
Trojan Horse SHeur3.CDGB and svchost.exe using up 100% CPU


This topic is locked

#31 Piros (Member, Topic Starter, 28 posts)

Before I do that step, I just want to check with you that it's still necessary.

After the last solution didn't work, I got curious and did some searching online. After looking at about a half-dozen results I stumbled onto the problem. A long time ago I started cleaning my Start Menu occasionally, so that the All Programs window wasn't so long. I've clustered most of my programs into headings like Internet, Protection, Microsoft, Apple, Document Readers, etc.

Anyway, there's a default folder at Start Menu -> All Programs -> Startup

That folder had 3 items: Spyware Guard, Logitech SetPoint, and the AT&T folder that was opening on startup.

I pulled that AT&T folder out of the startup folder and the problem stopped.

I guess at some point I put it in there not realizing that folder ran all the files and folders in it automatically on startup.


So, anyway, as I was saying, I'm not sure that OTL fix is necessary anymore.

#32 sempai (Trusted Helper, Malware Removal, 785 posts)

Yes you're correct, no need to run the OTL fix because it will basically do the same thing. :)

Please let me know in your next reply if you still have any questions or concerns so we can do the housekeeping to properly remove the tools.

#33 Piros (Member, Topic Starter, 28 posts)

I think that's everything. No more errors or folders opening on startup. Computer's running faster in general. No more Google redirects. And yesterday PC Tools' daily scan only found 2 spyware/adware/trackware cookies that needed removing, compared to before when it was 50-100/day.

So, yeah, I think my computer is ready for housekeeping.

#34 sempai (Trusted Helper, Malware Removal, 785 posts)

Tracking cookies are not harmful; they are files stored on your computer that contain information about your visit to a specific website.

You can disable third party cookies because they are usually issued by advertising companies to keep an eye on where you've been.

To disable third party cookies:

Using Firefox: Go to Tools > Options > Privacy > choose "Custom settings for history" > put a check mark on "Accept cookies from sites" and uncheck "Accept third-party cookies" > click OK.


Using IE: Click Tools > Internet Options > Privacy > click Advanced > put a check mark on "Override automatic cookie handling" > under first-party cookies choose Accept > under third-party cookies choose "Block" > click OK.


==================================


Uninstall:

1. ComboFix

  • Click Start > Run > copy/paste the following text into the Run box and click OK:

    ComboFix /Uninstall


2. Bitdefender
  • Go to C:\ > Windows > Downloaded Program Files
  • Right click on Bitdefender QuickScan Control and choose Remove.
  • Click Yes.



Delete:

1. TDSSKiller



Clean-up with OTL:
  • Run OTL
  • Click on the CleanUp! button.
  • Reboot when asked.



Your log is clean, please change all your offline and online passwords.

Take the time to read below to secure your machine and take the necessary steps to keep it Clean :)

How to prevent malware

How to increase PC speed


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.


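The attachment rule in the list above (do not open .exe, .com, .bat or .pif attachments) is the one item that reduces to a check a machine can make. The following is an added example for this thread, not code from the post or from Geeks to Go. It applies the post's four extensions and also handles two tricks the post does not spell out: a double extension such as photo.jpg.exe, which Explorer shows as photo.jpg when "Hide extensions for known file types" is on, and trailing spaces or dots, which Windows strips when it saves the file. The function names and the sample file names are this example's own.

```python
"""Flag attachment names that would run as a program when opened on Windows.

Added example for this thread; not code from the original post. The policy
is the post's own list of extensions, kept in one place so it stays visible.
"""

RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".pif"}


def effective_name(name: str) -> str:
    """Return the name Windows would actually store.

    Windows drops trailing spaces and dots from a file name, so
    "invoice.exe . " is saved as "invoice.exe" while a mail client still
    shows the raw string.
    """
    return name.strip().rstrip(" .")


def real_extension(name: str) -> str:
    """Lower-cased final extension of the stored name, or '' if there is none."""
    stored = effective_name(name)
    dot = stored.rfind(".")
    if dot <= 0:  # no dot, or only a leading dot such as ".bashrc"
        return ""
    return stored[dot:].lower()


def is_risky_attachment(name: str) -> bool:
    """True if the stored file's extension is one the post says not to open."""
    return real_extension(name) in RISKY_EXTENSIONS


def looks_like_double_extension(name: str) -> bool:
    """True for names like photo.jpg.exe: a harmless-looking extension followed
    by an executable one. With known extensions hidden this shows as photo.jpg."""
    parts = effective_name(name).lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in RISKY_EXTENSIONS


def triage(names):
    """Classify attachment names; returns {name: verdict}."""
    verdicts = {}
    for n in names:
        if looks_like_double_extension(n):
            verdicts[n] = "block: double extension"
        elif is_risky_attachment(n):
            verdicts[n] = "block: executable type"
        else:
            verdicts[n] = "allow"
    return verdicts


# Constructed sample names (not from the thread) that exercise each rule.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "setup.EXE",
    "photo.jpg.exe",
    "notes.txt",
    "invoice.pif . ",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES).items():
        print(f"{name!r:24} -> {verdict}")
```

The check is deliberately limited to what the filename alone reveals; a zipped executable or a document with an active macro passes it, which is why the post's other rules (unexpected sender, unexpected attachment) still apply.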

#35 Piros (Member, Topic Starter, 28 posts)

First, thanks for the cookies thing. I made the changes. That's actually the one thing that went right.

The first time I ran ComboFix's uninstall, PC Tools complained about NirCmd messing with some stuff that the Firewall was protecting and I had to allow it all... but then PC Tools disappeared from the system tray and ComboFix was still on my desktop. I had to restart my computer, disable my anti-virus, and run it again and reboot to get rid of it.

That folder for BitDefender only had the .dll file in it that I downloaded to use BitDefender, so I went ahead and deleted that.

OTL's Cleanup went through all the steps and asked me to let it reboot and I said yes... then it hung shutting down for 10 minutes while I was cooking and I finally had to just hit the reset button myself.

When the computer rebooted, ComboFix and OTL were gone though, so I think that's done.

I read through your safe internet practices list, and I follow most of them already, so that shouldn't be too hard. I'll read through the external links later. Thanks for all the help.

#36 Piros (Member, Topic Starter, 28 posts)

Um... I think something we did messed with my computer's sound.

I can listen to the radio on my headphones... and that seems to be about all I can do. Everything I load online, whether it's YouTube or Megavideo or some such, shows video and gives no sound.

I fiddled a bit with updating adobe flash player as well as a clean uninstall/reinstall and got nothing. Then I finally went into Sound and Audio devices to switch over to my speakers and that's when I noticed something was up. I can change between headphones and speakers, supposedly. But after I apply changes, close, and reopen the window, the changes have reverted. Also, I can sample windows error sounds to check the sound problem.

EDIT: Actually, default sound device changes don't even seem to be registering on the Volume tab of the sound options, even without closing it. The only place it's remembering it is on the Audio tab... which is useless if the computer isn't really recognizing it.

Edited by Piros, 22 June 2011 - 11:15 AM.


#37 Piros (Member, Topic Starter, 28 posts)

I think I know what happened... but I dunno how to fix it.

Kaspersky Virus Removal Tool found this:

6/21/2011 7:09:17 AM Detected: Trojan.Win32.Monder.drjy C:\System Volume Information\_restore{C1C19FDC-314C-4E2E-949A-FD68406D5696}\RP4\A0001392.dll
6/21/2011 7:09:43 AM Deleted: Trojan.Win32.Monder.drjy C:\System Volume Information\_restore{C1C19FDC-314C-4E2E-949A-FD68406D5696}\RP4\A0001392.dll

when it did its virus scan. Right there it removed part of the System Restore.


Then, when I was removing all the PC cleaning tools, OTL locked up my computer and I had to push the hard reset button. I'm assuming it restored itself with THAT system restore, since it should be the newest one I take it, and now I'm missing that DLL. At least that's my best guess anyway.

EDIT: Not to keep changing my answer, but maybe I'm wrong about that. The more I read, the more I find the most common solution suggested is a problem with whether or not the wavemapper registry subkey is mapped correctly in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32.

My problem at this point is I checked, and I don't see wavemapper there at all, but when I try and add it it says that name is already taken.

EDIT2: I know now that the wavemapper key exists/existed, I just didn't have registry permission to see it.

EDIT3: I've found 1 situation where firefox will make a sound... when using Ctrl-F to find something on a page and I type enough random characters that there's no match. It makes a dinking noise, like it should.

LastEDIT: I'm running out of ideas here for why this is happening. Most ideas on the internet are wrong for my situation. I even tried turning McciTrayApp.exe back on. I hope you've got some idea when you read this.

Edited by Piros, 22 June 2011 - 12:33 PM.


#38 sempai (Trusted Helper, Malware Removal, 785 posts)

Did you do a system restore? This can be related to your protection blocking the ComboFix uninstall process, so don't try any more possible solutions unless I instruct you to.


Please re-download and run ComboFix

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

[screenshot: Recovery Console install prompt]


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: Recovery Console installed message]


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



#39 Piros (Member, Topic Starter, 28 posts)

Alright, here's the ComboFix log. This was the first time I ran it that it recognized that the Windows Recovery Console is already installed, and didn't say anything about any active firewalls or virus scanners.

ComboFix 11-06-22.03 - Mr Smith 06/23/2011 6:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1174 [GMT -5:00]
Running from: c:\documents and settings\Mr Smith\Desktop\ComboFix.exe
AV: Internet Security Anti-Virus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Internet Security Firewall *Disabled* {2BF21FEC-A5BE-424D-BDD7-3229CC84ED22}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-22 18:26 . 2011-06-22 18:26 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-06-22 18:26 . 2011-06-22 18:26 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-06-22 18:26 . 2011-06-22 18:26 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-06-22 18:26 . 2011-06-22 18:26 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-06-22 18:26 . 2011-06-22 18:26 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-06-22 18:26 . 2011-06-22 18:26 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-06-22 18:26 . 2011-06-22 18:26 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-06-22 18:26 . 2011-06-22 18:26 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-06-22 18:25 . 2011-06-22 18:25 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-06-22 18:25 . 2011-06-22 18:25 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-06-22 18:25 . 2011-06-22 18:25 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-06-22 18:25 . 2011-06-22 18:25 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-06-22 18:25 . 2011-06-22 18:25 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-06-22 18:25 . 2011-06-22 18:25 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-06-22 18:25 . 2011-06-22 18:25 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-06-22 18:25 . 2011-06-22 18:25 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-06-22 18:25 . 2011-06-22 18:25 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-06-22 17:02 . 2011-06-22 17:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-22 10:59 . 2011-06-22 10:59 -------- d-----w- c:\documents and settings\Mr Smith\Local Settings\Application Data\Temp
2011-06-22 09:45 . 2011-06-22 09:45 -------- d-----w- c:\program files\Common Files\Java
2011-06-22 09:45 . 2011-06-22 09:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 16:21 . 2011-06-21 16:21 -------- d-----w- c:\documents and settings\Mr Smith\Application Data\QuickScan
2011-06-15 05:17 . 2011-06-15 05:17 -------- d-----w- c:\program files\awesome
2011-06-13 05:23 . 2011-06-13 05:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-11 05:20 . 2011-06-18 17:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-11 05:20 . 2011-06-11 05:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-11 05:20 . 2011-06-11 05:20 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-11 05:18 . 2011-06-11 05:20 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-05-26 10:39 . 2011-05-26 10:39 -------- d-----w- c:\program files\Comical
2011-05-25 11:36 . 2011-05-25 11:36 -------- d-----w- c:\documents and settings\Mr Smith\Local Settings\Application Data\cYo
2011-05-25 11:36 . 2011-05-25 11:36 -------- d-----w- c:\documents and settings\Mr Smith\Application Data\cYo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-22 09:44 . 2010-05-14 05:23 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-05-29 14:11 . 2011-03-18 07:49 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-03-18 07:49 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2007-04-23 21:49 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2010-04-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
"Nektra OEAPI"="c:\program files\Common Files\PC Tools\Outlook Express API\Launcher.exe" [2008-07-21 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\Mr Smith\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
backup=c:\windows\pss\Loadout Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mr Smith^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Mr Smith\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jomantha]
2008-06-13 17:19 159744 ----a-w- c:\program files\n52te\n52teHid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2008-03-14 10:00 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-24 14:06 1242448 ----a-w- h:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 -c--a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"HssTrayService"=3 (0x3)
"HssSrv"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"Diskeeper"=2 (0x2)
"DAUpdaterSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"h:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\Blizzard Downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader
"6882:TCP"= 6882:TCP:Blizzard Downloader
"6883:TCP"= 6883:TCP:Blizzard Downloader
"8086:TCP"= 8086:TCP:WoW
"8087:TCP"= 8087:TCP:WoW
"9081:TCP"= 9081:TCP:WoW
"9090:TCP"= 9090:TCP:WoW
"9097:TCP"= 9097:TCP:WoW
"9100:TCP"= 9100:TCP:WoW
"6885:TCP"= 6885:TCP:Blizzard Downloader
"6886:TCP"= 6886:TCP:Blizzard Downloader
"6887:TCP"= 6887:TCP:Blizzard Downloader
"6889:TCP"= 6889:TCP:Blizzard Downloader
"6890:TCP"= 6890:TCP:Blizzard Downloader
"6891:TCP"= 6891:TCP:Blizzard Downloader
"6892:TCP"= 6892:TCP:Blizzard Downloader
"6893:TCP"= 6893:TCP:Blizzard Downloader
"6895:TCP"= 6895:TCP:Blizzard Downloader
"6896:TCP"= 6896:TCP:Blizzard Downloader
"6897:TCP"= 6897:TCP:Blizzard Downloader
"6899:TCP"= 6899:TCP:Blizzard Downloader
"35608:TCP"= 35608:TCP:Limewire
"18230:UDP"= 18230:UDP:uTorrent
"5000:TCP"= 5000:TCP:Vent
"5000:UDP"= 5000:UDP:Vent
"6100:TCP"= 6100:TCP:Vent
"6100:UDP"= 6100:UDP:Vent
"1380:TCP"= 1380:TCP:WAR
"10622:TCP"= 10622:TCP:WAR
"57574:TCP"= 57574:TCP:Pando Media Booster
"57574:UDP"= 57574:UDP:Pando Media Booster
"34983:TCP"= 34983:TCP:uTorrentPortTCP
"34983:UDP"= 34983:UDP:uTorrentPortUDP
"6667:UDP"= 6667:UDP:IceChat
"56459:TCP"= 56459:TCP:Pando Media Booster
"56459:UDP"= 56459:UDP:Pando Media Booster
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"6967:TCP"= 6967:TCP:League of Legends Launcher
"6967:UDP"= 6967:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6958:TCP"= 6958:TCP:League of Legends Launcher
"6958:UDP"= 6958:UDP:League of Legends Launcher
"4000:TCP"= 4000:TCP:Diablo 2
"15397:TCP"= 15397:TCP:spport
"14022:TCP"= 14022:TCP:spport
"29848:TCP"= 29848:TCP:spport
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/21/2011 4:43 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [3/21/2011 4:43 AM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [3/21/2011 4:43 AM 656320]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/1/2008 1:11 PM 717296]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/21/2011 4:43 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/21/2011 4:43 AM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/21/2011 4:43 AM 251560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [3/21/2011 4:47 AM 247760]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [3/21/2011 4:43 AM 160448]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [3/21/2011 4:43 AM 89472]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [3/21/2011 4:43 AM 56536]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/21/2011 4:43 AM 33552]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 2:16 PM 22821]
S3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [2/15/2009 3:10 PM 48896]
S3 LiveTurbineMessageService;Turbine Message Service - Live;"h:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe" --> h:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [?]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;"h:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" --> h:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [3/21/2011 4:43 AM 56536]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [3/21/2011 4:43 AM 125248]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [3/21/2011 4:43 AM 70536]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [3/21/2011 4:42 AM 366840]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-15 05:18]
.
2011-03-12 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-03-09 12:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/viewsonic
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: aol.com\music
Trusted Zone: shoutcast.com
Trusted Zone: winamp.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Mr Smith\Application Data\Mozilla\Firefox\Profiles\5lg58vfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: oldbar: {46868735-c3fa-47ce-8ce7-cce51a66aceb} - %profile%\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
FF - Ext: Extended Statusbar: {daf44bf7-a45e-4450-979c-91cf07434c3d} - %profile%\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: zblack: {50931610-3d8e-11dd-ae16-0800200c9a66} - %profile%\extensions\{50931610-3d8e-11dd-ae16-0800200c9a66}
FF - Ext: YoYo Games InstantPlay: [email protected] - %profile%\extensions\[email protected]
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: FoxyTunes Skin - OnyxOrbs: {469CEB59-8266-438b-91D9-82F56D595E15} - %profile%\extensions\{469CEB59-8266-438b-91D9-82F56D595E15}
FF - Ext: Solid State ION: [email protected] - %profile%\extensions\[email protected]
FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\PC Tools Security\BDT\Firefox
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-DivX Download Manager - c:\program files\DivX\DivX Plus Web Player\DDmService.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 06:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e2d79ca0]
"imagepath"="\??\c:\windows\TEMP\199.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-413027322-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:09,09,22,15,86,8b,fb,81,4f,2d,57,a1,7f,6f,17,59,7f,ff,43,89,27,
6b,49,e1,e7,fd,68,50,57,34,c2,59,ad,82,c4,63,cd,5d,95,a3,10,90,bd,22,e4,b7,\
"rkeysecu"=hex:29,52,7b,02,92,e8,87,b3,48,af,b8,d4,08,42,c7,8b
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1340)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\PC Tools Security\TFEngine\TFMon.dll
c:\program files\PC Tools Security\TFEngine\TFRK.dll
.
- - - - - - - > 'lsass.exe'(1396)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(5516)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-23 06:48:57
ComboFix-quarantined-files.txt 2011-06-23 11:48
.
Pre-Run: 10,824,605,696 bytes free
Post-Run: 11,044,933,632 bytes free
.
- - End Of File - - D5B96574D3DCFBCBEAE210B4D187F3E2

#40
sempai
    Trusted Helper
  • Malware Removal
  • 785 posts
How's the audio issue after that ComboFix run?

#41
Piros
    Member
  • Topic Starter
  • 28 posts
Sound looks to be working again.

#42
sempai
    Trusted Helper
  • Malware Removal
  • 785 posts
That's great, please disable your AV and firewall, then uninstall ComboFix. Make sure to re-enable them afterward.

  • Click Start > Run > copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall



#43
Piros
    Member
  • Topic Starter
  • 28 posts
I uninstalled ComboFix. I saw the difference. This time when ComboFix was done installing there was a popup that announced it. And my sound still works after. Thanks.

#44
sempai
    Trusted Helper
  • Malware Removal
  • 785 posts
That's great, congrats and happy surfing again. :)

#45
sempai
    Trusted Helper
  • Malware Removal
  • 785 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.