IE search is redirecting to ad sites

View previous topic View next topic Go down

Solved IE search is redirecting to ad sites

Post by sunriz64 on Sun 04 Jul 2010, 1:42 am

I was infected with security alert virus. Thought I got rid of it but was still getting popups for ad sites and contests. Now when I search with bing or other search engines and try to go to found sites I get redirected to ad sites. I have run OTL and am trying to post the logs. Was unable to do so from my computer as IE said it was unable to display site when I hit send. I am trying now from a different computer. I am very new to this so would appreciate any help I can get. OTL logfile created on: 7/3/2010 1:19:23 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 590.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.39 Gb Free Space | 70.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-4370F36556
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/03 01:17:30 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/05/06 15:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/03 08:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/05/10 07:15:28 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/18 14:36:24 | 001,629,480 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2008/02/18 14:36:14 | 001,553,704 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2008/02/18 14:36:04 | 001,057,064 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe
PRC - [2004/10/14 17:42:54 | 001,404,928 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2003/04/09 18:11:12 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/09 17:59:24 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/09 17:49:36 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2003/04/09 17:41:38 | 000,323,646 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
PRC - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2010/07/03 01:17:30 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NeroRegInCDSrv)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 15:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/02/18 14:36:14 | 001,553,704 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/05/06 15:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 15:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 15:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 15:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 15:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 15:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/02/18 14:36:14 | 000,038,312 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2008/02/18 14:36:14 | 000,036,648 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2008/02/18 14:36:04 | 000,118,952 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/09/17 12:02:54 | 000,732,928 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



