadway\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 17:15 . 2010-05-08 17:15   --------   d-----w-   c:\program files\Trend Micro
2010-05-08 17:06 . 2010-05-08 17:06   --------   d-----w-   c:\program files\Common Files\Java
2010-05-08 17:05 . 2010-05-08 17:05   503808   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcp71.dll
2010-05-08 17:05 . 2010-05-08 17:05   61440   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-sse.dll
2010-05-08 17:05 . 2010-05-08 17:05   499712   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\jmc.dll
2010-05-08 17:05 . 2010-05-08 17:05   348160   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcr71.dll
2010-05-08 17:05 . 2010-05-08 17:05   12800   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-d3d.dll
2010-05-08 17:05 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-08 16:07 . 2010-05-08 16:07   63488   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-08 16:07 . 2010-05-08 16:07   52224   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-08 16:07 . 2010-05-08 16:07   117760   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-08 16:06 . 2010-05-08 16:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com
2010-05-08 16:03 . 2010-05-08 16:03   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-05-08 15:37 . 2010-05-08 15:38   --------   d-----w-   c:\program files\CCleaner
2010-05-08 15:28 . 2010-05-08 15:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2010-05-08 15:28 . 2010-05-08 15:28   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\OnlineArmor
2010-05-08 15:27 . 2010-04-20 09:13   24440   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-05-08 15:27 . 2010-04-20 09:13   29560   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-05-08 15:27 . 2010-04-20 09:13   228216   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-05-08 15:27 . 2010-05-08 15:27   --------   d-----w-   c:\program files\Tall Emu
2010-05-08 04:46 . 2010-05-08 04:46   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 04:45 . 2010-05-08 04:46   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-08 04:45 . 2010-05-08 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-08 04:32 . 2010-05-08 15:55   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-05-08 03:31 . 2010-05-08 04:58   --------   d-----w-   c:\documents and settings\Ashley Broadway\Local Settings\Application Data\rdqyqhqrv
2010-04-15 22:14 . 2010-04-15 22:14   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\program files\Common Files\HP
2010-04-15 22:07 . 2010-04-15 22:07   --------   d-----w-   c:\program files\Hewlett-Packard
2010-04-15 22:05 . 2010-04-15 22:05   --------   d-----w-   c:\program files\Common Files\Hewlett-Packard
2010-04-15 22:04 . 2005-03-14 18:39   65536   ----a-w-   c:\windows\system32\HPZinw12.exe
2010-04-15 22:04 . 2005-03-14 17:05   204800   ----a-w-   c:\windows\system32\HPZipr12.dll
2010-04-15 22:04 . 2005-03-14 17:05   69632   ----a-w-   c:\windows\system32\HPZipm12.exe
2010-04-15 22:04 . 2005-03-14 17:03   278584   ----a-w-   c:\windows\system32\HPZidr12.dll
2010-04-15 22:04 . 2005-03-08 16:55   57344   ----a-w-   c:\windows\system32\HPZisn12.dll
2010-04-15 22:04 . 2005-03-08 16:55   94208   ----a-w-   c:\windows\system32\HPZipt12.dll
2010-04-15 22:03 . 2010-04-15 22:10   --------   d-----w-   c:\program files\HP
2010-04-15 22:01 . 2010-04-15 22:12   110030   ----a-w-   c:\windows\hpoins08.dat
2010-04-15 22:01 . 2006-01-24 07:11   7577   ------w-   c:\windows\hpomdl08.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 17:11 . 2006-02-16 09:28   --------   d-----w-   c:\program files\Java
2010-05-08 04:17 . 2009-02-23 05:32   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\AOL
2010-05-08 04:17 . 2006-02-16 09:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL
2010-05-08 04:11 . 2010-03-29 03:11   --------   d-----w-   c:\program files\Absolutist.com
2010-04-08 13:32 . 2009-03-22 15:48   --------   d-----w-   c:\program files\LimeWire
2010-04-08 13:32 . 2010-04-08 12:41   --------   d-----w-   c:\program files\Ask.com
2010-03-11 12:38 . 2006-02-15 14:04   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-02-15 14:02   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-02-15 14:02   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-02-15 14:04   430080   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-02-15 14:03   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-15 14:03   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [5/8/2010 10:27 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [5/8/2010 10:27 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [5/8/2010 10:27 AM 29560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2009 11:17 AM 108289]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [5/8/2010 10:27 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [5/8/2010 10:27 AM 3364856]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ashley Broadway\Application Data\Mozilla\Firefox\Profiles\em12wm4b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.dallascowboys.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-13 20:07:14
ComboFix-quarantined-files.txt 2010-05-14 01:07

Pre-Run: 95,261,241,344 bytes free
Post-Run: 96,094,842,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 3BD096F2E1B3056D2D11EEFEE6E3281F

SuperDave · « **Reply #9 on:** May 14, 2010, 11:34:18 AM »

P2P - I see you have P2P software installed on your machine. (LimeWire) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
=========================================
I strongly recommend you to remove Ask from your computer because it is;

•Promoting its toolbars on sites targeted to kids.

