browser / search engine hijacked

Trevor Local
Hello
My browsers (IE, Firefox, Chrome) are being hijacked when using search engines. I ran the HijackThis app, ran Spybot and Ad-Aware several times, ran Malwarebytes and ComboFix, as well as my ESET NOD32. The problem still remains. I see the svchost.exe process has 12 instances, and ComboFix deleted one when I ran it (c:\program files\svchost.exe).

Not sure what else I can do. Any ideas?
Thanks
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:35:08 AM, on 1/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\WatchGuard\Mobile VPN\NcpBudgetGui.exe
C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\YO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\YO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\YO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\YO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\YO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRAM FILES\STREAMRIPPER\wstreamripper.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NcpBudgetGui] "C:\Program Files\WatchGuard\Mobile VPN\NcpBudgetGui.exe" -start
O4 - HKLM\..\Run: [NcpPopup] "C:\Program Files\WatchGuard\Mobile VPN\ncppopup.exe" noerrmsg
O4 - HKLM\..\Run: [NcpRsuGui] "C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe" -gui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221633855359
O16 - DPF: {8DD728F1-7A97-4606-968A-F3F27D05ED33} (Digia2 Control) - http://192.168.100.64:8080/Digia2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1394DA-0B8C-448E-A668-79D58D5E42EA}: NameServer = 68.105.28.12,68.105.29.12
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Ma-Config Service (maconfservice) - Unknown owner - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: ncpclcfg - NCP engineering GmbH - C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
O23 - Service: ncprwsnt - NCP Engineering GmbH - C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
O23 - Service: NcpSec - Unknown owner - C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RwsRsu (rwsrsu) - Unknown owner - C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 11275 bytes

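A small triage script for a log like the one above, added here as an example; it is not part of the original thread, nor of HijackThis, ComboFix or GMER. It applies the checks an analyst does by eye: a core Windows binary name such as svchost.exe running from anywhere but system32, changed IE start/search pages, orphaned BHO registrations, Run entries that name a bare executable resolved through the PATH search order, ActiveX cabs (O16) served from a private address, and the DNS servers in O17 for manual confirmation. The sample log is constructed from lines of the posted log plus the c:\program files\svchost.exe process the poster says ComboFix removed; the severity labels are my own.

```python
"""HijackThis log triage: flag the entries that matter in a search-hijack case.
Added example for this thread; not part of HijackThis, ComboFix or GMER."""
import ipaddress
import re
from urllib.parse import urlsplit

# Core Windows binaries that only ever run from %SystemRoot%\system32 on XP.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                 "winlogon.exe", "services.exe", "spoolsv.exe"}
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\",)   # assumption: XP default root

# Stock IE start/search pages as HijackThis prints them on XP/IE7.
KNOWN_DEFAULT_URLS = {"http://go.microsoft.com/fwlink/?linkid=69157",
                      "http://go.microsoft.com/fwlink/?linkid=54896"}

ENTRY_RE = re.compile(r"^(?P<kind>[ORFN]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"HK\w+\\\.\.\\Run\w*: \[[^\]]+\] (\S+)")


def check_process(path):
    """Running-process line: a core binary name outside system32 is a
    classic masquerade (the poster's svchost.exe under Program Files)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in CORE_BINARIES and not low.startswith(SYSTEM32_PREFIXES):
        return ("HIGH", "core binary name outside system32: " + path)
    return None


def check_entry(kind, body):
    """One 'Oxx - ...' / 'Rx - ...' entry -> (severity, message) or None."""
    if kind in ("R0", "R1"):
        value = body.split("=", 1)[-1].strip().lower()
        if value.startswith("http") and value not in KNOWN_DEFAULT_URLS:
            return ("MEDIUM", f"{kind} IE start/search page changed: {value}")
    elif kind == "O2" and body.endswith("(no file)"):
        return ("LOW", "orphaned BHO registration: " + body)
    elif kind == "O4":
        # A bare filename is found via the PATH search order, so a same-named
        # file earlier in the search path would run instead.
        m = RUN_RE.match(body)
        if m and "\\" not in m.group(1).strip('"'):
            return ("LOW", "Run entry resolved via PATH, not a full path: " + body)
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        host = urlsplit(url).hostname or ""
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:
            private = False          # hostname, not a literal address
        if private:
            return ("MEDIUM", "ActiveX cab served from a private address: " + url)
    elif kind == "O17":
        return ("INFO", "DNS servers set on an interface; confirm they are your ISP's: " + body)
    return None


def triage(log_text):
    """Return [(severity, message)] in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:             # blank line ends the process list
                in_processes = False
                continue
            hit = check_process(line)
        else:
            m = ENTRY_RE.match(line)
            hit = check_entry(m["kind"], m["body"]) if m else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: lines from the posted log plus the Program Files
# svchost.exe process that ComboFix removed before the log was taken.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O16 - DPF: {8DD728F1-7A97-4606-968A-F3F27D05ED33} (Digia2 Control) - http://192.168.100.64:8080/Digia2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1394DA-0B8C-448E-A668-79D58D5E42EA}: NameServer = 68.105.28.12,68.105.29.12
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The number of svchost.exe instances says little by itself, since each one hosts a group of services; the path is what matters, and in the posted log every remaining instance is under system32. The O4 and O17 hits are prompts to verify, not verdicts: the Creative entries are the vendor's own installer layout, and the name servers need only be checked against what the ISP actually hands out.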

Commented:
Download and run GMER (rootkit scanner) from http://www2.gmer.net/gmer.zip

Start GMER and select all options on the right side. After scanning is finished, click Save and attach the log file here.
Commented:
You have a lot going on there.
Use the links below to decipher the HijackThis logfile and fix what you can,
and download the boot disk isp's, burn a disc and use it at startup to check your files.
I would start with Avira.
Good luck

http://www.bleepingcomputer.com/tutorials/tutorial42.html 

http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others/

Commented:
isp's = iso's
Sorry, keys sticking. Need a new keyboard.
Usually it's my typing, but not this time....
Commented:
Can you please attach the ComboFix log?
ComboFix does not automatically remove all bad files... oftentimes we need to use its script function to remove leftover bad files, services, registry entries, etc.


Also download and run GMER as already suggested and attach the log here please so we can check it.

In the right panel, you will see a bunch of boxes that have been checked... leave everything checked and ensure the "Show all" box is unchecked.

Author

Commented:
centerv - yes, it seems it all comes at once!

Unfortunately I started to run GMER and had to leave the house. I came back this evening and it had frozen, including everything else on the desktop. So I hastily powered down the machine before I remembered that ESET had quarantined "nvatabus.sys" - so now Windows (XP) won't boot without that file. So I fired up the XP disk to get to the Recovery Console and it tells me that setup can't find any hard disk drives installed.

So, looks like a weekend of reloading for me.....
 
Commented:
Looks like a file patcher that patched system drivers, and if you use a not-so-brilliant scanner that just deletes the infected file, it has a bad result, as you have now experienced. It is not always good to use just any scanner that is available without running some diagnostic tool.
OTL is brilliant for detecting infected files.
Some infections patched any of these system drivers:
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
and others
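An offline check for exactly this kind of in-place driver patch, added here as an example; it is not part of the thread, nor of OTL, ComboFix or GMER. It compares a driver on disk byte for byte with a pristine copy, reports the differing region(s) and hashes both, so a scanner's "infected" verdict can be confirmed before anything is deleted. The reference directories are the Windows XP locations of the file-protection cache and the service-pack source files; that they are untouched on a given machine is an assumption, and the i386 folder of the install media is the safer source. The sample image and the 5-byte jump written into it are constructed.

```python
"""Detect in-place patches to a system driver by diffing it against a pristine
copy.  Added example for this thread; not part of OTL, ComboFix or GMER."""
import hashlib
from pathlib import Path

# Drivers the thread lists as patch targets.
PATCH_TARGETS = ["iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys",
                 "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
                 "viamraid.sys"]

# Assumption: XP layout.  dllcache is the file-protection cache and
# ServicePackFiles holds the SP originals; both can be tampered with by
# anything running as admin, so prefer the install media's i386 folder when
# in doubt.
REFERENCE_DIRS = [r"C:\WINDOWS\system32\dllcache",
                  r"C:\WINDOWS\ServicePackFiles\i386"]
DRIVER_DIR = r"C:\WINDOWS\system32\drivers"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def diff_ranges(reference, candidate, min_gap=8):
    """[(offset, length)] of runs where candidate differs from reference.
    Differences closer than min_gap bytes are merged so one patch reads as
    one region; a trailing entry records any size difference."""
    ranges = []
    start = last = None
    common = min(len(reference), len(candidate))
    for i in range(common):
        if reference[i] != candidate[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last >= min_gap:
            ranges.append((start, last - start + 1))
            start = None
    if start is not None:
        ranges.append((start, last - start + 1))
    if len(reference) != len(candidate):
        ranges.append((common, abs(len(reference) - len(candidate))))
    return ranges


def compare_driver_bytes(reference, candidate):
    """Hashes, size check and patched regions for one driver image."""
    return {
        "reference_sha256": sha256(reference),
        "candidate_sha256": sha256(candidate),
        "same_size": len(reference) == len(candidate),
        "patched_ranges": diff_ranges(reference, candidate),
    }


def check_driver(name, driver_dir=DRIVER_DIR, reference_dirs=REFERENCE_DIRS):
    """Compare the installed driver with the first reference copy found.
    Returns None when either file is missing."""
    candidate = Path(driver_dir) / name
    if not candidate.is_file():
        return None
    for d in reference_dirs:
        ref = Path(d) / name
        if ref.is_file():
            return compare_driver_bytes(ref.read_bytes(), candidate.read_bytes())
    return None


def demo():
    """Constructed stand-in: a 1 KiB 'driver' and the same image with a
    5-byte JMP rel32 written over offset 0x40, the shape of a patcher's
    detour into its own code.  The size does not change."""
    clean = bytes(range(256)) * 4
    patched = bytearray(clean)
    patched[0x40:0x45] = b"\xe9\x00\x10\x00\x00"
    return compare_driver_bytes(clean, bytes(patched))


if __name__ == "__main__":
    print(demo())
    for name in PATCH_TARGETS:
        result = check_driver(name)
        if result and result["patched_ranges"]:
            print(name, result["patched_ranges"])
```

Run it from a rescue boot or with the disk mounted in another system: an active kernel-mode rootkit can hide its modification from reads made on the infected system, which is why the clean boot discs suggested earlier in the thread matter. An equal size is expected, not reassuring; in-place patches keep the size, so only the hash and the byte diff say anything. A confirmed patch is a reason to replace the file from a known-good copy, as the poster eventually did with nvatabus.sys, not to delete it.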

Commented:
Use the repair install option after booting to your XP disc.
That should leave your programs working, but you will need to get the patches again.
Should that repair work for you, have one of the virus boot discs on hand to check the PC promptly.
Good luck

Author

Commented:
I replaced the nvatabus.sys and got my PC back up and running. Here's the GMER log file:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-30 01:12:58
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\YO\LOCALS~1\Temp\kwliipow.sys


---- System - GMER 1.0.15 ----

SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                   ZwCreateKey [0xBA92887E]
SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                   ZwSetValueKey [0xBA928BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                            section is writeable [0xB872E380, 0x21F24D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1084] kernel32.dll!SetUnhandledExceptionFilter  7C8449FD 4 Bytes  [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                              eamon.sys (Amon monitor/ESET)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                             VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                           epfwtdir.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                           Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                              snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                              snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                              snapman.sys (Acronis Snapshot API/Acronis)

Device          \Driver\usbohci \Device\USBFDO-0                                                                    hcmon.sys (VMware USB monitor/VMware, Inc.)
Device          \Driver\usbehci \Device\USBFDO-1                                                                    hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice  \FileSystem\Fastfat \Fat                                                                            fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                            eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                  15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                     10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                   yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                  
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                  90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                    10000

---- EOF - GMER 1.0.15 ----

Author

Commented:
And here's the ComboFix log file:

ComboFix 10-01-27.03 - YO 01/27/2010  20:12:00.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2045.1608 [GMT -8:00]
Running from: c:\documents and settings\YO\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\adC32.dll
c:\program files\svchost.exe
c:\windows\Fonts\MyriadPro-Regular.otf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AdbUpd
-------\Service_AdbUpd


(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-28  )))))))))))))))))))))))))))))))
.

2010-01-28 03:22 . 2010-01-28 03:23	--------	d-----w-	c:\program files\schtml
2010-01-28 03:18 . 2010-01-28 03:18	--------	d-----w-	C:\Your PC Protector
2010-01-28 03:16 . 2010-01-28 04:10	43520	----a-w-	c:\program files\alggui.exe
2010-01-28 03:16 . 2010-01-28 04:11	56	----a-w-	c:\program files\wp4.dat
2010-01-28 03:16 . 2010-01-28 04:11	2	----a-w-	c:\program files\wp3.dat
2010-01-28 03:16 . 2010-01-28 03:16	36	----a-w-	c:\program files\skynet.dat
2010-01-28 03:16 . 2010-01-28 03:16	--------	d-----w-	c:\program files\Your PC Protector
2010-01-28 03:15 . 2010-01-28 03:15	1041416	----a-w-	c:\program files\wpp.exe
2010-01-28 01:50 . 2010-01-28 01:50	--------	d-----w-	c:\documents and settings\YO\Application Data\Malwarebytes
2010-01-28 01:50 . 2010-01-08 00:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 01:50 . 2010-01-28 01:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 01:50 . 2010-01-08 00:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-01-28 01:50 . 2010-01-28 01:50	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-01-27 23:03 . 2010-01-27 23:03	--------	d-----w-	c:\program files\TrendMicro
2010-01-27 22:56 . 2010-01-27 22:56	--------	d-----w-	c:\windows\system32\wbem\Repository
2010-01-27 22:55 . 2010-01-27 22:55	--------	d-----w-	c:\program files\Lavasoft
2010-01-27 17:52 . 2010-01-27 22:55	--------	dc----w-	c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2010-01-27 05:59 . 2010-01-27 22:55	--------	d-----w-	c:\program files\Lavasoft(2)
2010-01-25 07:15 . 2010-01-26 06:19	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-18 23:19 . 2010-01-18 23:19	--------	d-----w-	c:\program files\uTorrent
2010-01-18 23:18 . 2010-01-28 03:17	--------	d-----w-	c:\documents and settings\YO\Application Data\uTorrent
2010-01-06 23:22 . 2010-01-27 17:47	--------	d-----w-	c:\documents and settings\YO\Application Data\vlc
2010-01-06 22:21 . 2010-01-06 22:21	--------	d-----w-	c:\documents and settings\YO\Local Settings\Application Data\HandBrake
2010-01-06 22:21 . 2010-01-06 22:21	--------	d-----w-	c:\documents and settings\YO\Application Data\HandBrake
2010-01-06 22:21 . 2010-01-27 23:39	--------	d-----w-	c:\program files\Handbrake
2010-01-06 18:38 . 2010-01-06 21:15	--------	d-----w-	c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-06 18:38 . 2010-01-06 18:38	--------	d-----w-	c:\program files\DVD Shrink

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 04:22 . 2009-07-08 02:56	--------	d-----w-	c:\documents and settings\LocalService\Application Data\VMware
2010-01-28 04:22 . 2009-07-08 02:54	--------	d-----w-	c:\documents and settings\All Users\Application Data\VMware
2010-01-28 03:16 . 2010-01-28 03:16	9	----a-w-	c:\program files\nuar.old
2010-01-27 23:32 . 2008-09-18 01:16	--------	d-----w-	c:\program files\Google
2010-01-27 23:03 . 2010-01-27 23:03	388096	----a-r-	c:\documents and settings\YO\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-27 22:58 . 2008-09-18 01:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\Google Updater
2010-01-27 22:55 . 2009-07-12 07:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 06:13 . 2009-04-18 18:36	--------	d-----w-	c:\documents and settings\YO\Application Data\FileZilla
2010-01-27 05:56 . 2009-07-12 07:48	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2010-01-26 06:19 . 2008-09-17 04:14	1324	----a-w-	c:\windows\system32\d3d9caps.dat
2010-01-15 07:27 . 2008-10-04 08:22	--------	d-----w-	c:\documents and settings\YO\Application Data\dvdcss
2010-01-12 19:56 . 2009-07-08 03:02	--------	d-----w-	c:\documents and settings\YO\Application Data\VMware
2009-12-10 00:32 . 2009-02-23 20:14	--------	d-----w-	c:\program files\Digsby
2009-12-10 00:03 . 2008-09-17 07:10	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2009-11-28 02:07 . 2008-09-17 07:25	42040	----a-w-	c:\documents and settings\YO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 21:05 . 2009-11-04 21:01	118894	----a-w-	c:\windows\hpoins30.dat
2006-05-03 10:06 . 2009-01-27 23:58	163328	--sh--r-	c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-01-27 23:58	31232	--sh--r-	c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-01-27 23:58	216064	--sh--r-	c:\windows\system32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RTDCPL"="RTDCPL.EXE" [2005-07-08 12298240]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="NvMCTray.dll" [2006-03-09 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NcpBudgetGui"="c:\program files\WatchGuard\Mobile VPN\NcpBudgetGui.exe" [2009-01-19 2625536]
"NcpPopup"="c:\program files\WatchGuard\Mobile VPN\ncppopup.exe" [2008-09-25 618496]
"NcpRsuGui"="c:\program files\WatchGuard\Mobile VPN\rwsrsu.exe" [2008-12-02 850432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 05:43	640376	----a-w-	c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2006-07-21 07:13	126976	----a-w-	c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2006-07-21 07:15	1848218	----a-w-	c:\program files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 09:25	37232	----a-w-	c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38	34672	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-30 02:17	133104	----atw-	c:\documents and settings\YO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 01:51	3885408	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50	155648	----a-w-	c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18	413696	----a-w-	c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2006-07-21 07:12	1106531	----a-w-	c:\program files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2009-03-27 05:57	64048	----a-w-	c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02	36352	----a-w-	c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate1c938be3a800930"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Podmailing\\podmailing.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\WatchGuard\\Mobile VPN\\NCPMON.exe"=
"c:\\Program Files\\Acronis\\TrueImageEnterpriseServer\\TrueImage.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [9/16/2008 11:07 PM 5504]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 7:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 7:21 AM 468224]
R2 ncpclcfg;ncpclcfg;c:\program files\WatchGuard\Mobile VPN\ncpclcfg.exe [7/14/2009 12:10 PM 86016]
R2 ncprwsnt;ncprwsnt;c:\program files\WatchGuard\Mobile VPN\NCPRWSNT.EXE [7/14/2009 12:10 PM 1065480]
R2 NcpSec;NcpSec;c:\program files\WatchGuard\Mobile VPN\NCPSEC.EXE [7/14/2009 12:10 PM 32768]
R2 rwsrsu;RwsRsu;c:\program files\WatchGuard\Mobile VPN\rwsrsu.exe [7/14/2009 12:10 PM 850432]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 9:58 PM 54960]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [10/3/2008 4:29 PM 110336]
R3 NcpFiltMP;NcpFiltMP;c:\windows\system32\drivers\ncpvaxp.sys [7/14/2009 12:10 PM 79528]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [5/29/2009 4:13 PM 234864]
S3 NcpFilt;Ncp Filter Service;c:\windows\system32\drivers\ncpvaxp.sys [7/14/2009 12:10 PM 79528]
S3 ncpvaxp;NCP Secure Client Virtual Adapter Driver;c:\windows\system32\drivers\ncpvaxp.sys [7/14/2009 12:10 PM 79528]
S4 gupdate1c938be3a800930;Google Update Service (gupdate1c938be3a800930);c:\program files\Google\Update\GoogleUpdate.exe [10/27/2008 9:30 PM 133104]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [9/16/2008 11:07 PM 140800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
HPService	REG_MULTI_SZ   	HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-18 22:14]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-28 05:43]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-28 05:43]

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1214440339-839522115-1003Core.job
- c:\documents and settings\YO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-05 02:17]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1214440339-839522115-1003UA.job
- c:\documents and settings\YO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-05 02:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: turbotax.com
TCP: {DD1394DA-0B8C-448E-A668-79D58D5E42EA} = 68.105.28.12,68.105.29.12
DPF: {8DD728F1-7A97-4606-968A-F3F27D05ED33} - hxxp://192.168.100.64:8080/Digia2.cab
FF - ProfilePath - c:\documents and settings\YO\Application Data\Mozilla\Firefox\Profiles\6ol6pflz.default\
FF - prefs.js: browser.search.selectedEngine - Startpage
FF - component: c:\documents and settings\YO\Application Data\Mozilla\Firefox\Profiles\6ol6pflz.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\YO\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A61B856]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xba5eebb0
 PacketIndicateHandler -> NDIS.sys @ 0xba5fba21
 SendHandler -> NDIS.sys @ 0xba5d987b
user & kernel MBR OK 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1820)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\vmnat.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\RTDCPL.EXE
c:\windows\system32\RunDLL32.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\SCardSvr.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-27  20:32:23 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-28 04:32

Pre-Run: 6,986,686,464 bytes free
Post-Run: 7,174,520,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 49636B94761F688F9BDA3E836BE7A39D


Top Expert 2007

Commented:
Your PC Protector <-- did you purposely install and know this program?


Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\program files\alggui.exe
c:\program files\wp4.dat
c:\program files\wp3.dat
c:\program files\skynet.dat
c:\program files\nuar.old

FileLook::
c:\program files\wpp.exe

DirLook::
c:\program files\schtml
c:\program files\Your PC Protector

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

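The files the expert lists in the CFScript share one trait: they sit loose in the root of c:\program files\ instead of in a vendor folder, which is rarely how legitimate software installs. The helper below, an added example that is not part of this thread and not ComboFix's own code, parses the "Running services" and "Scheduled Tasks" lines in the ComboFix format shown above and flags two analyst rules of thumb (assumed here, not anything ComboFix itself applies): a binary directly in the Program Files root, and a core Windows process name such as svchost.exe running from outside the Windows directory. The sample input mixes lines copied from the log above with two constructed lines so that both checks fire.

```python
"""ComboFix log triage: parse service and scheduled-task entries, flag odd paths.

Added example for this thread; not ComboFix's own code. The heuristics are
general analyst rules of thumb, not logic ComboFix applies.
"""
import re
from typing import Dict, List, Optional

# Service line, e.g. "R2 ekrn;Eset Service;c:\program files\...\ekrn.exe [12/21/2007 7:21 AM 468224]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Scheduled task: a "YYYY-MM-DD c:\windows\Tasks\X.job" header, then "- <path> [timestamp]"
TASK_HEAD_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)\s*$", re.IGNORECASE)
TASK_BODY_RE = re.compile(r"^-\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")

# Heuristic 1: file directly in the Program Files root, not in a vendor subfolder
PROGRAM_FILES_ROOT_RE = re.compile(r"^[a-z]:\\program files\\[^\\]+$", re.IGNORECASE)
# Heuristic 2: a core Windows process name running from outside the Windows directory
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
CORE_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per service or scheduled task: kind, name, path, meta."""
    entries: List[Dict[str, str]] = []
    pending_job: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"],
                            "path": m["path"], "meta": m["meta"]})
            pending_job = None
            continue
        m = TASK_HEAD_RE.match(line)
        if m:
            pending_job = m["job"]      # remember the .job name for the next "- path" line
            continue
        m = TASK_BODY_RE.match(line)
        if m and pending_job is not None:
            entries.append({"kind": "task", "name": pending_job,
                            "path": m["path"], "meta": m["meta"]})
            pending_job = None
    return entries


def suspicious_reasons(path: str) -> List[str]:
    """Apply both heuristics to one path; an empty list means nothing odd."""
    reasons: List[str] = []
    basename = path.rsplit("\\", 1)[-1].lower()
    if PROGRAM_FILES_ROOT_RE.match(path):
        reasons.append("file sits directly in the Program Files root")
    if basename in CORE_NAMES and not WINDOWS_DIR_RE.match(path):
        reasons.append("core Windows process name outside the Windows directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Entries that trip at least one heuristic, with the reasons joined by '; '."""
    flagged: List[Dict[str, str]] = []
    for entry in parse_entries(log_text):
        reasons = suspicious_reasons(entry["path"])
        if reasons:
            flagged.append({**entry, "reasons": "; ".join(reasons)})
    return flagged


# Sample input: the first five lines are copied from the log above; the last
# three are CONSTRUCTED (not in the real log) so that both heuristics fire.
SAMPLE_LOG = r"""
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 7:21 AM 468224]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [10/3/2008 4:29 PM 110336]
S4 gupdate1c938be3a800930;Google Update Service (gupdate1c938be3a800930);c:\program files\Google\Update\GoogleUpdate.exe [10/27/2008 9:30 PM 133104]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-28 05:43]

R2 alggui;alggui;c:\program files\alggui.exe [1/1/2010 12:00 AM 1]
2010-01-27 c:\windows\Tasks\Updater.job
- c:\program files\svchost.exe [2010-01-27 00:00]
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['kind']:7} {hit['name']}: {hit['path']}  <- {hit['reasons']}")
```

Run it against a full ComboFix log saved to a file (read the file and pass its text to triage) to get a short list of entries worth a second look before deciding what goes into a CFScript; the hits are leads, not verdicts, since a legitimate installer can also drop a file in an odd place.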

Author

Commented:
Your PC Protector <-- did you purposely install and know this program?
Nope! don't know what that is. What should I do? (I'll run combofix in a bit)
Top Expert 2007
Commented:
I googled it and found out it's a rogue program, so we can let ComboFix delete it.

Add these bolded lines into your CFScript:

Folder::c:\program files\Your PC Protector

Author

Commented:
looks like that "your pc protector" was it. I deleted it and all has been well.
thanks!
Top Expert 2007

Commented:
Glad to know that the problem has been resolved.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall
Thank you for using Experts-Exchange!