O1 HOSTS File: ([2010/07/02 10:49:19 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [QuickFinder Scheduler] C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE (Novell, Inc., c/o Corel Corporation Limited)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} [You must be registered and logged in to see this link.] (HP Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} [You must be registered and logged in to see this link.] (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.183.164 97.64.179.250
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/21 11:25:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2dc0a449-88d1-11dd-8247-0019b9390a15}\Shell - "" = AutoRun
O33 - MountPoints2\{2dc0a449-88d1-11dd-8247-0019b9390a15}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{69c77d84-0a79-11df-8278-0019b9390a15}\Shell\AutoRun\command - "" = E:\PPTVIEW.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/09/21 11:25:25 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69537929998893056)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/03 01:18:55 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/03 01:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/07/03 01:03:44 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/03 01:03:44 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/03 01:03:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/03 01:03:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/03 01:03:44 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/02 09:50:24 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/07/02 09:22:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Trivia Night stick
[2010/06/29 23:42:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\xbuisshra
[2010/06/29 07:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/06/29 06:29:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/29 06:29:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/21 00:55:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/19 03:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/06/09 06:52:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Threat Expert
[2010/06/09 06:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/08 19:30:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/06/06 00:13:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/06 00:13:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/06 00:13:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/04 18:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/04 18:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/04 17:55:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\jbcxiynob
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/03 01:17:30 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/03 01:03:23 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/03 01:03:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/03 01:03:22 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/03 01:03:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/03 01:03:22 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/02 10:53:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/02 10:51:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/02 10:51:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/02 10:49:47 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/07/02 10:49:47 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/02 10:49:46 | 004,840,782 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/02 10:49:19 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/07/02 09:51:22 | 000,000,992 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/02 09:48:08 | 000,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2010/06/29 13:16:01 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job
[2010/06/29 12:08:35 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/06/29 12:07:23 | 001,107,968 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/06/29 12:05:00 | 002,113,536 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/06/06 10:53:21 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/02 09:48:07 | 000,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2010/06/06 00:13:23 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2009/10/09 14:57:31 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2009/10/09 14:57:30 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2009/08/09 15:27:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/12 09:31:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2002/05/29 08:50:02 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/09/21 06:09:03 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/09/21 06:09:03 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/09/21 06:09:03 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 07:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 07:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 07:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 13:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 08:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 19:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 19:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 19:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 19:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 19:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 19:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 19:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 19:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 19:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 19:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 19:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 19:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 19:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 19:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 19:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2008/09/21 11:25:57 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/09/21 11:20:57 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/09/21 11:25:57 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/06/29 12:08:35 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2008/09/21 11:25:57 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/07/03 01:14:23 | 000,006,321 | ---- | M] () -- C:\JavaRa.log
[2010/06/06 10:53:23 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2008/09/21 11:25:57 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/06/19 11:24:34 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/02 10:51:08 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2009/10/28 10:13:34 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/02/13 21:36:24 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2010/03/11 12:35:32 | 000,000,000 | ---D | M] -- C:\Program Files\Amazon
[2008/09/21 11:45:48 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2010/06/18 04:49:50 | 000,000,000 | ---D | M] -- C:\Program Files\CA Yahoo! Anti-Spy
[2010/06/29 07:01:02 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/09/21 11:22:53 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/06/19 13:23:00 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2009/10/09 15:23:10 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/10/09 14:57:07 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/03/31 03:21:45 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/07/03 00:59:21 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/10/06 13:20:27 | 000,000,000 | ---D | M] -- C:\Program Files\Kodak
[2010/06/06 10:53:22 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/27 23:42:03 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/08/05 08:29:57 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/07/12 09:28:24 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/03/02 19:36:49 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/06/04 18:06:15 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/07/12 09:30:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/03/11 04:02:30 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2009/06/19 13:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/03/02 19:36:24 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/08/05 08:28:37 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/09/21 11:22:29 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/06/19 12:05:23 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2008/09/21 12:11:12 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2009/06/19 11:26:26 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/08/13 04:23:32 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2008/09/21 11:22:38 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/13 03:18:52 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/03/02 19:42:39 | 000,000,000 | ---D | M] -- C:\Program Files\Photo Story 3 for Windows
[2009/10/06 13:21:23 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/01/27 23:42:04 | 000,000,000 | ---D | M] -- C:\Program Files\ReadIris
[2009/06/19 13:09:27 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/07/03 01:03:56 | 000,000,000 | ---D | M] -- C:\Program Files\Sun
[2009/06/19 13:24:50 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/07/02 09:50:24 | 000,000,000 | ---D | M] -- C:\Program Files\Webroot
[2009/06/30 17:24:14 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2010/01/27 23:42:04 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/06/19 12:59:07 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/06/19 11:26:23 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/09/21 11:24:34 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/09/21 11:26:17 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/07/08 12:21:37 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2008/09/21 06:10:42 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2009/10/09 14:02:40 | 000,000,376 | -H-- | M] () -- C:\Documents and Settings\Administrator\Application Data\hpothb07.dat
[2009/10/09 14:02:40 | 000,000,507 | -H-- | M] () -- C:\Documents and Settings\Administrator\Application Data\hpothb07.tif
[2009/06/19 13:25:38 | 000,012,358 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\PFP100JCM.{PB
[2009/06/19 13:25:38 | 000,061,678 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\PFP100JPR.{PB


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 07:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 10:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/03/21 20:49:00 | 000,088,960 | ---- | M] (NVIDIA Corporation) MD5=A1F88223528AADBB6374132BECBBDCC1 -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/03/21 20:49:00 | 000,088,960 | ---- | M] (NVIDIA Corporation) MD5=A1F88223528AADBB6374132BECBBDCC1 -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2009/06/19 11:21:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/03 23:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-04 08:01:19

