Author Topic: [Resolved K]dds  (Read 4148 times)


Offline rich1428

  • Bronze Member
  • Posts: 71
[Resolved K]dds
« on: February 19, 2012, 05:29:57 PM »
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_24
Run by Gary at 18:09:48 on 2012-02-19
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2045.910 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\spool\drivers\w32x86\3\CTpdpsrv.exe
C:\Program Files\Belkin Storage Manager\StorageManager.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80117&lng=en
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80117
uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
uURLSearchHooks: N/A: {8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: TV Center Toolbar: {a7347e8c-1ca6-469b-951e-4a23c4437935} - c:\program files\tv_center\tbTV_1.dll
mURLSearchHooks: H - No File
BHO: : {11bf46c6-b3de-48bd-bf70-3ad85cab80b5} - c:\progra~1\sitera~1\SiteRank.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Search Assistant BHO: {9b9dcae3-be34-424c-8d73-75e305a9e091} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: TV Center Toolbar: {a7347e8c-1ca6-469b-951e-4a23c4437935} - c:\program files\tv_center\tbTV_1.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: {CCB69577-088B-4004-9ED8-FF5BCC83A039} - No File
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Toolbar BHO: {dc9051c2-8f55-479a-97a4-747980d9047f} - c:\progra~1\weathe~2\bar\1.bin\gcbar.dll
TB: NexusBar: {4e7bd74f-2b8d-469e-c0ff-fd7fa18dbf33} - c:\progra~1\nexusbar\nexusbar.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: TV Center Toolbar: {a7347e8c-1ca6-469b-951e-4a23c4437935} - c:\program files\tv_center\tbTV_1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: WeatherBlink: {f20de5e0-2a6e-4c54-985f-1cf59551ce39} - c:\program files\weatherblink\bar\1.bin\gcbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Encarta &Researcher: {9455301c-cf6b-11d3-a266-00c04f689c50} - c:\program files\common files\microsoft shared\encarta researcher\EROPROJ.DLL
uRun: [Start WingMan Profiler]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [CTPDPSRV] c:\windows\system32\spool\drivers\w32x86\3\CTPDPSRV.EXE
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [Belkin Storage Manager] "c:\program files\belkin storage manager\StorageManager.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Crawler Search - tbr:iemenu
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\encarta researcher\EROPROJ.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: xfire_lsp_9028.dll
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{EAF64AAF-7747-4755-B0AB-18ECFF9758C7} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\encarta researcher\MSERO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80117&lng=en
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XNxdm016YYus&ptnrS=XNxdm016YYus&ptb=67E1AB6E-AB04-438F-98F7-9DDF0D8E9C55&psa=&ind=2012021017&st=kwd&n=77ed0119&searchfor=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\siteranker\firefox\components\siterank.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\weatherblink\bar\1.bin\NPgcStub.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\dc0e44lf.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-7 64160]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-25 21504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-25 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [2011-10-23 71424]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [2011-10-23 11520]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-10-23 245760]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-2 25600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c999edd5ad2300;Google Update Service (gupdate1c999edd5ad2300);c:\program files\google\update\GoogleUpdate.exe [2009-2-28 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-24 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-10 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-28 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1036104]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-9 1153368]
S4 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-18 909152]
S4 WeatherBlinkService;WeatherBlinkService;c:\progra~1\weathe~2\bar\1.bin\gcbarsvc.exe [2011-10-7 42504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-02-19 22:57:59   --------   d-----w-   c:\users\gary\appdata\local\{C50494DD-43DA-4506-9D73-6FE6A49362AD}
2012-02-19 22:57:39   --------   d-----w-   c:\users\gary\appdata\local\{307E1E13-121D-4196-BF56-B6BFA53A671E}
2012-02-19 03:49:23   --------   dcsh--w-   C:\$RECYCLE.BIN
2012-02-17 20:07:40   --------   d-----w-   c:\users\gary\appdata\local\{D7FF343B-A71E-4B2B-A738-10F7F237FE21}
2012-02-17 20:07:28   --------   d-----w-   c:\users\gary\appdata\local\{8046EB82-3AD7-47E7-930C-EF1453D9E3B7}
2012-02-17 05:10:59   88144   ----a-w-   c:\users\gary\appdata\local\WeatherBlink Installer(02b2cd1c).exe
2012-02-16 19:38:55   --------   d-----w-   c:\users\gary\appdata\local\{34BA365E-7B9E-40AF-892E-8EF9AFC9AD62}
2012-02-16 19:38:39   --------   d-----w-   c:\users\gary\appdata\local\{F018F6D6-E621-40DA-B5F4-64DFF4B83A7A}
2012-02-16 19:37:28   88144   ----a-w-   c:\users\gary\appdata\local\WeatherBlink Installer(00a5b0da).exe
2012-02-15 21:52:56   88144   ----a-w-   c:\users\gary\appdata\local\WeatherBlink Installer(01a255a6).exe
2012-02-15 14:29:17   680448   ----a-w-   c:\windows\system32\msvcrt.dll
2012-02-15 14:29:16   2044416   ----a-w-   c:\windows\system32\win32k.sys
2012-02-15 14:29:14   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
2012-02-15 03:14:04   --------   d-----w-   c:\users\gary\appdata\local\{EC3B0A5B-C6DC-4806-B83B-B37AE7106E60}
2012-02-15 03:13:53   --------   d-----w-   c:\users\gary\appdata\local\{B9D92272-CD52-4D54-BA05-353E4EB24526}
2012-02-14 22:08:34   88144   ----a-w-   c:\users\gary\appdata\local\WeatherBlink Installer(00b7f089).exe
2012-02-14 19:41:38   --------   d-----w-   c:\users\gary\appdata\local\{C915D741-A27E-42D5-81B1-672CB44E32A6}
2012-02-14 19:41:24   --------   d-----w-   c:\users\gary\appdata\local\{D4BA6901-2366-4520-AE6D-CC94878F51B1}
2012-02-11 23:02:16   --------   d-----w-   c:\users\gary\appdata\local\{015A4CC1-D27D-4565-BF86-54E2A058DEAE}
2012-02-11 23:02:05   --------   d-----w-   c:\users\gary\appdata\local\{6613C844-B8AC-4B8E-9535-DDF87A41E5F7}
2012-02-11 00:09:23   --------   d-----w-   c:\users\gary\appdata\local\{5DEA593B-3D36-4318-B2F1-D45B607B4EEE}
2012-02-11 00:09:12   --------   d-----w-   c:\users\gary\appdata\local\{EE4E45C2-7BE1-47B9-ACBA-01715C0A5E84}
2012-02-10 22:05:00   88144   ----a-w-   c:\users\gary\appdata\local\WeatherBlink Installer(0106bfab).exe
2012-02-10 04:13:16   --------   d-----w-   c:\users\gary\appdata\local\{53F23BBB-2F10-41CF-8896-8D50426AF212}
2012-02-10 04:13:06   --------   d-----w-   c:\users\gary\appdata\local\{5F6C3809-3A9D-41D3-B5E0-08A8A6C4335C}
2012-02-10 03:50:12   --------   d-----w-   c:\users\gary\appdata\local\{AE3E6DE5-D5E3-4163-89E3-25248683263F}
2012-02-10 03:49:54   --------   d-----w-   c:\users\gary\appdata\local\{7FF539BC-E8C4-41C6-871F-D1C7A9D8CA96}
2012-02-10 03:09:15   --------   d-----w-   c:\users\gary\appdata\local\{D71D4CA5-3AC7-46FF-93DB-19CBE336CDF8}
2012-02-10 03:09:02   --------   d-----w-   c:\users\gary\appdata\local\{770B4283-F591-48BA-9BBB-5570E01FED28}
2012-02-08 06:28:21   --------   d-----w-   c:\users\gary\appdata\local\{49B7EBFD-D467-4968-B9D8-D2F1D403F0B0}
2012-02-08 06:28:09   --------   d-----w-   c:\users\gary\appdata\local\{E277D3A3-DE7D-48CC-9A28-0B57B58BBF3E}
.
==================== Find3M  ====================
.
2012-02-17 20:04:10   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 03:04:54   1798656   ----a-w-   c:\windows\system32\jscript9.dll
2011-12-14 02:57:18   1127424   ----a-w-   c:\windows\system32\wininet.dll
2011-12-14 02:56:58   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2011-11-25 15:59:48   376320   ----a-w-   c:\windows\system32\winsrv.dll
.
============= FINISH: 18:12:50.57 ===============
« Last Edit: April 19, 2012, 02:39:44 PM by kevinf80 »



Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #1 on: February 19, 2012, 05:38:19 PM »
I downloaded a Trojan Horse, Generic 26.CIPK, which turned the screen black. There are no icons except one for the recycle bin. A computer repair software appeared and I was able to disable it. I can still access all my files and programs by going to the start menu and clicking on programs. The Start menu is missing a lot of the usual things.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #2 on: February 19, 2012, 05:40:46 PM »
Hello rich1428 and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

You started a second thread, please do not do that. I've merged the two together, keep replies in this thread only.

Do the following:

Step 1

Download the following program to your desktop:

Unhide tool

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
Please be patient as this may take several minutes to run; it will scan and fix all hard drives on your system. You will see a new window with the drive being processed, typically C:\, as below:
[screenshot: Unhide processing drive C:\]

Changing as the next drive is processed as below, (if required):

[screenshot: Unhide processing the next drive]

You will get a success alert at the end.

[screenshot: Unhide success alert]
Re-boot and see if your files are present.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see the log from Malwarebytes, and also give an update on current issues.

Kevin

« Last Edit: February 19, 2012, 05:52:52 PM by kevinf80 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #3 on: February 25, 2012, 07:23:43 AM »
Do you still need assistance rich1428?

Online Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22641
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [Resolved K]dds
« Reply #4 on: February 26, 2012, 07:46:58 AM »
rich1428 please don't click on the report to moderator link, use the Reply button or the quick reply button at the bottom of the page. The report to moderator button is for reporting a violation of the rules to the moderators. Kevinf80 does not get those.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #5 on: February 28, 2012, 11:08:17 PM »
I used Unhide twice; the first time it restored icons to the desktop. The second time I disabled AVG according to instructions. I still don't have key elements in my start menu like Control Panel and Computer, among other things. I did two scans with SpywareHammer; the first time it shut the computer down. The second time, I finished the scan and am uploading the log. Thank you for your patience in this matter. I am new at using forums.
Gary Ryan

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #6 on: February 28, 2012, 11:17:22 PM »
Hello Gary,

Do not attach logs unless specifically asked; copy and paste them in your reply. If you are unable to copy and paste to your reply, and your only option is to attach, then you must zip them up first.

Right-click on the file > select > Send to > Compressed (zipped) folder. The zipped folder can then be attached to your reply.

The file you have attached is unreadable.

Kevin

Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #7 on: March 01, 2012, 11:27:12 PM »
I did a full scan by accident. This is the report. I still don't have some Windows items in the start menu like Control Panel and Computer. Thank you for your patience. I've never done a forum before.
Gary

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.28.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Gary :: GARY-PC [administrator]

2/28/2012 1:45:07 PM
mbam-log-2012-02-28 (13-45-07).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1152201
Time elapsed: 6 hour(s), 22 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 79
HKLM\SYSTEM\CurrentControlSet\Services\WeatherBlinkService (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{9b9dcae3-be34-424c-8d73-75e305a9e091} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B9DCAE3-BE34-424C-8D73-75E305A9E091} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9B9DCAE3-BE34-424C-8D73-75E305A9E091} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B9DCAE3-BE34-424C-8D73-75E305A9E091} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{5d557a1d-85f9-4049-8267-f0275e435dd2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{a7ec9f40-1b68-46f5-afe7-97bcd8ff67c3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{19A42F40-E285-4300-BEDF-AFFA58AC1AC2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ToolbarPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ToolbarPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherBlinkbar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{dc9051c2-8f55-479a-97a4-747980d9047f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC9051C2-8F55-479A-97A4-747980D9047F} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DC9051C2-8F55-479A-97A4-747980D9047F} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DC9051C2-8F55-479A-97A4-747980D9047F} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{e581fe6d-8a02-4075-aab2-c6d9fd413870} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{8e899d62-b42e-456b-87ad-acc4039eef5d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{2E715E15-82CF-4748-9BDD-F1925AABFCB8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{393f1621-f8c2-4e27-a179-438b9f1ea6f7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{a66f331b-51cb-42c8-b1b3-83ced369b007} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{710AC531-FB66-4ED3-BB1C-D996A8C061B4} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{af56afd8-9a47-416c-9621-e942ac2c40af} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.DynamicBarButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.DynamicBarButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{b723368d-0a5e-4b26-a060-8b88821a9f26} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{57255d88-1563-48f6-8f11-6ce4528ab662} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{24F5C593-9CAC-43F7-84C5-E624A93F3F5F} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.FeedManager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.FeedManager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{fa55e01e-29d3-41db-a3d4-3b49d0f76d39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{74cf76df-fc33-464e-8e5f-7b924062ebc8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{756F4B2F-6D42-4137-BD39-15402241A683} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.HTMLPanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.HTMLPanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FA55E01E-29D3-41DB-A3D4-3B49D0F76D39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{1552FE9D-B6B5-49E8-9EFF-E799D6B2285A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.HTMLMenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.HTMLMenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1552FE9D-B6B5-49E8-9EFF-E799D6B2285A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{36169815-c88b-4dfd-b916-19a931fba610} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{bbbe0e78-38f1-4f5d-ac78-d448c5b7906a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{39D9A663-48D3-44CA-BC04-FDC2E82E4476} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{b9cc7880-7265-447e-9b8b-fbbada2d244b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.MultipleButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.MultipleButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{17c05144-21b3-4101-8189-dadc63c559ed} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{7ee4e692-b4a5-49d6-a65b-fca2a2442bcd} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{3758E856-DBCD-48CC-9470-85FB80E9808C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.XMLSessionPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.XMLSessionPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{17C05144-21B3-4101-8189-DADC63C559ED} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{984dbd34-51a4-4ac8-9ba7-788ece5c9e31} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.Radio.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.Radio (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ce1e0069-1450-4762-b4c7-e5959a7ffc4e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ScriptButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ScriptButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{1d71ec44-6a2b-42f4-b69f-97c1d89752c8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{25d40f93-9cd4-4b41-a542-c2521961e529} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{30193C45-563B-4D6B-9130-99DC79F1D4B1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D71EC44-6A2B-42F4-B69F-97C1D89752C8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{81478fde-e670-4e65-8233-65bcb55deaf2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{2ed066d0-4d6c-45ba-abe7-e41136f4075d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{2E162AD8-73F5-4FAF-8D97-DB206B956CC2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{81478FDE-E670-4E65-8233-65BCB55DEAF2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{4d662a10-3b3d-4794-aae6-1973d7516fc4} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.UrlAlertButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.UrlAlertButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.PseudoTransparentPlugin (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.PseudoTransparentPlugin.1 (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.RadioSettings (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.RadioSettings.1 (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.SettingsPlugin (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKCR\WeatherBlink.SettingsPlugin.1 (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\WeatherBlink (AdwareMyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MozillaPlugins\@WeatherBlink.com/Plugin (AdwareMyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{8BA2CFEF-A1BC-4964-AADC-33BE1AE5A33C} (Adware.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 40
C:\Program Files\WeatherBlink\bar\1.bin\gcbarsvc.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcbar.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcimpipe.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcauxstb.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcbrmon.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcbrstub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcdatact.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcdlghk.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcdyn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcfeedmg.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gchighin.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gchtml.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gchtmlmu.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gchttpct.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcidle.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcieovr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcmedint.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcmlbtn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcmsg.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcPlugin.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcradio.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcregfft.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcregiet.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcscript.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcskin.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcskplay.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gctpinst.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\gcuabtn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\NPgcStub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WeatherBlink\bar\1.bin\T8RES.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\SystemRestore\FRStaging\Program Files\WeatherBlink\bar\1.bin\gcbar.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\SystemRestore\FRStaging\Program Files\WeatherBlink\bar\1.bin\gcbrmon.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\SystemRestore\FRStaging\Program Files\WeatherBlink\bar\1.bin\gcbrstub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\SystemRestore\FRStaging\Program Files\WeatherBlink\bar\1.bin\gcSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\SystemRestore\FRStaging\Users\Gary\AppData\LocalLow\WeatherBlinkEI\Installr\Cache\01152BB6.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\734D.tmp (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\5772.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\AA54.tmp (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\LocalLow\WeatherBlinkEI\Installr\Cache\01152BB6.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

(end)
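As an added worked example (not part of this thread and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format above. It groups detections by category, cross-checks the per-section counts MBAM declares, and pulls out the entries that matter more than the WeatherBlink toolbar noise: the two PUM.Hijack.StartMenu registry repairs, which are the Explorer\Advanced values behind the missing Start menu items, and the non-adware files in the user's Temp folder. The embedded sample is an excerpt of the log above with the "Detected:" counts reduced to match the excerpt; the function names are mine.

```python
"""Triage a Malwarebytes Anti-Malware 1.x scan log.

Added example, not part of the forum thread or of Malwarebytes' tooling.
Parses the "<object> (<category>) -> <action>" lines of the log format
posted above and separates the adware flood from the items that need a
closer look.
"""
import re
from collections import Counter

# Section header, e.g. "Registry Keys Detected: 79"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")

# Detection line. Registry values carry "Data: <d> -> " and registry data
# items carry "Bad: (<b>) Good: (<g>) -> " between the category and the action.
DETECTION_RE = re.compile(
    r"^(?P<object>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> |Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)


def parse_mbam_log(text):
    """Return (records, declared_counts).

    Each record is a dict: section, object (path or registry key), category,
    action, plus data/bad/good when the line carried them."""
    records, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            rec = m.groupdict()
            rec["section"] = section
            records.append(rec)
    return records, declared


def count_mismatches(records, declared):
    """Sections whose parsed line count differs from the count MBAM declared:
    {section: (declared, parsed)}. Non-empty means the paste was truncated."""
    seen = Counter(r["section"] for r in records)
    return {s: (n, seen[s]) for s, n in declared.items() if seen[s] != n}


def categories(records):
    """Detection count per category label."""
    return Counter(r["category"] for r in records)


def is_adware(record):
    # Prefix match: the log above carries both "Adware.MyWebSearch" and
    # "AdwareMyWebSearch" as labels for the same toolbar.
    return record["category"].startswith("Adware")


def non_adware(records):
    """Everything that is not toolbar noise, in log order."""
    return [r for r in records if not is_adware(r)]


def hijacked_settings(records):
    """PUM.Hijack.* registry repairs as (value name, bad, good). These are the
    Explorer\\Advanced values that hide Start menu items when set to 0."""
    return [
        (r["object"].rsplit("|", 1)[-1], r["bad"], r["good"])
        for r in records
        if r["category"].startswith("PUM.Hijack")
    ]


# Excerpt of the MBAM log posted above. The "Detected:" counts are reduced to
# match the excerpt so the count check passes.
SAMPLE_LOG = r"""
Scan type: Full scan

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\WeatherBlinkService (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MozillaPlugins\@WeatherBlink.com/Plugin (AdwareMyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{8BA2CFEF-A1BC-4964-AADC-33BE1AE5A33C} (Adware.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Files Detected: 4
C:\Program Files\WeatherBlink\bar\1.bin\gcbarsvc.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\734D.tmp (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\5772.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Gary\AppData\Local\Temp\AA54.tmp (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    recs, declared = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(recs, declared) or "none")
    print("by category:", dict(categories(recs)))
    for name, bad, good in hijacked_settings(recs):
        print(f"start menu value {name} was {bad}, reset to {good}")
    for r in non_adware(recs):
        print(f"[{r['category']}] {r['object']}")
```

Run it against a full log by passing the file contents to `parse_mbam_log`; a non-empty result from `count_mismatches` means the paste was truncated and the log should be requested again before anything is acted on. On the log above the short list is five entries out of 122: the two Start menu values (the same HKCU\...\Explorer\Advanced values that Unhide checks and that the Start menu Customize dialog toggles), two Trojan.FakeAlert.FS temp files and a Rootkit.Agent driver dropped in the same Temp folder, which is why a rootkit scan is the sensible next step.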

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #8 on: March 02, 2012, 01:25:39 AM »
Hiya Gary,

You're doing just fine. When you ran Unhide it will have produced a log; it will be in the same place Unhide ran from, e.g. if Unhide is on your Desktop, that is where the log will be. Can I see that log, please?

Regarding the missing entries in start menu do the following:

Right click on the start button and select "Properties". In the new window, under the Start menu tab, select "Customize" as below.

A new window will open. From the list, scroll to and check the missing options from your start menu; ensure you select each missing item. I've given a screenshot of the two you mention below.

When complete, select "OK"; in the next window select "Apply", then "OK". Re-boot and check that the items are restored.

Run the following and let me see the log:

Download aswMBR from Here
If it asks to update during the process please allow this to happen.

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Ensure Quick scan is selected, then select the Scan button to start the scan as illustrated below


Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

   
  • Once the scan finishes click Save log to save the log to your Desktop.


   
  • Copy and paste the contents of aswMBR.txt back here for review
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

In your reply let me see the logs from Unhide and aswMBR, and also let me know if the missing items were returned to your start menu....

Kevin

Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #9 on: March 04, 2012, 03:52:21 PM »
Here is the unhide file.
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
  http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/02/2012 12:27:56 PM
Windows Version: Windows Vista

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 1029005 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 11869 files processed.

Restoring the Start Menu.
 * 90 Shortcuts and Desktop items were restored.

Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 03/02/2012 12:53:15 PM
Execution time: 0 hours(s), 25 minute(s), and 19 seconds(s)

Thank you,
Gary

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #10 on: March 04, 2012, 04:47:40 PM »
What about the missing entries you mention from the start menu "Control Panel and Computer" did you manage to restore them with my instructions?

Have you ran aswMBR, can I see the log?

Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #11 on: March 06, 2012, 12:59:16 PM »
I was able to restore the items that you gave me instructions for. I tried to run aswMBR three times. This is why I am late in replying. Each time I returned to the computer, I was at the Windows log-in screen. The message indicated a Windows shutdown. The last time, I did get a log before it shut down.
Thank You,
Gary
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-04 20:43:47
-----------------------------
20:43:47.182    OS Version: Windows 6.0.6002 Service Pack 2
20:43:47.182    Number of processors: 2 586 0xF0D
20:43:47.182    ComputerName: GARY-PC  UserName: Gary
20:43:48.524    Initialize success
20:43:57.291    AVAST engine defs: 12030401
20:44:08.353    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:44:08.353    Disk 0 Vendor: ST3320620AS 3.ADG Size: 305245MB BusType: 3
20:44:08.384    Disk 0 MBR read successfully
20:44:08.384    Disk 0 MBR scan
20:44:08.384    Disk 0 Windows VISTA default MBR code
20:44:08.384    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63
20:44:08.400    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 112640
20:44:08.416    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       294949 MB offset 21084160
20:44:08.431    Disk 0 scanning sectors +625139712
20:44:08.509    Disk 0 scanning C:\Windows\system32\drivers
20:44:24.608    Service scanning
20:44:55.888    Service Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys **LOCKED** 32
20:44:59.696    Modules scanning
20:45:21.474    Disk 0 trace - called modules:
20:45:21.552    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS >>UNKNOWN [0x88258059]<<
20:45:21.552    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869f36d0]
20:45:21.568    3 CLASSPNP.SYS[89bab8b3] -> nt!IofCallDriver -> [0x868221e8]
20:45:21.568    5 acpi.sys[806966bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x86826b98]
20:45:22.426    AVAST engine scan C:\Windows
20:45:30.493    AVAST engine scan C:\Windows\system32
20:51:43.149    AVAST engine scan C:\Windows\system32\drivers
20:52:12.494    AVAST engine scan C:\Users\Gary
21:31:31.241    File: C:\Users\Gary\AppData\Local\Temp\jar_cache3367983247202405674.tmp  **INFECTED** Win32:Malware-gen
21:31:31.397    File: C:\Users\Gary\AppData\Local\Temp\jar_cache3592074060664246505.tmp  **INFECTED** Win32:Malware-gen
11:54:37.331    Disk 0 MBR has been saved successfully to "C:\Users\Gary\Desktop\MBR.dat"
11:54:37.877    The log file has been saved successfully to "C:\Users\Gary\Desktop\aswMBR.txt"

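The aswMBR output above is easier to review once the findings are separated from the trace. The following is an added example in Python (not part of this thread and not AVAST's tool). It reads the log format as posted here, which is an assumption about the format, and sorts what it finds into engine hits to clean, and storage-stack unknowns and locked drivers to hand to a reviewer, in line with the note above not to act on rootkit entries until they have been looked at. The sample is an excerpt of the log above; the function names and the three queue labels are mine.

```python
"""Pull the reviewable findings out of an aswMBR log.

Added example, not part of the forum thread or of AVAST's aswMBR. It reads
the timestamped trace format posted above (an assumption about the format)
and separates four things a reviewer looks at: the MBR code line, the
partition table, "**INFECTED**" engine hits, and the "**LOCKED**" and
">>UNKNOWN [0x...]<<" entries that may be rootkit activity or may be false
positives. It sorts; it does not decide.
"""
import re

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<msg>.*)$")
MBR_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<code>.+) MBR code$")
PART_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<boot>[0-9A-F]{2})\s+"
    r"(?P<active>\(A\)\s+)?(?P<type>[0-9A-F]{2})\s+(?P<desc>.+?)\s+"
    r"(?P<size>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(r"^File: (?P<path>.+?)\s+\*\*INFECTED\*\*\s*(?P<name>.*)$")
LOCKED_RE = re.compile(r"^Service (?P<svc>\S+) (?P<path>.+?)\s+\*\*LOCKED\*\*")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")


def parse_aswmbr_log(text):
    """Return a dict with mbr_code {disk: text}, partitions (list of dicts),
    infected [(path, detection)], locked [(service, path)] and
    unknown [(address, trace line)]."""
    out = {"mbr_code": {}, "partitions": [], "infected": [], "locked": [], "unknown": []}
    for raw in text.splitlines():
        ts = TS_RE.match(raw.strip())
        if not ts:
            continue  # banner and "Run date" lines carry no timestamp
        msg = ts.group("msg").strip()
        m = MBR_RE.match(msg)
        if m:
            out["mbr_code"][int(m.group("disk"))] = m.group("code")
            continue
        m = PART_RE.match(msg)
        if m:
            out["partitions"].append({
                "disk": int(m.group("disk")), "n": int(m.group("n")),
                "active": m.group("active") is not None,  # boot flag 80 (A)
                "type": m.group("type"), "desc": m.group("desc"),
                "size_mb": int(m.group("size")), "offset": int(m.group("offset")),
            })
            continue
        m = INFECTED_RE.match(msg)
        if m:
            out["infected"].append((m.group("path"), m.group("name")))
            continue
        m = LOCKED_RE.match(msg)
        if m:
            out["locked"].append((m.group("svc"), m.group("path")))
            continue
        m = UNKNOWN_RE.search(msg)
        if m:
            out["unknown"].append((m.group("addr"), msg))
    return out


def review_queue(parsed):
    """Order findings for a human as (label, text). Labels are my own:
    "clean" = engine hit on a file, removable with a cleanup tool;
    "review" = possible rootkit indicator, needs a helper's eyes first;
    "info" = locked driver, not evidence of infection on its own."""
    queue = []
    for disk, code in sorted(parsed["mbr_code"].items()):
        if "default" not in code.lower():
            queue.append(("review", f"disk {disk}: non-default MBR code: {code}"))
    active = [p["n"] for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        queue.append(("review", f"{len(active)} active partitions, expected 1"))
    for path, name in parsed["infected"]:
        queue.append(("clean", f"{name}: {path}"))
    for addr, line in parsed["unknown"]:
        queue.append(("review", f"unattributed module {addr} in disk call trace: {line}"))
    for svc, path in parsed["locked"]:
        queue.append(("info", f"locked service {svc}: {path}"))
    return queue


# Excerpt of the aswMBR log posted above.
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-04 20:43:47
-----------------------------
20:43:47.182    OS Version: Windows 6.0.6002 Service Pack 2
20:44:08.384    Disk 0 MBR read successfully
20:44:08.384    Disk 0 Windows VISTA default MBR code
20:44:08.384    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63
20:44:08.400    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 112640
20:44:08.416    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       294949 MB offset 21084160
20:44:55.888    Service Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys **LOCKED** 32
20:45:21.552    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS >>UNKNOWN [0x88258059]<<
20:45:21.552    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869f36d0]
21:31:31.241    File: C:\Users\Gary\AppData\Local\Temp\jar_cache3367983247202405674.tmp  **INFECTED** Win32:Malware-gen
21:31:31.397    File: C:\Users\Gary\AppData\Local\Temp\jar_cache3592074060664246505.tmp  **INFECTED** Win32:Malware-gen
"""

if __name__ == "__main__":
    for label, text in review_queue(parse_aswmbr_log(SAMPLE_LOG)):
        print(f"{label:6} {text}")
```

The queue deliberately puts the `>>UNKNOWN<<` trace entry and the locked Wdf01000.sys under review rather than clean: an unattributed module in the disk call trace is what a rootkit hook looks like, but it is also where aswMBR's false positives show up, which is why the reply above asks for the log before any action is taken. The two jar_cache hits are the Java exploit-kit leftovers, and those are the ones a cleanup script can safely remove.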

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #12 on: March 06, 2012, 01:46:02 PM »
Ok run the following:

Step 1

Download TFC  to your desktop, from either of the following links
 Link 1
 Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator"
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to keep your system optimized. It empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here  Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Let me see the log from ESET in next reply..

Kevin



Offline rich1428

  • Bronze Member
  • Posts: 71
Re: [Resolved K]dds
« Reply #13 on: March 08, 2012, 12:08:25 AM »
C:\Users\Gary\AppData\Local\Temp\jar_cache3367983247202405674.tmp   Win32/Agent.STT trojan
C:\Users\Gary\AppData\Local\Temp\jar_cache3592074060664246505.tmp   Win32/Agent.STT trojan
C:\Users\Gary\AppData\Local\Temp\jar_cache430370682781056772.tmp   Java/Exploit.CVE-2011-3544.AT trojan
C:\Users\Gary\AppData\Local\Temp\Low\CouponBarIE.dll   probably a variant of Win32/Adware.Softomate.AD application
C:\Users\Gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\2fd6e594-55617fe0   multiple threats
C:\Users\Gary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\66e05ad7-78a035e1   a variant of Java/Exploit.CVE-2011-3544.AO trojan
C:\Users\Gary\Desktop\couponprinter.exe   probably a variant of Win32/Adware.Softomate.AD application
C:\Users\Gary\Desktop\setup.exe   multiple threats
C:\Users\Gary\Downloads\couponprinter(2).exe   probably a variant of Win32/Adware.Softomate.AD application
C:\Users\Gary\Downloads\couponprinter.exe   probably a variant of Win32/Adware.Softomate.AD application
This is the logfile, Thank you again.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6345
Re: [Resolved K]dds
« Reply #14 on: March 08, 2012, 12:35:48 AM »
Run the following:

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Services
:Files
C:\Users\Gary\AppData\Local\Temp\jar_cache3367983247202405674.tmp
C:\Users\Gary\AppData\Local\Temp\jar_cache3592074060664246505.tmp
C:\Users\Gary\AppData\Local\Temp\jar_cache430370682781056772.tmp
C:\Users\Gary\AppData\Local\Temp\Low\CouponBarIE.dll
C:\Users\Gary\Desktop\couponprinter.exe
C:\Users\Gary\Desktop\setup.exe
C:\Users\Gary\Downloads\couponprinter(2).exe
C:\Users\Gary\Downloads\couponprinter.exe
ipconfig /flushdns /c
:Commands
[EmptyTemp]
[reboot]
 
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Let me see the log from OTM, give an update on current issues/concerns.

Thanks,

Kevin