•Promoting its toolbars through ads that appear to be part of other companies' sites.

•Promoting its toolbars through other companies' spyware.

•Installing without any disclosure whatsoever and without any consent whatsoever.

•Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

•Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

•AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis.
======================================
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:

* ViewMgr.exe - Useless
* Viewpoint to Plunge Into Adware

It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
======================================

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
File::
c:\documents and settings\Ashley Broadway\Local Settings\Application Data\rdqyqhqrv
Folder::
c:\documents and settings\Ashley Broadway\Local Settings\Application Data\rdqyqhqrv
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

===================================
I'd like us to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the

button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check

•Click the

button.
•Accept any security warnings from your browser.
•Check

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push

•Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the

button.
•Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

kb_303 · « **Reply #10 on:** May 14, 2010, 03:53:43 PM »

I intended to remove all of the above, however the only thing that I could find from the list was one Viewpoint item. Heres the Combofix log.

ComboFix 10-05-13.02 - Ashley Broadway 05/14/2010 16:27:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.249 [GMT -5:00]
Running from: c:\documents and settings\Ashley Broadway\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ashley Broadway\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"c:\documents and settings\Ashley Broadway\Local Settings\Application Data\rdqyqhqrv"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ashley Broadway\Local Settings\Application Data\rdqyqhqrv

.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-08 17:15 . 2010-05-08 17:15   388096   ----a-r-   c:\documents and settings\Ashley Broadway\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 17:15 . 2010-05-08 17:15   --------   d-----w-   c:\program files\Trend Micro
2010-05-08 17:06 . 2010-05-08 17:06   --------   d-----w-   c:\program files\Common Files\Java
2010-05-08 17:05 . 2010-05-08 17:05   503808   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcp71.dll
2010-05-08 17:05 . 2010-05-08 17:05   61440   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-sse.dll
2010-05-08 17:05 . 2010-05-08 17:05   499712   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\jmc.dll
2010-05-08 17:05 . 2010-05-08 17:05   348160   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcr71.dll
2010-05-08 17:05 . 2010-05-08 17:05   12800   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-d3d.dll
2010-05-08 17:05 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-08 16:07 . 2010-05-08 16:07   63488   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-08 16:07 . 2010-05-08 16:07   52224   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-08 16:07 . 2010-05-08 16:07   117760   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-08 16:06 . 2010-05-08 16:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com
2010-05-08 16:03 . 2010-05-08 16:03   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-05-08 15:37 . 2010-05-08 15:38   --------   d-----w-   c:\program files\CCleaner
2010-05-08 15:28 . 2010-05-08 15:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2010-05-08 15:28 . 2010-05-08 15:28   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\OnlineArmor
2010-05-08 15:27 . 2010-04-20 09:13   24440   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-05-08 15:27 . 2010-04-20 09:13   29560   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-05-08 15:27 . 2010-04-20 09:13   228216   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-05-08 15:27 . 2010-05-08 15:27   --------   d-----w-   c:\program files\Tall Emu
2010-05-08 04:46 . 2010-05-08 04:46   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 04:45 . 2010-05-08 04:46   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-08 04:45 . 2010-05-08 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-08 04:32 . 2010-05-08 15:55   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-15 22:14 . 2010-04-15 22:14   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\program files\Common Files\HP
2010-04-15 22:07 . 2010-04-15 22:07   --------   d-----w-   c:\program files\Hewlett-Packard
2010-04-15 22:05 . 2010-04-15 22:05   --------   d-----w-   c:\program files\Common Files\Hewlett-Packard
2010-04-15 22:04 . 2005-03-14 18:39   65536   ----a-w-   c:\windows\system32\HPZinw12.exe
2010-04-15 22:04 . 2005-03-14 17:05   204800   ----a-w-   c:\windows\system32\HPZipr12.dll
2010-04-15 22:04 . 2005-03-14 17:05   69632   ----a-w-   c:\windows\system32\HPZipm12.exe
2010-04-15 22:04 . 2005-03-14 17:03   278584   ----a-w-   c:\windows\system32\HPZidr12.dll
2010-04-15 22:04 . 2005-03-08 16:55   57344   ----a-w-   c:\windows\system32\HPZisn12.dll
2010-04-15 22:04 . 2005-03-08 16:55   94208   ----a-w-   c:\windows\system32\HPZipt12.dll
2010-04-15 22:03 . 2010-04-15 22:10   --------   d-----w-   c:\program files\HP
2010-04-15 22:01 . 2010-04-15 22:12   110030   ----a-w-   c:\windows\hpoins08.dat
2010-04-15 22:01 . 2006-01-24 07:11   7577   ------w-   c:\windows\hpomdl08.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 17:11 . 2006-02-16 09:28   --------   d-----w-   c:\program files\Java
2010-05-08 04:17 . 2009-02-23 05:32   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\AOL
2010-05-08 04:17 . 2006-02-16 09:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL
2010-05-08 04:11 . 2010-03-29 03:11   --------   d-----w-   c:\program files\Absolutist.com
2010-04-08 13:32 . 2009-03-22 15:48   --------   d-----w-   c:\program files\LimeWire
2010-04-08 13:32 . 2010-04-08 12:41   --------   d-----w-   c:\program files\Ask.com
2010-03-11 12:38 . 2006-02-15 14:04   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-02-15 14:02   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-02-15 14:02   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-02-15 14:04   430080   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-02-15 14:03   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-15 14:03   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [5/8/2010 10:27 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [5/8/2010 10:27 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [5/8/2010 10:27 AM 29560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2009 11:17 AM 108289]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [5/8/2010 10:27 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [5/8/2010 10:27 AM 3364856]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ashley Broadway\Application Data\Mozilla\Firefox\Profiles\em12wm4b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.dallascowboys.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 16:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1464)
c:\windows\system32\WININET.dll
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TDispVol.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSMain.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Tall Emu\Online Armor\OAhlp.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-14 16:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 21:47
ComboFix2.txt 2010-05-14 01:07

Pre-Run: 95,946,596,352 bytes free
Post-Run: 95,916,834,816 bytes free

- - End Of File - - 6A093E5B973730AB57132D842CF47885

SuperDave · « **Reply #11 on:** May 14, 2010, 06:26:03 PM »

Ok. This should get rid of them. After you run this ComboFix script, please run the ESET scan as described in Reply # 9

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

DDS::
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

Folder::
c:\program files\Ask.com
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Please send me another HJT log.

kb_303 · « **Reply #12 on:** May 14, 2010, 08:01:58 PM »

I was in the process of running the ESET scan which took over 3 hours, but didn't find any infections and therefore didnt give me a log. I followed that up with another combofix and then HJT. Here are the respective logs.

ComboFix 10-05-13.02 - Ashley Broadway 05/14/2010 20:38:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.220 [GMT -5:00]
Running from: c:\documents and settings\Ashley Broadway\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ashley Broadway\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\btn_search.png
c:\program files\Ask.com\limewire_logo.png

.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 22:01 . 2010-05-14 22:01   --------   d-----w-   c:\program files\ESET
2010-05-08 17:15 . 2010-05-08 17:15   --------   d-----w-   c:\program files\Trend Micro
2010-05-08 17:06 . 2010-05-08 17:06   --------   d-----w-   c:\program files\Common Files\Java
2010-05-08 17:05 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-08 16:06 . 2010-05-08 16:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-08 16:05 . 2010-05-08 16:05   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com
2010-05-08 16:03 . 2010-05-08 16:03   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-05-08 15:37 . 2010-05-08 15:38   --------   d-----w-   c:\program files\CCleaner
2010-05-08 15:28 . 2010-05-08 15:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2010-05-08 15:28 . 2010-05-08 15:28   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\OnlineArmor
2010-05-08 15:27 . 2010-04-20 09:13   24440   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-05-08 15:27 . 2010-04-20 09:13   29560   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-05-08 15:27 . 2010-04-20 09:13   228216   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-05-08 15:27 . 2010-05-08 15:27   --------   d-----w-   c:\program files\Tall Emu
2010-05-08 04:46 . 2010-05-08 04:46   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 04:45 . 2010-05-08 04:46   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-08 04:45 . 2010-05-08 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 04:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-08 04:32 . 2010-05-08 15:55   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-15 22:14 . 2010-04-15 22:14   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP
2010-04-15 22:10 . 2010-04-15 22:10   --------   d-----w-   c:\program files\Common Files\HP
2010-04-15 22:07 . 2010-04-15 22:07   --------   d-----w-   c:\program files\Hewlett-Packard
2010-04-15 22:05 . 2010-04-15 22:05   --------   d-----w-   c:\program files\Common Files\Hewlett-Packard
2010-04-15 22:04 . 2005-03-14 18:39   65536   ----a-w-   c:\windows\system32\HPZinw12.exe
2010-04-15 22:04 . 2005-03-14 17:05   204800   ----a-w-   c:\windows\system32\HPZipr12.dll
2010-04-15 22:04 . 2005-03-14 17:05   69632   ----a-w-   c:\windows\system32\HPZipm12.exe
2010-04-15 22:04 . 2005-03-14 17:03   278584   ----a-w-   c:\windows\system32\HPZidr12.dll
2010-04-15 22:04 . 2005-03-08 16:55   57344   ----a-w-   c:\windows\system32\HPZisn12.dll
2010-04-15 22:04 . 2005-03-08 16:55   94208   ----a-w-   c:\windows\system32\HPZipt12.dll
2010-04-15 22:03 . 2010-04-15 22:10   --------   d-----w-   c:\program files\HP
2010-04-15 22:01 . 2010-04-15 22:12   110030   ----a-w-   c:\windows\hpoins08.dat
2010-04-15 22:01 . 2006-01-24 07:11   7577   ------w-   c:\windows\hpomdl08.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 17:15 . 2010-05-08 17:15   388096   ----a-r-   c:\documents and settings\Ashley Broadway\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-08 17:11 . 2006-02-16 09:28   --------   d-----w-   c:\program files\Java
2010-05-08 17:05 . 2010-05-08 17:05   503808   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcp71.dll
2010-05-08 17:05 . 2010-05-08 17:05   61440   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-sse.dll
2010-05-08 17:05 . 2010-05-08 17:05   499712   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\jmc.dll
2010-05-08 17:05 . 2010-05-08 17:05   348160   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b4eeed-n\msvcr71.dll
2010-05-08 17:05 . 2010-05-08 17:05   12800   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60df0a0f-n\decora-d3d.dll
2010-05-08 16:07 . 2010-05-08 16:07   63488   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-08 16:07 . 2010-05-08 16:07   52224   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-08 16:07 . 2010-05-08 16:07   117760   ----a-w-   c:\documents and settings\Ashley Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-08 04:17 . 2009-02-23 05:32   --------   d-----w-   c:\documents and settings\Ashley Broadway\Application Data\AOL
2010-05-08 04:17 . 2006-02-16 09:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL
2010-05-08 04:11 . 2010-03-29 03:11   --------   d-----w-   c:\program files\Absolutist.com
2010-04-08 13:32 . 2009-03-22 15:48   --------   d-----w-   c:\program files\LimeWire
2010-03-11 12:38 . 2006-02-15 14:04   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-02-15 14:02   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-02-15 14:02   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-02-15 14:04   430080   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-02-15 14:03   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-15 14:03   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [5/8/2010 10:27 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [5/8/2010 10:27 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [5/8/2010 10:27 AM 29560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2009 11:17 AM 108289]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [5/8/2010 10:27 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [5/8/2010 10:27 AM 3364856]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ashley Broadway\Application Data\Mozilla\Firefox\Profiles\em12wm4b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.dallascowboys.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 20:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2888)
c:\windows\system32\WININET.dll
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TDispVol.exe
c:\windows\eHome\ehmsas.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Tall Emu\Online Armor\OAhlp.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-14 21:00:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 02:00
ComboFix2.txt 2010-05-14 21:47
ComboFix3.txt 2010-05-14 01:07

Pre-Run: 95,807,287,296 bytes free
Post-Run: 95,774,167,040 bytes free

- - End Of File - - 2F886E9D66F0E537D7C9BA88796B47FC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:33 PM, on 5/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [tdispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9232 bytes

SuperDave · « **Reply #13 on:** May 15, 2010, 01:21:53 PM »

Are you still getting the redirects?

kb_303 · « **Reply #14 on:** May 15, 2010, 01:33:08 PM »

No, things appear to be working fine now. I really appreciate your time and effort in helping me out.

Computer Hope Forum

News:

Author Topic: PLEASE HELP!!! Google redirect and no firewall (Read 6797 times)

kb_303

PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

SuperDave

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

SuperDave

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

SuperDave

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

SuperDave

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall

SuperDave

Re: PLEASE HELP!!! Google redirect and no firewall

kb_303

Re: PLEASE HELP!!! Google redirect and no firewall