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >
OTL Extras logfile created on: 7/3/2010 1:19:23 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 590.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.39 Gb Free Space | 70.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-4370F36556
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\CDS\Nero\Installation\SetupX.exe" = D:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002 OEM
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{32A3A4F4-B792-11D6-A78A-00B0D0160200}" = Java(TM) SE Development Kit 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{82DFB852-9594-4668-9C66-28BB6E94BCB2}" = hp psc 2100 series
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}" = Readiris 7.5
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B19C841C-D60A-462F-AB86-4FDD51A77FA3}" = NILE THEME
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{EF3E420F-2DCF-4C24-8E37-896801901033}" = Nero 7 Essentials
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"avast5" = avast! Free Antivirus
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"HP PSC 2100 Series" = HP Photo and Imaging 2.0 - hp psc 2100 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel(R) PRO Network Connections Drivers
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/4/2010 7:19:49 PM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/4/2010 7:30:42 PM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/4/2010 10:05:19 PM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/4/2010 10:05:22 PM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/5/2010 12:44:36 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/5/2010 12:44:37 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/5/2010 5:11:12 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/5/2010 5:11:13 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/5/2010 8:30:20 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/5/2010 8:30:20 AM | Computer Name = DELL-4370F36556 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 4/7/2010 12:39:41 AM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 0019B9390A15.

Error - 4/10/2010 1:10:51 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1002
Description = The IP address lease 173.27.192.214 for the Network Card with network
address 0019B9390A15 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 4/10/2010 1:11:39 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 0019B9390A15.

Error - 4/10/2010 1:47:00 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1002
Description = The IP address lease 173.27.192.214 for the Network Card with network
address 0019B9390A15 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 4/10/2010 1:47:48 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 0019B9390A15.

Error - 4/10/2010 6:56:16 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1002
Description = The IP address lease 173.27.192.214 for the Network Card with network
address 0019B9390A15 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 4/10/2010 6:57:20 PM | Computer Name = DELL-4370F36556 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 0019B9390A15.

Error - 4/14/2010 4:18:16 AM | Computer Name = DELL-4370F36556 | Source = Service Control Manager | ID = 7000
Description = The Nero Registry InCD Service service failed to start due to the
following error: %%2

Error - 4/15/2010 4:20:14 AM | Computer Name = DELL-4370F36556 | Source = Service Control Manager | ID = 7000
Description = The Nero Registry InCD Service service failed to start due to the
following error: %%2

Error - 4/15/2010 9:31:48 AM | Computer Name = DELL-4370F36556 | Source = Service Control Manager | ID = 7000
Description = The Nero Registry InCD Service service failed to start due to the
following error: %%2


< End of report >

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Sun 04 Jul 2010, 2:33 am

Hi sunriz64 And Welcome to GeekPolice!


DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not reboot your PC
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.


Next


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...

    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

      Click the image to enlarge it

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please copy and paste the report into your Post.



Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Sun 04 Jul 2010, 3:02 am

Done. Here is the log. I'm leaving for work and will not be back until after midnight. I will check back in then. Thanks for your help so far!

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-03 10:59:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxtyypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB16C2C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB16C2B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB16C30EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB16C3014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB16C270C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB16C2C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB16C264C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB16C26B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB16C2D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB16C31B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB16C2CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB16C2E70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB16CFAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB16CF8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB16CFA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 148 804E27B4 4 Bytes JMP 27B16C30
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B16CCEC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP B16CF8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B16CFACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP B16CB536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP B16CFA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF69CFF80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[544] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[2444] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2444] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs InCDRec.sys (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Sun 04 Jul 2010, 3:11 am

"Done. Here is the log. I'm leaving for work and will not be back until after midnight. I will check back in then."
Sounds good.



  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------





Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Sun 04 Jul 2010, 5:25 pm

Ran Combofix. Here is the log.

ComboFix 10-07-03.04 - Administrator 07/04/2010 1:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.739 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\docume~1\ADMINI~1\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\3r8Q4j.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\5BRmGQ.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\gTPiR1c.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\iE028.jpg

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-03 19:44 . 2010-07-03 19:44 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\msvcp71.dll
2010-07-03 19:44 . 2010-07-03 19:44 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\jmc.dll
2010-07-03 19:44 . 2010-07-03 19:44 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\msvcr71.dll
2010-07-03 19:44 . 2010-07-03 19:44 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-49889e50-n\decora-sse.dll
2010-07-03 19:44 . 2010-07-03 19:44 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-49889e50-n\decora-d3d.dll
2010-07-03 15:07 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-03 15:07 . 2010-07-03 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 15:07 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-03 06:03 . 2010-07-03 06:03 -------- d-----w- c:\program files\Sun
2010-07-03 06:03 . 2010-07-03 06:03 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-02 14:50 . 2010-07-02 14:50 -------- d-----w- c:\program files\Webroot
2010-07-02 14:48 . 2010-07-02 14:48 164 ----a-w- c:\windows\install.dat
2010-06-30 04:42 . 2010-06-30 10:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\xbuisshra
2010-06-29 11:29 . 2010-06-29 11:29 -------- d-----w- c:\program files\Common Files\Java
2010-06-21 05:55 . 2010-06-21 05:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-09 11:52 . 2010-06-09 11:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-06-09 11:41 . 2010-06-09 11:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-09 00:30 . 2010-06-09 00:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-04 23:20 . 2010-06-04 23:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 22:55 . 2010-06-06 13:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jbcxiynob

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 05:59 . 2009-07-24 21:40 -------- d-----w- c:\program files\Java
2010-06-18 09:49 . 2010-03-19 15:08 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-06-04 23:06 . 2009-08-17 15:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 20:59 . 2010-02-14 02:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-02-14 02:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-02-14 02:36 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-02-14 02:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2010-02-14 02:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2010-02-14 02:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2010-02-14 02:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2010-02-14 02:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-14 16:47 . 2010-02-14 02:36 38848 ----a-w- c:\windows\system32\avastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/13/2010 9:36 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/13/2010 9:36 PM 19024]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4255120252.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-04 01:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-796845957-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,09,83,37,86,61,53,4c,87,0e,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,e9,03,e6,35,d3,5c,4f,b4,23,a1,\
.
Completion time: 2010-07-04 01:22:39
ComboFix-quarantined-files.txt 2010-07-04 06:22

Pre-Run: 56,128,393,216 bytes free
Post-Run: 61,073,625,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B5850F56F9364343295757CC304A9ED6

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Mon 05 Jul 2010, 2:00 am

I know things are better now with your PC.....


  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
KILLALL::

RegLock::
[HKEY_USERS\S-1-5-21-602162358-796845957-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =

Save the file to your desktop and name it CFscript.txt

Then drag the CFscript.txt into the ComboFix.exe as shown in the screenshot below.







This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new OTL log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Next

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.

    :commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Mon 05 Jul 2010, 3:19 am

Dragged and dropped CFscript.txt to combofix. Combofix started. Got a message saying a newer version of combofix was available. Do you want to download? I clicked no because there was no mention of this in your last post and I was afraid it might be an attempt to hijack. Scan ran and made it to Stage 50. Started shutting down windows and then quit. After 20 minutes I shut it down manually. Upon restart combofix continued and prepared log report.

Ran OTL with code you sent me. Scan finished and log was created. Windows began to shut down on its own and then quit again. Shut it down manually again. Restarted and I am sending you the logs from both processes. Headed to work again until 5 pm CDT. Will check back for a response. Thanks so much for your help and even on a holiday. It is greatly appreciated!

ComboFix 10-07-03.04 - Administrator 07/04/2010 10:21:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.642 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-03 15:07 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-03 15:07 . 2010-07-03 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 15:07 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-03 06:03 . 2010-07-03 06:03 -------- d-----w- c:\program files\Sun
2010-07-03 06:03 . 2010-07-03 06:03 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-02 14:50 . 2010-07-02 14:50 -------- d-----w- c:\program files\Webroot
2010-07-02 14:48 . 2010-07-02 14:48 164 ----a-w- c:\windows\install.dat
2010-06-30 04:42 . 2010-06-30 10:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\xbuisshra
2010-06-29 11:29 . 2010-06-29 11:29 -------- d-----w- c:\program files\Common Files\Java
2010-06-21 05:55 . 2010-06-21 05:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-09 11:52 . 2010-06-09 11:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-06-09 11:41 . 2010-06-09 11:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-09 00:30 . 2010-06-09 00:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-04 23:20 . 2010-06-04 23:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 22:55 . 2010-06-06 13:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jbcxiynob

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 19:44 . 2010-07-03 19:44 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\msvcp71.dll
2010-07-03 19:44 . 2010-07-03 19:44 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\jmc.dll
2010-07-03 19:44 . 2010-07-03 19:44 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20e23282-n\msvcr71.dll
2010-07-03 19:44 . 2010-07-03 19:44 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-49889e50-n\decora-sse.dll
2010-07-03 19:44 . 2010-07-03 19:44 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-49889e50-n\decora-d3d.dll
2010-07-03 05:59 . 2009-07-24 21:40 -------- d-----w- c:\program files\Java
2010-06-18 09:49 . 2010-03-19 15:08 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-06-04 23:06 . 2009-08-17 15:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 20:59 . 2010-02-14 02:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-02-14 02:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-02-14 02:36 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-02-14 02:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2010-02-14 02:36 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2010-02-14 02:36 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2010-02-14 02:36 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2010-02-14 02:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-14 16:47 . 2010-02-14 02:36 38848 ----a-w- c:\windows\system32\avastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/13/2010 9:36 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/13/2010 9:36 PM 19024]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4255120252.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-04 10:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2010-07-04 11:00:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 16:00
ComboFix2.txt 2010-07-04 06:22

Pre-Run: 60,890,083,328 bytes free
Post-Run: 60,897,603,584 bytes free

- - End Of File - - 385AA56E76AFFA4784DF362E51BC19B7


All processes killed
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 99840 bytes
->Temporary Internet Files folder emptied: 2733165 bytes
->Java cache emptied: 111989581 bytes
->Flash cache emptied: 254423 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 40211 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 46678 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 112.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 07042010_110316

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3738.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3789.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3862.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF38D6.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF39DB.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF39F2.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFA9D7.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PM86JCQV\ie-search-is-redirecting-to-ad-sites-t22481[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\139CGEX6\like[1].php moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Mon 05 Jul 2010, 3:24 am

How are things now?



Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Mon 05 Jul 2010, 4:40 am

I had to leave for work and was not able to check anything. While the scans were running I was getting messages from the bottom right of the screen stating that "computer might be at risk, no firewalls turned on. Click balloon to fix the problem." Haven't done anything yet. Combofix did ask me to disable my Avast so it may be due to that. I shut the computer down before I left for work and noticed that there was a security shield (?) icon attached to the shutdown button similar to what pops up when I was infected with AV Security suite virus. Message said "Click shutdown to install important updates and turn off your computer, or Click here to turn off without installing updates." I did not install anything. Paranoia has taken hold of me! Should there be updates to install?

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Mon 05 Jul 2010, 4:44 am

You should Click balloon to fix the problem.. Do not do any windows updates for now. If asked.

Update Run Malwarebytes



  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Mon 05 Jul 2010, 9:48 am

Windows firewall is back on and malware scan shows clean!!

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4275

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/4/2010 5:44:22 PM
mbam-log-2010-07-04 (17-44-22).txt

Scan type: Quick scan
Objects scanned: 122704
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Kenny94 on Mon 05 Jul 2010, 9:54 am

There are some older versions of Java on your computer. These can be a source of infection.

[
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u120 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files


    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.



To test your Java Run-time, you may go to this page [You must be registered and logged in to see this link.]
When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

Your Computer is Clean






Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware


  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)

  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit [You must be registered and logged in to see this link.] regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

It was a pleasure working with you. And Thank You for your visit here.







Last edited by Kenny94 on Mon 05 Jul 2010, 10:22 am; edited 1 time in total



Kenny94

Tech Officer
Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by sunriz64 on Mon 05 Jul 2010, 10:18 am

Combofix uninstalled and searches are going where they are supposed to. Thanks so much for your help!! You guys are awesome!!

sunriz64

Newbie Surfer
Newbie Surfer

Posts : 8
Joined : 2010-07-03
Operating System : windows xp

View user profile

Back to top Go down

Solved Re: IE search is redirecting to ad sites

Post by Sponsored content Today at 11:03 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum