Google Redirect Virus


Google Redirect Virus

Post by jay_b on Mon Jul 11, 2011 4:24 pm


Hi All

I am also having a Google link redirect problem. I've tried running Malwarebytes; it comes back clean, but the problem persists.

Any help would be very much appreciated.

jay_b

jay_b
Intermediate
Intermediate

Posts Posts : 63
Joined Joined : 2011-06-23
OS OS : xp
Points Points : 20815
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Google Redirect Virus

Post by Kenny94 on Tue Jul 12, 2011 4:31 am

Hi jay_b and Welcome to GeekPolice!

We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control: [You must be registered and logged in to see this link.]
Then post your DDS logs (DDS.txt and Attach.txt).




Kenny94
Tech Officer
Tech Officer

Posts Posts : 2019
Joined Joined : 2010-04-22
Gender Gender : Male
OS OS : Windows 7
Protection Protection : Avira/Router and Malwarebytes
Points Points : 33511
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Google Redirect Virus

Post by jay_b on Tue Jul 12, 2011 10:13 am

hi Kenny94

Thanks for this. Unfortunately, when I run DDS it freezes my computer up after around 75% completion and I then have to reboot.

jay_b


Re: Google Redirect Virus

Post by Kenny94 on Tue Jul 12, 2011 10:45 am

You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK
Code:
CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Then run DDS and copy and paste the logs please.



Re: Google Redirect Virus

Post by jay_b on Tue Jul 12, 2011 11:29 am

Kenny94 wrote:
You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK
Code:
CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Then run DDS and copy and paste the logs please.


Completed as requested, but I still have the same problem when running DDS: it freezes and I am unable to continue with any functions.


Re: Google Redirect Virus

Post by Kenny94 on Tue Jul 12, 2011 12:58 pm

jay_b wrote:
unable to continue with any functions

Other than search redirections and freezes, can you post the other issues you are having for me?

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Re: Google Redirect Virus

Post by jay_b on Tue Jul 12, 2011 8:37 pm

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/07/2011 20:43:57
mbam-log-2011-07-12 (20-43-57).txt

Scan type: Quick scan
Objects scanned: 175818
Time elapsed: 23 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{DA0C93A9-EDC5-3DE4-8739-F3F176F54AAD} (Trojan.ZbotR.Gen) -> Value: {DA0C93A9-EDC5-3DE4-8739-F3F176F54AAD} -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\abbeyfield\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\abbeyfield\local settings\temporary internet files\Content.IE5\0C141UMJ\windows-update-sp3-kb93153-setup[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\local settings\Temp\0.15735610579295667.exe (Exploit.Drop.2) -> Delete on reboot.
c:\documents and settings\abbeyfield\local settings\Temp\0.7029722626396282.exe (Exploit.Drop.2) -> Delete on reboot.
c:\documents and settings\abbeyfield\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\application data\Adobe\plugs\mmc50.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\application data\Adobe\plugs\mmc583921.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\application data\Adobe\plugs\mmc600750.txt (Trojan.Agent.Gen) -> Delete on reboot.
c:\documents and settings\abbeyfield\application data\Arqiok\orsiu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

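As an added example (not code from the thread or from Malwarebytes), here is a small Python triage script for MBAM log lines in the format jay_b posted: it classifies the registry hits by the autostart location they abuse, flags files that borrow the name of a core Windows process from outside System32, and lists the items still waiting on the reboot MBAM asked for. The sample input is an abridged copy of the log above; the autostart rules, their labels and the process-name list are my own assumptions.

```python
import re

# Constructed sample input: an abridged copy of the MBAM log posted above (registry values and
# files only), kept in MBAM's own "target (detection) -> ... -> action." line format.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{DA0C93A9-EDC5-3DE4-8739-F3F176F54AAD} (Trojan.ZbotR.Gen) -> Value: {DA0C93A9-EDC5-3DE4-8739-F3F176F54AAD} -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\abbeyfield\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\abbeyfield\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\abbeyfield\application data\Arqiok\orsiu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
"""

# One finding: "<target> (<detection>) -> [Value: <x> ->] <action>."
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Autostart locations, matched against the lower-cased registry path; my own labels, not MBAM's.
AUTOSTART_RULES = [
    (r"\\winlogon\\shell$", "Winlogon Shell value: program started as (or alongside) the shell at logon"),
    (r"\\windows nt\\currentversion\\windows\\load$", "Windows 'load' value: legacy win.ini-style autostart"),
    (r"\\currentversion\\run\\", "Run key: program started at logon"),
]

# Core Windows process names; a file by one of these names outside System32 is masquerading.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "conhost.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


def parse_mbam_log(text):
    """Return one dict {section, target, detection, action} per finding line."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("rest").split(" -> ")[-1]   # drop the "Value: x" middle part if present
            findings.append({"section": section, "target": m.group("target"),
                             "detection": m.group("detection"), "action": action})
    return findings


def classify_autostart(reg_path):
    """Label of the autostart mechanism a registry hit abuses, or None if it is not one we know."""
    low = reg_path.lower()
    for pattern, label in AUTOSTART_RULES:
        if re.search(pattern, low):
            return label
    return None


def is_masquerading(file_path):
    """True for a core-process file name that lives outside \\windows\\system32\\."""
    low = file_path.lower().replace("/", "\\")
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in low


def summarize(findings):
    """Group findings into what a responder wants: persistence, masquerading, unfinished removals."""
    report = {"autostart": [], "masquerading": [], "pending_reboot": []}
    for f in findings:
        if f["section"].startswith("Registry"):
            label = classify_autostart(f["target"])
            if label:
                report["autostart"].append((f["target"], label))
        elif f["section"].startswith("Files") and is_masquerading(f["target"]):
            report["masquerading"].append(f["target"])
        if f["action"].lower().startswith("delete on reboot"):
            report["pending_reboot"].append(f["target"])
    return report


if __name__ == "__main__":
    rep = summarize(parse_mbam_log(MBAM_LOG))
    for key, items in rep.items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

The "pending_reboot" list is the part to re-check after the restart: those entries were not removed when the log was written.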

Re: Google Redirect Virus

Post by Kenny94 on Tue Jul 12, 2011 8:55 pm

I don't like to go in blindly without looking at the DDS log. But we'll run it later. Be sure to reboot your computer before you run ComboFix.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:

    [You must be registered and logged in to see this link.]

    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs [You must be registered and logged in to see this link.]

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


Re: Google Redirect Virus

Post by jay_b on Wed Jul 13, 2011 7:39 pm

I have run ComboFix but I receive the following message:

[You are infected with Rootkit.ZeroAccess! It has inserted itself into the
tcp/ip stack. This is a particularly difficult infection.

if for any reason that you're unable to connect to the internet after running ComboFix,
reboot once and see if that fixes it

If its not fixed run ComboFix one more time]

It does not seem to complete the scan. I have run it several times, for up to 1.5 hours, with no results. I then have to reboot.

Sorry, I could not copy the message box from the screen.


Re: Google Redirect Virus

Post by Kenny94 on Thu Jul 14, 2011 1:42 am

Please download the [You must be registered and logged in to see this link.] (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select [You must be registered and logged in to see this link.].
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to [You must be registered and logged in to see this link.].
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Re: Google Redirect Virus

Post by jay_b on Fri Jul 15, 2011 8:31 pm

2011/07/15 21:17:05.0281 4048 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/15 21:17:05.0703 4048 ================================================================================
2011/07/15 21:17:05.0703 4048 SystemInfo:
2011/07/15 21:17:05.0703 4048
2011/07/15 21:17:05.0703 4048 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/15 21:17:05.0703 4048 Product type: Workstation
2011/07/15 21:17:05.0703 4048 ComputerName: ABEXL0002
2011/07/15 21:17:05.0703 4048 UserName: abbeyfield
2011/07/15 21:17:05.0703 4048 Windows directory: C:\WINDOWS
2011/07/15 21:17:05.0703 4048 System windows directory: C:\WINDOWS
2011/07/15 21:17:05.0703 4048 Processor architecture: Intel x86
2011/07/15 21:17:05.0703 4048 Number of processors: 1
2011/07/15 21:17:05.0703 4048 Page size: 0x1000
2011/07/15 21:17:05.0703 4048 Boot type: Normal boot
2011/07/15 21:17:05.0703 4048 ================================================================================
2011/07/15 21:17:07.0656 4048 Initialize success
2011/07/15 21:17:11.0031 0128 ================================================================================
2011/07/15 21:17:11.0031 0128 Scan started
2011/07/15 21:17:11.0031 0128 Mode: Manual;
2011/07/15 21:17:11.0031 0128 ================================================================================
2011/07/15 21:17:23.0140 0128 Rasl2tp (b89e278024fa3782f294f12c2b35d701) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/15 21:17:23.0140 0128 Rasl2tp - detected Rootkit.Win32.ZAccess.c (0)
2011/07/15 21:17:29.0078 0128 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/15 21:17:29.0328 0128 Boot (0x1200) (6edebab9095679f7f76a7e48f57af3a8) \Device\Harddisk0\DR0\Partition0
2011/07/15 21:17:29.0343 0128 ================================================================================
2011/07/15 21:17:29.0343 0128 Scan finished
2011/07/15 21:17:29.0343 0128 ================================================================================
2011/07/15 21:17:29.0359 1416 Detected object count: 1
2011/07/15 21:17:29.0359 1416 Actual detected object count: 1
2011/07/15 21:17:39.0562 1416 Rasl2tp (b89e278024fa3782f294f12c2b35d701) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/15 21:17:42.0109 1416 Backup copy found, using it..
2011/07/15 21:17:42.0125 1416 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - will be cured after reboot
2011/07/15 21:17:42.0125 1416 Rootkit.Win32.ZAccess.c(Rasl2tp) - User select action: Cure
2011/07/15 21:17:59.0203 0864 Deinitialize success

jay_b
Intermediate

Posts: 63
Joined: 2011-06-23
OS: xp
Points: 20815
Likes: 0
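The TDSSKiller log above ends with the MBR and boot-sector hashes, one declared detection (Rootkit.Win32.ZAccess.c in rasl2tp.sys, restored from a backup copy and marked for cure after reboot) and a summary count. As an added example that is not part of this thread or of TDSSKiller itself, the following Python script parses log lines in that format into a triage summary: which object was flagged, the hash and path of the matching driver entry, whether the cure is still pending a reboot, and the boot-record hashes to compare against a known-good baseline. The sample lines are a constructed excerpt mirroring the format seen above, and the regular expressions are assumptions about that format.

```python
"""Triage a TDSSKiller-style scan log (added example, not TDSSKiller's own code).

Pulls out the MBR/boot-sector hashes, every driver hash line, the declared
detection count and the detection/action lines, then cross-references them so
the responder sees which file was flagged, its hash, and whether the cure is
still waiting on a reboot. The regexes are assumptions about the log format
seen in this thread."""
import re

# Every log line: "YYYY/MM/DD HH:MM:SS.ffff <thread id> <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# "MBR (0x1B8) (<md5>) \Device\..." and "Boot (0x1200) (<md5>) \Device\..."
BOOT_RE = re.compile(r"^(MBR|Boot) \((0x[0-9A-Fa-f]+)\) \(([0-9a-f]{32})\) (.+)$")
# "<service name> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
# "Rootkit.Win32.ZAccess.c(Rasl2tp) - User select action: Cure"
DETECT_RE = re.compile(r"^(.+?)\((\S+)\) - User select action: (\w+)$")
PENDING_RE = re.compile(r"^(.+) - will be cured after reboot$")

# Constructed excerpt mirroring the tail of the log posted in this thread.
SAMPLE_LOG = r"""
2011/07/15 21:17:26.0265 0128 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/15 21:17:29.0078 0128 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/15 21:17:29.0328 0128 Boot (0x1200) (6edebab9095679f7f76a7e48f57af3a8) \Device\Harddisk0\DR0\Partition0
2011/07/15 21:17:29.0343 0128 Scan finished
2011/07/15 21:17:29.0359 1416 Detected object count: 1
2011/07/15 21:17:39.0562 1416 Rasl2tp (b89e278024fa3782f294f12c2b35d701) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/15 21:17:42.0109 1416 Backup copy found, using it..
2011/07/15 21:17:42.0125 1416 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - will be cured after reboot
2011/07/15 21:17:42.0125 1416 Rootkit.Win32.ZAccess.c(Rasl2tp) - User select action: Cure
2011/07/15 21:17:59.0203 0864 Deinitialize success
"""


def triage(lines):
    """Parse log lines into a dict of boot records, driver hashes, detections
    and files still waiting on a post-reboot cure. Lines that match none of
    the known message shapes (separators, status text) are skipped."""
    summary = {"boot": {}, "drivers": {}, "declared_count": None,
               "detections": [], "pending_cure": []}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group(3)
        if (b := BOOT_RE.match(msg)):
            summary["boot"][b.group(1)] = {"offset": b.group(2), "md5": b.group(3),
                                           "device": b.group(4)}
        elif (c := COUNT_RE.match(msg)):
            summary["declared_count"] = int(c.group(1))
        elif (d := DETECT_RE.match(msg)):
            summary["detections"].append({"threat": d.group(1), "object": d.group(2),
                                          "action": d.group(3)})
        elif (p := PENDING_RE.match(msg)):
            summary["pending_cure"].append(p.group(1))
        elif (v := DRIVER_RE.match(msg)):
            summary["drivers"][v.group(1)] = {"md5": v.group(2), "path": v.group(3)}
    return summary


def report(summary):
    """Turn the parsed summary into human-readable triage lines, warning when
    the declared detection count disagrees with the action lines parsed."""
    out = []
    declared, found = summary["declared_count"], len(summary["detections"])
    if declared is not None and declared != found:
        out.append(f"WARNING: log declares {declared} detections but {found} action lines were parsed")
    pending = {p.lower() for p in summary["pending_cure"]}
    for det in summary["detections"]:
        drv = summary["drivers"].get(det["object"])
        path = drv["path"] if drv else "<path not in log>"
        md5 = drv["md5"] if drv else "<hash not in log>"
        suffix = ", cure pending reboot" if path.lower() in pending else ""
        out.append(f"{det['threat']} in {det['object']} ({path}, md5 {md5}) "
                   f"action={det['action']}{suffix}")
    for rec, info in summary["boot"].items():
        out.append(f"{rec} {info['device']} md5 {info['md5']} (compare against a known-good baseline)")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.strip().splitlines())):
        print(line)
```

Feeding the full log rather than the excerpt gives a hash for every driver TDSSKiller walked, which is the list to diff against a clean machine of the same patch level when a rootkit is suspected of swapping a driver file, as the `Backup copy found` line indicates happened here.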

Re: Google Redirect Virus

Post by Kenny94 on Fri Jul 15, 2011 8:51 pm

Rerun Combofix and post the log please.

Kenny94
Tech Officer

Posts: 2019
Joined: 2010-04-22
Gender: Male
OS: Windows 7
Protection: Avira/Router and Malwarebytes
Points: 33511
Likes: 0

Re: Google Redirect Virus

Post by jay_b on Sat Jul 16, 2011 11:32 am

Hi Kenny94

Unfortunately I am still experiencing problems with ComboFix, where it does not complete (I have let it run for 2 hours).

Message from autoscan


'Scanning for infected files...
This typically doesn't take more than 10 minutes
However scan times for badly infected machines may easily double'

This does not change

I am now away for a week; I hope I can try and rectify this with your response on my return.
Many thanks for the help so far.


Re: Google Redirect Virus

Post by Kenny94 on Sat Jul 16, 2011 1:40 pm

When you get back, remove ComboFix from your desktop. Download a fresh copy of ComboFix. This time run ComboFix in Safe Mode.

Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Log in as the same user you were previously logged in as.

ComboFix should run. When finished, it will produce a log. Please save that log to a Notepad file to post in your next reply.


Re: Google Redirect Virus

Post by jay_b on Mon Jul 25, 2011 6:15 pm

Kenny94 wrote: When you get back, remove ComboFix from your desktop. Download a fresh copy of ComboFix. This time run ComboFix in Safe Mode.

Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Log in as the same user you were previously logged in as.

ComboFix should run. When finished, it will produce a log. Please save that log to a Notepad file to post in your next reply.

I have done so as instructed in Safe Mode but still encounter the same problem with it not completing, as previously.

Message from autoscan:

'Scanning for infected files...
This typically doesn't take more than 10 minutes
However scan times for badly infected machines may easily double'



Re: Google Redirect Virus

Post by Kenny94 on Mon Jul 25, 2011 6:19 pm

Let's hold off on ComboFix.

Update and run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Re: Google Redirect Virus

Post by jay_b on Mon Jul 25, 2011 6:54 pm

Ran in safe mode

Malwarebytes' Anti-Malware 1.51.1.1800

Database version: 7276

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

25/07/2011 19:47:56
mbam-log-2011-07-25 (19-47-56).txt

Scan type: Quick scan
Objects scanned: 175032
Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Google Redirect Virus

Post by Kenny94 on Mon Jul 25, 2011 7:37 pm

No need to run Malwarebytes in Safe Mode. Please run it again, but in normal mode. Post the log please.


Re: Google Redirect Virus

Post by jay_b on Wed Jul 27, 2011 10:00 am

Malwarebytes' Anti-Malware 1.51.1.1800

Database version: 7294

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/07/2011 09:48:58
mbam-log-2011-07-27 (09-48-58).txt

Scan type: Quick scan
Objects scanned: 179723
Time elapsed: 23 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Google Redirect Virus

Post by Kenny94 on Wed Jul 27, 2011 12:02 pm


  • Download OTL to your desktop.
  • Double-click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Under the Standard Registry box change it to All.
  • Under the Extra Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.



Re: Google Redirect Virus

Post by jay_b on Wed Jul 27, 2011 1:02 pm

OTL logfile created on: 27/07/2011 13:56:21 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\abbeyfield\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1015.36 Mb Total Physical Memory | 474.64 Mb Available Physical Memory | 46.75% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.21% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.79 Gb Total Space | 28.85 Gb Free Space | 51.71% Space Free | Partition Type: NTFS

Computer Name: ABEXL0002 | User Name: abbeyfield | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/27 13:54:07 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\abbeyfield\Desktop\OTL.exe
PRC - [2010/05/19 17:00:26 | 001,584,640 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2010/05/11 16:11:30 | 001,188,176 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe
PRC - [2010/05/11 16:11:20 | 000,341,328 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\LWS\LU\LULnchr.exe
PRC - [2010/05/07 19:47:32 | 000,162,648 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2010/05/07 19:43:52 | 000,651,096 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2010/05/07 19:35:22 | 000,165,208 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2010/05/07 19:34:58 | 000,168,792 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
PRC - [2009/10/13 11:41:27 | 000,606,208 | ---- | M] () -- C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
PRC - [2009/06/11 07:10:17 | 000,503,808 | ---- | M] () -- C:\WINDOWS\twain_32\Samsung\CLX3170\Scan2Pc.exe
PRC - [2008/08/16 18:44:56 | 000,308,536 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2008/08/16 18:44:50 | 001,127,736 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfica32.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 12:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 12:19:40 | 000,294,912 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 12:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 12:13:26 | 000,495,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2006/09/20 15:52:10 | 000,253,952 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\SoftMon.exe
PRC - [2006/09/18 08:27:38 | 000,817,152 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\issuser.exe
PRC - [2006/05/12 14:07:26 | 000,086,016 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\LocalSch.EXE
PRC - [2006/02/19 04:21:22 | 000,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/02/19 02:41:10 | 000,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
PRC - [2006/01/11 10:32:28 | 000,126,976 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\Shared Files\residentAgent.exe
PRC - [2005/12/09 03:58:22 | 000,118,784 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\tmcsvc.exe
PRC - [2005/12/09 03:47:42 | 000,258,048 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe
PRC - [2005/11/17 11:31:52 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) -- C:\WINDOWS\system32\cba\pds.exe
PRC - [2004/12/15 08:07:44 | 000,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe


========== Modules (SafeList) ==========

MOD - [2011/07/27 13:54:07 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\abbeyfield\Desktop\OTL.exe
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/05/19 17:00:22 | 000,198,656 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Unknown | Stopped] -- -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2011/02/08 09:46:54 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2010/05/07 19:47:32 | 000,162,648 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/02/21 12:19:40 | 000,294,912 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2006/09/20 15:52:10 | 000,253,952 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\softmon.exe -- (Softmon) LANDesk(R)
SRV - [2006/09/18 08:27:38 | 000,817,152 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\issuser.exe -- (ISSUSER)
SRV - [2006/05/12 14:07:26 | 000,086,016 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\LocalSch.EXE -- (Intel Local Scheduler Service)
SRV - [2006/01/11 10:32:28 | 000,126,976 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\Shared Files\residentagent.exe -- (CBA8) LANDesk(R)
SRV - [2005/12/09 03:58:22 | 000,118,784 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\tmcsvc.exe -- (Intel Targeted Multicast)
SRV - [2005/11/17 11:31:52 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) [Auto | Running] -- C:\WINDOWS\system32\cba\pds.exe -- (Intel PDS)


========== Driver Services (SafeList) ==========

DRV - [2010/05/19 17:00:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/05/19 17:00:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/05/14 23:04:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2010/05/14 23:04:02 | 006,842,592 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam C210(UVC)
DRV - [2010/05/14 23:02:26 | 000,276,448 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/05/14 23:02:14 | 000,114,784 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2010/05/10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\abbeyfield\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/05/07 19:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2010/02/17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\abbeyfield\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/03/25 12:44:40 | 000,038,400 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DgivEcp.sys -- (DgiVecp)
DRV - [2007/02/21 12:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/08 14:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/07/01 16:48:34 | 000,011,904 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ldblank.sys -- (ldblank)
DRV - [2005/07/01 16:48:34 | 000,003,712 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mirrorflt.sys -- (mirrorflt)
DRV - [2005/07/01 16:48:34 | 000,003,328 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ldmirror.sys -- (ldmirror)
DRV - [2005/05/03 16:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 16:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 16:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2005/01/11 14:18:22 | 000,800,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/17 13:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/25 20:58:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/07/19 12:18:31 | 000,000,000 | ---D | M]

[2011/03/07 15:45:20 | 000,002,423 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

O1 HOSTS File: ([2004/08/04 11:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Shareaza Web Download Hook) - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\RazaWebHook32.dll (Shareaza Development Team)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [3170 Scan2PC] C:\WINDOWS\Twain_32\Samsung\CLX3170\Scan2pc.exe ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelAPMClient] File not found
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LANDeskInventoryClient] C:\Program Files\LANDesk\LDClient\LDIScn32.exe (LANDesk Software, Ltd.)
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SDClientMonitor] C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe (LANDesk Software, Ltd.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\abbeyfield\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: Download with &Shareaza - C:\Program Files\Shareaza\RazaWebHook32.dll (Shareaza Development Team)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WEBCapture.dll2.htm ()
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WEBCapture.dll1.htm ()
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WEBCapture.dll.htm ()
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O15 - HKCU\..Trusted Domains: abbeyfield.com ([csg] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [You must be registered and logged in to see this link.] (QuickTime Object)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\abbeyfield\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\abbeyfield\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/24 16:38:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/01/12 10:50:52 | 000,208,705 | ---- | M] () - C:\Automated Summary Timesheet Template.xlsx -- [ NTFS ]
O33 - MountPoints2\{8608772e-f315-11df-9454-00166f634dee}\Shell\AutoRun\command - "" = E:\setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/07/27 13:54:05 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\abbeyfield\Desktop\OTL.exe
[2011/07/27 09:24:26 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\abbeyfield\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/25 18:32:02 | 000,000,000 | --SD | C] -- C:\Fixyou18967F
[2011/07/25 17:14:13 | 000,000,000 | --SD | C] -- C:\Fixyou
[2011/07/25 17:13:56 | 004,152,159 | R--- | C] (Swearware) -- C:\Documents and Settings\abbeyfield\Desktop\Fixyou.exe
[2011/07/25 12:59:43 | 007,375,010 | ---- | C] (Shareaza Development Team ) -- C:\Documents and Settings\abbeyfield\My Documents\Shareaza_2.5.5.0_Win32.exe
[2011/07/15 21:51:00 | 000,000,000 | ---D | C] -- C:\WIP
[2011/07/15 21:15:04 | 001,436,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\abbeyfield\Desktop\TDSSKiller.exe
[2011/07/13 10:22:36 | 000,051,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rasl2tp.svs
[2011/07/13 10:18:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/07/13 10:15:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/07/13 10:15:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/07/13 10:15:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/07/13 10:15:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/07/13 10:14:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/07/12 20:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\abbeyfield\Local Settings\Application Data\Identities
[2011/07/12 20:20:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\abbeyfield\Application Data\Ilyfe
[2011/07/12 20:20:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\abbeyfield\Application Data\Arqiok
[2011/07/12 11:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\abbeyfield\Application Data\AVG9
[2011/07/12 09:22:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\abbeyfield\Start Menu\Programs\Administrative Tools
[2011/07/12 09:22:12 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\abbeyfield\Desktop\dds.scr
[2011/06/29 20:06:33 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/27 13:54:07 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\abbeyfield\Desktop\OTL.exe
[2011/07/27 09:25:09 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/27 09:24:49 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\abbeyfield\Desktop\mbam-setup-1.51.1.1800.exe
[2011/07/27 09:20:35 | 000,002,048 | -HS- | M] () -- C:\WINDOWS\System32\c_90114.nl_
[2011/07/27 09:20:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/27 09:20:19 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/07/27 09:20:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/25 17:14:00 | 004,152,159 | R--- | M] (Swearware) -- C:\Documents and Settings\abbeyfield\Desktop\Fixyou.exe
[2011/07/25 13:27:51 | 000,117,248 | ---- | M] () -- C:\Documents and Settings\abbeyfield\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/25 12:59:56 | 007,375,010 | ---- | M] (Shareaza Development Team ) -- C:\Documents and Settings\abbeyfield\My Documents\Shareaza_2.5.5.0_Win32.exe
[2011/07/15 21:16:43 | 001,436,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\abbeyfield\Desktop\TDSSKiller.exe
[2011/07/15 21:14:51 | 001,383,430 | ---- | M] () -- C:\Documents and Settings\abbeyfield\Desktop\tdsskiller.zip
[2011/07/13 20:46:42 | 000,097,812 | ---- | M] () -- C:\Documents and Settings\abbeyfield\My Documents\2011-07-13_204501.GIF
[2011/07/13 20:45:09 | 000,878,896 | ---- | M] () -- C:\Documents and Settings\abbeyfield\My Documents\2011-07-13_204501.png
[2011/07/13 13:09:31 | 000,277,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/13 11:49:50 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\xucneurc.sys
[2011/07/13 10:19:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/07/12 20:44:24 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\irnfrnvp.sys
[2011/07/12 20:25:11 | 000,004,407 | ---- | M] () -- C:\Documents and Settings\abbeyfield\Application Data\CB6A.565
[2011/07/12 09:22:21 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\abbeyfield\Desktop\dds.scr
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/06 14:51:59 | 000,867,245 | ---- | M] () -- C:\Ponteland 2.JPG
[2011/07/06 14:51:05 | 000,860,550 | ---- | M] () -- C:\Ponteland 1.JPG
[2011/07/06 13:50:07 | 001,491,089 | ---- | M] () -- C:\mileage Claim - A Armstrong june 11.JPG
[2011/07/01 13:18:39 | 000,866,923 | ---- | M] () -- C:\Kendal Valuation Visit 5.7.11.JPG
[2011/07/01 12:04:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/01 10:27:28 | 000,816,343 | ---- | M] () -- C:\Stannah P040143662.JPG
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/15 21:24:59 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\System32\c_90114.nl_
[2011/07/15 21:14:46 | 001,383,430 | ---- | C] () -- C:\Documents and Settings\abbeyfield\Desktop\tdsskiller.zip
[2011/07/13 20:46:42 | 000,097,812 | ---- | C] () -- C:\Documents and Settings\abbeyfield\My Documents\2011-07-13_204501.GIF
[2011/07/13 20:45:09 | 000,878,896 | ---- | C] () -- C:\Documents and Settings\abbeyfield\My Documents\2011-07-13_204501.png
[2011/07/13 11:49:50 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\xucneurc.sys
[2011/07/13 10:19:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/07/13 10:18:58 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/07/13 10:15:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/13 10:15:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/13 10:15:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/13 10:15:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/13 10:15:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/12 20:44:24 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\irnfrnvp.sys
[2011/07/12 20:20:53 | 000,004,407 | ---- | C] () -- C:\Documents and Settings\abbeyfield\Application Data\CB6A.565
[2011/07/06 14:51:58 | 000,867,245 | ---- | C] () -- C:\Ponteland 2.JPG
[2011/07/06 14:51:04 | 000,860,550 | ---- | C] () -- C:\Ponteland 1.JPG
[2011/07/06 13:50:06 | 001,491,089 | ---- | C] () -- C:\mileage Claim - A Armstrong june 11.JPG
[2011/07/01 13:18:39 | 000,866,923 | ---- | C] () -- C:\Kendal Valuation Visit 5.7.11.JPG
[2011/07/01 10:27:27 | 000,816,343 | ---- | C] () -- C:\Stannah P040143662.JPG
[2011/06/26 17:56:14 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\cssfx.sys
[2011/06/23 16:45:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/23 13:34:19 | 000,005,932 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\punvj0rj43t4v6
[2011/06/23 13:34:19 | 000,005,932 | -HS- | C] () -- C:\Documents and Settings\abbeyfield\Local Settings\Application Data\punvj0rj43t4v6
[2011/03/07 15:45:23 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2010/10/04 11:02:41 | 000,482,408 | ---- | C] () -- C:\WINDOWS\ssndii.exe
[2010/10/04 11:02:14 | 000,011,650 | -H-- | C] () -- C:\Documents and Settings\abbeyfield\Application Data\SmarThruOptions.xml
[2010/10/04 11:01:47 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\SecSNMP.dll
[2010/10/04 11:01:33 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\SamFaxPort.dll
[2010/10/04 10:59:20 | 000,113,768 | R--- | C] () -- C:\WINDOWS\Wiainst.exe
[2010/10/04 10:54:05 | 000,022,723 | ---- | C] () -- C:\WINDOWS\System32\sst1cl3.dll
[2010/10/04 10:53:25 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\SaXPUIEx.dll
[2010/10/04 10:53:25 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\SaXPSTI.dll
[2010/10/04 10:53:24 | 000,143,872 | ---- | C] () -- C:\WINDOWS\System32\SaXPWIA.dll
[2010/10/04 10:53:24 | 000,139,776 | ---- | C] () -- C:\WINDOWS\System32\SaXPEH.dll
[2010/10/04 10:53:24 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\SaXPIPH.dll
[2010/05/18 12:52:23 | 000,117,248 | ---- | C] () -- C:\Documents and Settings\abbeyfield\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/14 22:56:06 | 010,830,680 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2010/05/14 22:56:06 | 000,102,744 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2010/05/14 22:55:58 | 000,290,648 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2010/05/14 22:47:00 | 000,090,071 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/05/10 12:14:25 | 000,117,469 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
[2010/05/07 19:46:36 | 000,014,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2010/05/07 19:43:30 | 000,025,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2010/04/30 16:16:38 | 000,069,063 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2010/04/30 16:16:37 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2010/04/09 12:26:07 | 001,821,566 | ---- | C] () -- C:\Program Files\FSCaptureSetup65.exe
[2010/03/17 16:11:48 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\abbeyfield\Local Settings\Application Data\fusioncache.dat
[2010/03/17 15:25:08 | 000,110,436 | ---- | C] () -- C:\WINDOWS\hpoins11.dat.temp
[2010/03/17 15:25:07 | 000,006,947 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat.temp
[2010/03/09 12:45:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2010/02/23 13:38:13 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/11/26 13:51:32 | 000,000,025 | ---- | C] () -- C:\WINDOWS\ENABLING.INI
[2008/11/24 17:34:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2008/11/24 16:42:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/11/24 16:35:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/11/24 16:05:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/11/24 16:04:16 | 000,277,352 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/20 01:28:30 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
[2005/03/22 00:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 00:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 11:00:00 | 000,444,784 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 11:00:00 | 000,072,660 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 11:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 11:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 11:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/07/12 20:43:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Arqiok
[2011/07/12 11:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\AVG9
[2011/03/07 15:46:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\abbeyfield\Application Data\BabylonToolbar
[2009/02/23 17:44:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\abbeyfield\Application Data\ICAClient
[2011/07/12 20:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Ilyfe
[2010/11/09 12:41:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Leadertech
[2010/03/09 13:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\MSNInstaller
[2011/04/18 12:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Omem
[2010/09/02 13:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Participatory Culture Foundation
[2011/03/24 14:41:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\PCF-VLC
[2011/07/25 16:43:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Shareaza
[2010/10/04 11:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\SmarThru4
[2011/07/25 15:37:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Spotify
[2011/04/18 12:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\abbeyfield\Application Data\Xuezus
[2011/07/13 10:09:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/05/04 12:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bIi06511gCdCp06511
[2011/03/15 12:07:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/06/23 22:19:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/07/27 09:20:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vulScan
[2011/07/27 09:20:19 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/11/24 16:38:50 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/01/12 10:50:52 | 000,208,705 | ---- | M] () -- C:\Automated Summary Timesheet Template.xlsx
[2011/07/13 11:29:11 | 000,012,518 | ---- | M] () -- C:\AVG.docx
[2008/11/24 16:32:56 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/07/13 10:19:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2008/11/24 16:38:50 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/11/24 16:38:50 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/07/01 13:18:39 | 000,866,923 | ---- | M] () -- C:\Kendal Valuation Visit 5.7.11.JPG
[2011/07/06 13:50:07 | 001,491,089 | ---- | M] () -- C:\mileage Claim - A Armstrong june 11.JPG
[2008/11/24 16:38:50 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/03/07 15:50:54 | 000,002,113 | ---- | M] () -- C:\northern map.pdf
[2010/11/02 17:49:10 | 001,462,870 | ---- | M] () -- C:\Northern September 2010.2011.xlsx
[2004/08/04 11:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/11/24 18:14:22 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/07/27 09:20:06 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2011/03/18 12:45:29 | 000,366,046 | ---- | M] () -- C:\Penrith CT 2001_12 1.jpg
[2011/03/18 12:46:06 | 000,362,641 | ---- | M] () -- C:\Penrith CT 2011_12 2.jpg
[2011/07/06 14:51:05 | 000,860,550 | ---- | M] () -- C:\Ponteland 1.JPG
[2011/07/06 14:51:59 | 000,867,245 | ---- | M] () -- C:\Ponteland 2.JPG
[2011/06/29 20:09:01 | 000,000,310 | ---- | M] () -- C:\rkill.log
[2011/03/21 16:28:44 | 000,035,171 | ---- | M] () -- C:\Staffing Hours.xlsx
[2011/07/01 10:27:28 | 000,816,343 | ---- | M] () -- C:\Stannah P040143662.JPG
[2011/04/18 13:03:21 | 000,042,156 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_18.04.2011_12.55.44_log.txt
[2011/04/18 16:08:38 | 000,042,718 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_18.04.2011_16.07.12_log.txt
[2011/06/23 13:50:03 | 000,042,718 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_23.06.2011_13.47.47_log.txt
[2011/06/23 16:19:01 | 000,086,298 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_23.06.2011_16.17.36_log.txt
[2011/06/23 22:16:25 | 000,042,718 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_23.06.2011_22.15.38_log.txt
[2011/07/15 21:16:23 | 000,002,150 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_15.07.2011_21.15.30_log.txt
[2011/07/15 21:17:59 | 000,043,574 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_15.07.2011_21.17.05_log.txt
[2011/07/15 21:48:33 | 000,002,150 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_15.07.2011_21.29.22_log.txt
[2011/07/16 09:13:37 | 000,042,424 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_16.07.2011_09.11.57_log.txt
[2011/07/25 17:03:39 | 000,042,424 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_25.07.2011_17.01.58_log.txt
[2011/01/10 10:41:50 | 000,025,333 | ---- | M] () -- C:\Timesheet.xlsx
[2011/04/20 16:09:04 | 000,273,551 | ---- | M] () -- C:\Wray Bros.jpg
[2011/04/20 16:11:33 | 000,273,552 | ---- | M] () -- C:\_20110420_16110707.jpg
[2011/05/09 11:02:34 | 000,233,840 | ---- | M] () -- C:\_20110509_11020801.jpg
[2011/05/20 15:44:28 | 000,300,673 | ---- | M] () -- C:\_20110520_15435901.jpg
[2011/05/20 15:52:23 | 000,308,516 | ---- | M] () -- C:\_20110520_15515707.jpg

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/11/24 16:03:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2008/11/24 16:03:28 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2008/11/24 16:03:28 | 000,897,024 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2011/06/26 17:56:14 | 000,054,016 | ---- | M] () -- C:\WINDOWS\system32\drivers\cssfx.sys
[2011/07/12 20:44:24 | 000,054,016 | ---- | M] () -- C:\WINDOWS\system32\drivers\irnfrnvp.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2011/04/29 17:19:43 | 000,456,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2011/07/15 21:18:48 | 000,051,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rasl2tp.sys
[2011/07/13 11:49:50 | 000,054,016 | ---- | M] () -- C:\WINDOWS\system32\drivers\xucneurc.sys

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\abbeyfield\My Documents\Shareaza Downloads:Shareaza.GUID
@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\abbeyfield\My Documents\My Pictures:Shareaza.GUID
@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\abbeyfield\My Documents\My Music:Shareaza.GUID
@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\abbeyfield\My Documents\My Albums:Shareaza.GUID
@Alternate Data Stream - 16 bytes -> C:\Adele 21:Shareaza.GUID

< End of report >

jay_b

Re: Google Redirect Virus

Post by jay_b on Wed Jul 27, 2011 1:03 pm

OTL Extras logfile created on: 27/07/2011 13:56:21 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\abbeyfield\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1015.36 Mb Total Physical Memory | 474.64 Mb Available Physical Memory | 46.75% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.21% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.79 Gb Total Space | 28.85 Gb Free Space | 51.71% Space Free | Partition Type: NTFS

Computer Name: ABEXL0002 | User Name: abbeyfield | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\system32\cba\pds.exe" = C:\WINDOWS\system32\cba\pds.exe:*:Enabled:LANDesk Ping Discovery Service -- (LANDesk Software Ltd.)
"C:\WINDOWS\system32\msgsys.exe" = C:\WINDOWS\system32\msgsys.exe:*:Enabled:LANDesk Message Service -- (LANDesk Software Ltd.)
"C:\Program Files\LANDesk\LDClient\issuser.exe" = C:\Program Files\LANDesk\LDClient\issuser.exe:*:Enabled:LANDesk Remote Control Agent -- (LANDesk Software, Ltd.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\WINDOWS\twain_32\Samsung\ScanMgr.exe" = C:\WINDOWS\twain_32\Samsung\ScanMgr.exe:*:Enabled:Scan Manger -- (Samsung Electronics)
"C:\WINDOWS\twain_32\Samsung\CLX3170\Scan2Pc.exe" = C:\WINDOWS\twain_32\Samsung\CLX3170\Scan2Pc.exe:*:Enabled:ScanToPC -- ()
"C:\WINDOWS\twain_32\Samsung\CLX3170\Sscan2io.exe" = C:\WINDOWS\twain_32\Samsung\CLX3170\Sscan2io.exe:*:Enabled:SScanToIO -- ()
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Documents and Settings\abbeyfield\Local Settings\Temporary Internet Files\Content.IE5\9IU4HVG9\PDFConverterSetup[1].exe" = C:\Documents and Settings\abbeyfield\Local Settings\Temporary Internet Files\Content.IE5\9IU4HVG9\PDFConverterSetup[1].exe:*:Enabled:InstallCore™
"C:\Program Files\SamsungPrinterLiveUpdate\SP_Connector.exe" = C:\Program Files\SamsungPrinterLiveUpdate\SP_Connector.exe:*:Disabled:Samsung Printer Connector -- (Samsung Printer)
"C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprbUpdate.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprbUpdate.exe:*:Disabled:Hewlett-Packard Product Assistant -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe" = C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Disabled:HP Software Update Client -- (Hewlett-Packard)
"C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe" = C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe:*:Disabled:Logitech Updater -- (Logitech, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Citrix\ICA Client\wfica32.exe" = C:\Program Files\Citrix\ICA Client\wfica32.exe:*:Enabled:Citrix Client Engine -- (Citrix Systems, Inc.)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
"C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpBrowser.exe" = C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpBrowser.exe:*:Disabled:mcci+McciBrowser -- (Alcatel-Lucent)
"C:\Program Files\Common Files\Java\Java Update\jaucheck.exe" = C:\Program Files\Common Files\Java\Java Update\jaucheck.exe:*:Enabled:Java(TM) Update Client Checker -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Windows Media Player\wmplayer.exe" = C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player -- (Microsoft Corporation)
"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" = C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe:*:Enabled:Adobe Reader and Acrobat Manager -- (Adobe Systems Incorporated)
"C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe" = C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe:*:Disabled:mcci+McciTrayApp -- (Alcatel-Lucent)
"C:\Program Files\Apple Software Update\SoftwareUpdate.exe" = C:\Program Files\Apple Software Update\SoftwareUpdate.exe:*:Disabled:Apple Software Update -- (Apple Inc.)
"C:\WINDOWS\system32\WgaTray.exe" = C:\WINDOWS\system32\WgaTray.exe:*:Disabled:Windows Genuine Advantage Notifications -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Common Files\Java\Java Update\jusched.exe" = C:\Program Files\Common Files\Java\Java Update\jusched.exe:*:Enabled:Java(TM) Update Scheduler -- (Sun Microsystems, Inc.)
"C:\Program Files\Common Files\Java\Java Update\jucheck.exe" = C:\Program Files\Common Files\Java\Java Update\jucheck.exe:*:Enabled:Java(TM) Update Checker -- (Sun Microsystems, Inc.)
"C:\Program Files\LANDesk\LDClient\LDISCN32.EXE" = C:\Program Files\LANDesk\LDClient\LDISCN32.EXE:*:Enabled:Inventory Scanner for Windows -- (LANDesk Software, Ltd.)
"C:\Documents and Settings\abbeyfield\Local Settings\Temp\0.7029722626396282.exe" = C:\Documents and Settings\abbeyfield\Local Settings\Temp\0.7029722626396282.exe:*:Enabled:0.7029722626396282
"C:\Documents and Settings\abbeyfield\Local Settings\Temp\0.15735610579295667.exe" = C:\Documents and Settings\abbeyfield\Local Settings\Temp\0.15735610579295667.exe:*:Enabled:0.15735610579295667
"C:\Documents and Settings\abbeyfield\Application Data\Adobe\plugs\mmc102.exe" = C:\Documents and Settings\abbeyfield\Application Data\Adobe\plugs\mmc102.exe:*:Disabled:mmc102.exe
"C:\Documents and Settings\abbeyfield\Application Data\dwm.exe" = C:\Documents and Settings\abbeyfield\Application Data\dwm.exe:*:Disabled:dwm
"C:\Documents and Settings\abbeyfield\Local Settings\Temp\csrss.exe" = C:\Documents and Settings\abbeyfield\Local Settings\Temp\csrss.exe:*:Disabled:csrss
"C:\ComboFix\ComboFix-Download.cfxxe" = C:\ComboFix\ComboFix-Download.cfxxe:*:Enabled:ComboFix-Download
"C:\Documents and Settings\abbeyfield\Desktop\TDSSKiller.exe" = C:\Documents and Settings\abbeyfield\Desktop\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)
"C:\Program Files\LANDesk\Shared Files\residentagent.exe" = C:\Program Files\LANDesk\Shared Files\residentagent.exe:*:Enabled:LANDesk(R) Management Agent -- (LANDesk Software, Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 22
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{4462265B-3DC7-44AD-B56D-D09BA67BA422}" = 6300
"{45734758-4041-4EA8-8E62-DE661FC3879C}" = LANDesk(R) Common Base Agent 8
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{461073BF-9642-4A73-B58E-157358D412AB}" = 6200
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{6518675B-CC8D-4AB3-A3F6-CC02FF6548D7}" = 6200_Help
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}" = LANDesk Advance Agent
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90F1943D-EA4A-4460-B59F-30023F3BA69A}" = SmarThru 4
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB706D91-2242-4E1D-B4D0-1ED35387F5A7}" = Microsoft Office Excel 2007 Get Started Tab
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{BB7DEA41-298E-450B-9C3A-E7B48D9D021B}" = 6300_Help
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C3F81504-72F3-4262-9449-487404DA75BB}" = 6200Trb
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{DAB5C521-80B2-48C3-B0DA-326A1B331F55}" = GoToAssist Corporate
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F2AB49F2-D632-446C-9A6E-5B4A98DFF13B}" = 6300Trb
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BT Business Broadband Desktop Help" = BT Business Broadband Desktop Help
"BTBusinessHub" = BTBusinessHub
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FastStone Capture" = FastStone Capture 6.6
"GoToAssist" = GoToAssist Corporate
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ProInst" = Intel(R) PROSet/Wireless Software
"Samsung CLX-3170 Series" = Samsung CLX-3170 Series
"SmarThru PC Fax" = SmarThru PC Fax
"Spotify" = Spotify
"VLC media player" = VLC media player 1.0.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/07/2011 05:05:42 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

Error - 16/07/2011 07:14:08 | Computer Name = ABEXL0002 | Source = Application Error | ID = 1000
Description = Faulting application hpqste08.exe, version 70.0.170.0, faulting module
unknown, version 0.0.0.0, fault address 0x00a8fd32.

Error - 16/07/2011 07:24:41 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

Error - 25/07/2011 05:32:03 | Computer Name = ABEXL0002 | Source = Application Error | ID = 1000
Description = Faulting application hpqste08.exe, version 70.0.170.0, faulting module
unknown, version 0.0.0.0, fault address 0x00a920bb.

Error - 25/07/2011 05:37:53 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

Error - 25/07/2011 12:04:34 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

Error - 25/07/2011 12:15:11 | Computer Name = ABEXL0002 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 25/07/2011 15:16:17 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

Error - 27/07/2011 04:21:27 | Computer Name = ABEXL0002 | Source = Application Error | ID = 1000
Description = Faulting application hpqste08.exe, version 70.0.170.0, faulting module
unknown, version 0.0.0.0, fault address 0x00a90ae8.

Error - 27/07/2011 05:12:09 | Computer Name = ABEXL0002 | Source = Inventory Scanner | ID = 25
Description = LDIScn32: Failed to resolve the Host Nam

[ OSession Events ]
Error - 16/08/2010 11:53:19 | Computer Name = ABEXL0002 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 36
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 25/07/2011 06:16:13 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:13 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:13 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:13 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:18 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:18 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:18 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:18 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:23 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 25/07/2011 06:16:23 | Computer Name = ABEXL0002 | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2


< End of report >


Re: Google Redirect Virus

Post by Kenny94 on Wed Jul 27, 2011 8:04 pm

I'm reviewing your log and will have some more instructions for you in a short while.


Re: Google Redirect Virus

Post by Kenny94 on Thu Jul 28, 2011 6:16 pm

Please run OTL.exe.

  • Copy the commands with file paths below (Do Not copy the word CODE:) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :OTL

    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O15 - HKCU\..Trusted Domains: abbeyfield.com ([csg] https in Trusted sites)
    O33 - MountPoints2\{8608772e-f315-11df-9454-00166f634dee}\Shell\AutoRun\command - "" = E:\setupSNK.exe

    :Commands
    [RESETHOSTS]
    [purity]
    [Reboot]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next


Please run the MGA Diagnostic Tool and post back the report it creates:

  • Download [You must be registered and logged in to see this link.] to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.




Re: Google Redirect Virus

Post by jay_b on Thu Jul 28, 2011 7:46 pm

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 76487-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {2CF1EA82-ED1D-47EE-A155-4180D51129E5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: ~[Filtered]~

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 17B86:Dell Inc|17B86:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A



Re: Google Redirect Virus

Post by Kenny94 on Thu Jul 28, 2011 9:30 pm

Can you post the OTL log?


Re: Google Redirect Virus

Post by jay_b on Fri Jul 29, 2011 7:55 am

[You must be registered and logged in to see this link.] wrote:

  • Download [You must be registered and logged in to see this link.] to your desktop.
  • Double-Click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Under the Standard Registry box change it to All.
  • Under the Extra Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold



netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90



  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Do I run OTL again using the same instructions as when I ran it? Just by opening OTL, no log appears.

thanks


Re: Google Redirect Virus

Post by Kenny94 on Fri Jul 29, 2011 1:51 pm

Are you still experiencing the redirects at this point? ComboFix should run even with AVG installed as it has been updated. Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

And follow the instructions in the ComboFix post. And post the log please.


Re: Google Redirect Virus

Post by jay_b on Fri Jul 29, 2011 2:19 pm

Once my desktop loads up, I only have a blank Windows insert showing 'hello2' and 'hello4'; it is not letting me access the internet etc. The system runs very slowly then freezes up.

This message was sent from an alternative computer.

Tried safe mode and although the desktop appears, I am unable to open anything that I double-click or run,
i.e. internet, malware, TDSSKiller.


Re: Google Redirect Virus

Post by Kenny94 on Fri Jul 29, 2011 5:00 pm

Since you cannot access your infected computer, you will have to download the required tools from your clean computer and move them to the infected computer with some removable media, for example burn it to a CD or write it to an USB flash disk.

If you use a USB flash disk, I highly recommend you immunize it first, to prevent malware using the USB flash drive for spreading itself.

Please download Flash_Disinfector by sUBs from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool
  • When requested, insert the USB flash disk(s) you want to immunize/disinfect
  • Hold down the Shift key when inserting the drive(s) until Windows detects the drive
  • Click OK to start the disinfection process
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that you choose to disinfect. Do not delete that folder!

====================



Also, print out or save these instructions into Notepad on a flash drive (so you can see how to run the tools). If you can't save it to the desktop of the infected computer, you can run it right off of the flash drive.

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are two different versions. If one of them won't run then download and try to run the other one.
Vista and Windows 7 users need to right-click and choose Run as Administrator
You only need to get one of them to run, not both of them.

  1. [You must be registered and logged in to see this link.] -
  2. [You must be registered and logged in to see this link.]


Please post the log in your next reply (to see what was terminated).

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Once you've gotten one of them to run then try to immediately run the following:

Download and run ComboFix. ComboFix should run again. When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.

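An added example, not code from the thread or from Flash_Disinfector, showing why the folder-named-autorun.inf immunization described above works: it reads what an autorun.inf at a drive root would launch (the kind of entry that leaves a cached O33 MountPoints2 AutoRun command such as the one in the OTL fix), and creates the blocking folder only where no autorun.inf exists yet. The sample autorun.inf content, the temporary directory standing in for a drive root, and all function names are constructed for this example.

```python
"""Added example: inspect and immunize a drive root's autorun.inf (constructed)."""
import os
import tempfile

# autorun.inf keys that make Windows launch a program when the drive is
# inserted or opened; a worm-dropped autorun.inf sets one of these.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section of an INI-style autorun.inf as {key: value}.

    Keys and the section name are lowercased because Windows treats them
    case-insensitively; ';' comment lines are skipped.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """List the (key, command) pairs that would run a program: open=,
    shellexecute=, and shell\\<verb>\\command= entries."""
    cmds = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append((key, value))
    return cmds


def autorun_state(drive_root):
    """Classify a drive root.

    'immunized': autorun.inf exists as a folder, so nothing can create a
                 file of that name (the trick Flash_Disinfector uses)
    'absent':    no autorun.inf at all
    'file':      a real autorun.inf; the second value lists what it launches
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "immunized", []
    if not os.path.isfile(path):
        return "absent", []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "file", launch_commands(parse_autorun(fh.read()))


def immunize(drive_root):
    """Create the autorun.inf folder. An existing autorun.inf file is left
    untouched so the evidence is not destroyed; returns the resulting state."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.exists(path):
        os.mkdir(path)
    return autorun_state(drive_root)[0]


# Constructed sample: an autorun.inf that would make Windows run setupSNK.exe
# from the drive and cache that command under MountPoints2.
SAMPLE_AUTORUN = """[AutoRun]
; constructed for this example
open=setupSNK.exe
shell\\open\\command=setupSNK.exe
icon=setup.ico
"""


def demo():
    """Walk a temporary 'drive root' through absent -> file -> immunized."""
    with tempfile.TemporaryDirectory() as root:
        before = autorun_state(root)[0]            # 'absent'
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        state, cmds = autorun_state(root)          # 'file' plus two launch commands
        untouched = immunize(root)                 # still 'file': not overwritten
        os.remove(os.path.join(root, "autorun.inf"))
        after = immunize(root)                     # 'immunized'
        return before, state, sorted(cmds), untouched, after


if __name__ == "__main__":
    print(demo())
```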

Re: Google Redirect Virus

Post by jay_b on Fri Jul 29, 2011 8:52 pm


Copied to disc and transferred. Attempted to run from disc on the infected computer.
Black screen pops up but then I immediately receive a problem message: "encountered a problem and unable to continue. Do I want to send details to Microsoft or not." This is the same type of message I would normally receive when a programme crashes.

Tried both exeHelper files but same message with both.



Re: Google Redirect Virus

Post by Kenny94 on Fri Jul 29, 2011 9:57 pm

Okay, well first off you need to separate all of the computers from each other. They cannot be on the same network at the same time. I've used Avira AntiVir Rescue System with success to move on to the next stage.

Avira AntiVir Rescue System requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.].
    If you encounter problems running the Rescue Disk, you can get further assistance at the [You must be registered and logged in to see this link.].
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.

    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)

  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • When the scan is finished, you can save the scan report by clicking on Save and then choosing where to save it. Be sure to save the report and post it for further review.



Note:

If you need an ISO burner, download [You must be registered and logged in to see this link.], a standalone ISO burner. You need to download the Avira Rescue disk and save it to your desktop. Open BurnCDCC > click the browse button and select the Avira package. Place an empty disk in your burner. Slide the speed bar down to 2x. Place a check mark in the boxes Read Verify, Finalize and Auto Eject. Click the start button. When complete the burner tray will slide open. You now have a bootable disk to move on.


Re: Google Redirect Virus

Post by jay_b on Sun Jul 31, 2011 8:27 pm

Now running


Re: Google Redirect Virus

Post by Kenny94 on Sun Jul 31, 2011 9:56 pm

Okay, be sure to save the scan report and post it please.


Re: Google Redirect Virus

Post by jay_b on Mon Aug 01, 2011 7:23 am

Avira / Linux Version 1.9.152.0
Copyright (c) 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.6.22
VDF Version: 7.11.12.171
Scan start time: Sun Jul 31 23:54:44 2011
configuration file: /etc/avira/scancl.conf
ALERT: [JAVA/Stutter.J.2] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/24/53f48ad8-7ad6bce2 <<< Contains signature of the Java virus JAVA/Stutter.J.2 [renamed]


ALERT: [Java/Exdoer.G] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/35/7523cea3-56a9e8d3 --> powerColor/c1.class <<< Contains signature of the Java virus JAVA/Exdoer.G [archive scan abort]


ALERT: [TR/Dldr.Karagany.A.287] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/37/25dfa8e5-6e01e5db <<< Is the Trojan horse TR/Dldr.Karagany.A.287 [renamed]


ALERT: [EXP/CVE-2010-0840.BG] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/37/29212065-2d90d690 --> folder/Glocker.class <<< Contains signature of the exploits EXP/CVE-2010-0840.BG [archive scan abort]


ALERT: [Java/Agent.AO] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/36fe39b6-65d6c7cc --> google/stomp.class <<< Contains signature of the Java virus JAVA/Agent.AO [archive scan abort]


ALERT: [EXP/Java.BN] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/680b9df6-47a63d6a --> bingo/haskalu.class <<< Contains signature of the exploits EXP/Java.BN [archive scan abort]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-211dd4cd <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-479594a2 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-530781c9 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-68c4baad <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-765da3a9 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-7e8fae05 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


WARNING: [Unsupported archive type] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/RACE 07 ot Akella/Race'07-Image/RACE07.iso


WARNING: [Error writing file] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/RACE07.iso


WARNING: [Bad compressed data] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2001-10-29 A Camp - Live at KB, Malmo/artwork.zip


WARNING: [Unexpected end of file] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2003-06-28 Live at Roskilde/artwork.zip


WARNING: [A malformed archive header was detected] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2004-02-14 Live at Popstad/artwork_and_info.zip


WARNING: [A malformed archive header was detected] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2004-02-14 Live at Popstad/artwork_and_info.zip


WARNING: [Unsupported archive type] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/[PC] Race The WTCC Game [RIP] [dopeman]/WTCC.7z


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Documents and Settings/NetworkService/Local Settings/Application Data/gnp.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/amclient.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/LDIScn32.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/issuser.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/SoftMon.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/tmcsvc.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/WebPortal/sdclientmonitor.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Spy.ZBot.86016.3] /media/Devices/sda2/Program Files/LANDesk/LDClient/LocalSch.EXE <<< Is the Trojan horse TR/Spy.ZBot.86016.3 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/Shared Files/residentAgent.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Adobe/Reader 9.0/Reader/Reader_sl.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/ATI Technologies/ATI Control Panel/atiptaxx.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/BT Business Broadband Desktop Help/btbb/BTHelpNotifier.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Common Files/Adobe/ARM/1.0/AdobeARM.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Common Files/Java/Java Update/jusched.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Gendal.6181686] /media/Devices/sda2/Program Files/Common Files/LogiShrd/LVMVFM/LVPrcSrv.exe <<< Is the Trojan horse TR/Gendal.6181686 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Common Files/Motive/McciCMService.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/Program Files/FastStone Capture/uninst.exe


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Hewlett-Packard/HP Software Update/HPWuSchd2.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/Dot1XCfg.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Gendal.6113986] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/EvtEng.exe <<< Is the Trojan horse TR/Gendal.6113986 [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/ifrmewrk.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/RegSrvc.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Gendal.6133535] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/S24EvMon.exe <<< Is the Trojan horse TR/Gendal.6133535 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/WLKEEPER.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/ZCfgSvc.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Kazy.25211.21] /media/Devices/sda2/Program Files/Java/jre6/bin/jqs.exe <<< Is the Trojan horse TR/Kazy.25211.21 [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/QuickTime/qttask .exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/QuickTime/qttask.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Microsoft Office/Office12/GrooveMonitor.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


WARNING: [Archive is invalid or corrupt] /media/Devices/sda2/Program Files/WinRAR/rarnew.dat


ALERT: [BDS/ZAccess.dg] /media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/assembly/GAC_MSIL/desktop.ini.vir <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.dg Backdoor server programs [renamed]


ALERT: [TR/Rootkit.Gen] /media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/system32/Drivers/rasl2tp.sys.vir <<< Is the Trojan horse TR/Rootkit.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/WINDOWS/system32/wuauclt.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/WINDOWS/Temp/5047e27c-9de0-4fcb-b2de-659dba8a5439.tmp


WARNING: [Bad compressed data] /media/Devices/sda2/WINDOWS/Temp/36942b83-95bc-4f9c-a8af-05eee793baf0.tmp


WARNING: [Bad compressed data] /media/Devices/sda2/WINDOWS/Temp/bdb4a872-8f78-4d2f-bb95-baa15d81f819.tmp


WARNING: [Error reading file] /media/Devices/sda2/WINDOWS/Temp/4ad3185e-3ac9-4896-97e3-86bbaf498956.tmp


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/WINDOWS/Temp/hki377.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/Temp/tjnvac/setup.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


WARNING: [File is encrypted] /media/Devices/sda2/WINDOWS/Temp/SAS_SelfExtract/Quarantine/Quarantine - 06-26-2011 - 17-55-19.SBU


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/Temp/Jdr.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/twain_32/Samsung/CLX3170/Scan2pc .exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/twain_32/Samsung/CLX3170/Scan2pc.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/WINDOWS/Fonts/J0uR2JE.com_ <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [BDS/ZAccess.bc] /media/Devices/sda2/WINDOWS/assembly/GAC_MSIL/Desktop(2).ini <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.bc Backdoor server programs [renamed]


ALERT: [BDS/ZAccess.dg] /media/Devices/sda2/WINDOWS/assembly/GAC_MSIL/Desktop.ini <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.dg Backdoor server programs [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0001011.com <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008015.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008016.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008017.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/VB.Downloader.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008020.exe <<< Is the Trojan horse TR/VB.Downloader.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008021.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


Statistics :
Directories............... : 8041
Archives.................. : 1388
Files..................... : 303226
Infected.............. : 57
Renamed........... : 57
Warnings.............. : 14
Suspicious............ : 0
Infections................ : 57


Re: Google Redirect Virus

Post by Kenny94 on Tue Aug 02, 2011 3:36 pm

You must first verify that you can logon to the Windows Recovery Console. ComboFix should have installed one for you.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

[You must be registered and logged in to see this link.]

Please download [You must be registered and logged in to see this link.] to your desktop

  • Double click and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals (every time it is run).
  • Log is saved to c:\maxhandle.txt
  • If Max++ is not found, "Nothing found!" is echoed to the screen and no log is produced.
Please post this log.


Re: Google Redirect Virus

Post by jay_b on Tue Aug 02, 2011 4:34 pm

I now have the Windows Recovery Console installed. Am I to boot into Recovery Console mode and run it?

I have downloaded maxhandle.exe onto a USB stick and added it to my desktop, but each time I attempt to run it, it brings up a request for which program to download/open the file with (Adobe, Media Player, Windows Picture Viewer, etc.).


Re: Google Redirect Virus

Post by Kenny94 on Wed Aug 03, 2011 12:41 am

run it brings a request for which program to download/open file with - Adobe, media player, windows picture viewer etc etc
Does this happen with other applications, for example Malwarebytes?


Re: Google Redirect Virus

Post by jay_b on Wed Aug 03, 2011 9:39 am

It happens with all current applications on my desktop, including Internet Explorer and Malwarebytes, asking which program I would like to open it with.


Re: Google Redirect Virus

Post by Kenny94 on Wed Aug 03, 2011 12:05 pm

We need to do an extension fix:

Open Notepad and copy and paste the text present in the code box below into it
(don't forget to copy and paste REGEDIT4):


Code:
REGEDIT4

; Remove any per-user override of how .exe files are opened
[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

; Remove the open command placed directly under the .exe extension key
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Point .exe back at the standard "exefile" handler
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

; Remove the leftover "secfile" handler class
[-HKEY_CLASSES_ROOT\secfile]

Save this as fix.reg (choose "Save as type: All Files") and place it on your desktop.
It should look like this:

Double-click on it and, when it asks if you want to merge the contents into the registry, click Yes/OK.

Please Reboot your computer.

Then run maxhandle.exe

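To confirm what the fix above undoes, here is an added read-only PowerShell check (an example written for this page, not from the thread or from any tool it mentions) of the same keys fix.reg deletes and restores. It assumes a Windows PowerShell session on the affected machine and that the stock exefile open command is `"%1" %*`, which is the Windows default.

```powershell
# Added example, not from the thread: read-only audit of the .exe association
# keys that fix.reg deletes or restores. Assumes Windows PowerShell on the PC.

function Test-ExeAssociation {
    $findings = @()
    $stockOpen = '"%1" %*'   # Windows default open command for exefile

    # Keys the fix deletes: none of these exist on a clean system. A per-user
    # .exe handler under HKCU silently overrides the machine-wide one.
    $mustBeAbsent = @(
        'HKCU:\Software\Classes\.exe\shell\open\command',
        'HKCU:\Software\Classes\secfile\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\secfile'
    )
    foreach ($key in $mustBeAbsent) {
        if (Test-Path -LiteralPath $key) {
            $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            $findings += "Unexpected key: $key (default = '$cmd')"
        }
    }

    # Keys the fix restores: .exe must map to the stock 'exefile' handler ...
    $dotExe = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue
    if ($null -eq $dotExe -or $dotExe.'(default)' -ne 'exefile') {
        $findings += "HKCR\.exe default is '$($dotExe.'(default)')', expected 'exefile'"
    }
    if ($dotExe -and $dotExe.'Content Type' -ne 'application/x-msdownload') {
        $findings += "HKCR\.exe Content Type is '$($dotExe.'Content Type')', expected 'application/x-msdownload'"
    }

    # ... and exefile's open command must be the Windows default. Anything else
    # (another program placed in front of %1) proxies every .exe launch.
    $open = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue
    if ($null -eq $open -or $open.'(default)' -ne $stockOpen) {
        $findings += "HKCR\exefile open command is '$($open.'(default)')', expected '$stockOpen'"
    }

    # Unary comma keeps an empty array from collapsing to $null on return
    return ,$findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) {
    Write-Output 'OK: .exe association matches the Windows default.'
} else {
    Write-Output 'Association hijack indicators:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

Run it before merging fix.reg to record what was changed, and again after the reboot to confirm the keys are back to the default.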

Re: Google Redirect Virus

Post by jay_b on Wed Aug 03, 2011 12:45 pm

Just to confirm, I extracted the files from Maxhandle.exe and ran 'hand.bat', as it would not allow me to run it by double-clicking the maxhandle icon saved on my desktop.

Maxhandle.txt:


Run from on 03/08/2011 at 13:43:03.10

found C:\WINDOWS\system32\config\rkdannio



Re: Google Redirect Virus

Post by Kenny94 on Wed Aug 03, 2011 2:34 pm

Run TDSSKiller as you did in post 10. Post this log please.


Re: Google Redirect Virus

Post by jay_b on Wed Aug 03, 2011 2:56 pm

Downloaded the new TDSSKiller to the desktop.
Unable to run; the same message each time I attempt to run it: it brings up a request for which program to download/open the file with (Adobe, Media Player, Windows Picture Viewer, etc.).

I have saved it to the C: drive, right-clicked and tried 'Run as'.

A warning appears: 'Can't initialize log'
followed by
'Can't load driver'

I have tried renaming the application and carried out both of the above (desktop and C: drive) with the same results.


Re: Google Redirect Virus

Post by Kenny94 on Wed Aug 03, 2011 4:13 pm

TDSSKiller needs to be on your desktop. Then, make sure extensions are shown; see [You must be registered and logged in to see this link.] for how to do this.

Then run TDSSkiller.


Re: Google Redirect Virus

Post by jay_b on Wed Aug 03, 2011 5:05 pm

TDSSKiller on the desktop, file extensions shown, but the same errors:

A warning appears: 'Can't initialize log'
followed by
'Can't load driver'

When I boot up the PC I get the following error message:

'UScroL setup has encountered a problem and needs to close'

Not sure if this causes any issues.



Re: Google Redirect Virus

Post by Kenny94 on Wed Aug 03, 2011 5:20 pm

Please download aswMBR from [You must be registered and logged in to see this link.]


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review


Re: Google Redirect Virus

Post by jay_b on Wed Aug 03, 2011 6:20 pm

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-03 19:05:39
-----------------------------
19:05:39.000 OS Version: Windows 5.1.2600 Service Pack 3
19:05:39.000 Number of processors: 1 586 0xD08
19:05:39.000 ComputerName: ABEXL0002 UserName:
19:05:39.609 Initialize success
19:06:53.312 AVAST engine defs: 11080301
19:07:41.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:07:41.156 Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
19:07:43.515 Disk 0 MBR read successfully
19:07:43.515 Disk 0 MBR scan
19:07:43.546 Disk 0 Windows XP default MBR code
19:07:43.546 Disk 0 scanning sectors +117210240
19:07:43.750 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:57.375 Service scanning
19:07:58.859 Modules scanning
19:08:03.390 Disk 0 trace - called modules:
19:08:03.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
19:08:03.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fc75e0]
19:08:03.421 3 CLASSPNP.SYS[f7587fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f5c940]
19:08:03.843 AVAST engine scan C:\WINDOWS
19:08:20.343 AVAST engine scan C:\WINDOWS\system32
19:10:18.281 File: C:\WINDOWS\system32\wuauclt.exe.vir **INFECTED** Win32:Patched-WQ [Trj]
19:10:22.453 AVAST engine scan C:\WINDOWS\system32\drivers
19:10:38.921 AVAST engine scan C:\Documents and Settings\abbeyfield
19:10:40.500 File: C:\Documents and Settings\abbeyfield\Application Data\Adobe\plugs\mmc2409671.txt **INFECTED** Win32:MalOb-DT [Cryp]
19:11:34.562 File: C:\Documents and Settings\abbeyfield\Application Data\Sun\Java\Deployment\cache\6.0\63\5f91807f-5e90eac4 **INFECTED** Win32:Trojan-gen
19:17:14.937 AVAST engine scan C:\Documents and Settings\All Users
19:18:51.968 Scan finished successfully
19:19:26.328 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
19:19:26.375 The log file has been saved successfully to "E:\aswMBR.txt"




Re: Google Redirect Virus

Post by Kenny94 on Thu Aug 04, 2011 2:47 pm

ComboFix should run and finish, but let's remove AVG:

Use the uninstaller below:

Please download [You must be registered and logged in to see this link.] to your Desktop. Double-click AppRemover.exe.
Untick "Enable anonymous usage statistic".
Click Next>>. Select AVG and click Next>>.
By clicking Next>> again, AppRemover will start the uninstall process. This may take a few minutes.
Once completed you may be prompted to restart your system. Please do so.


Note

If AVG is not listed, rerun AppRemover and select "Clean Up a Failed Uninstall". Select AVG and follow the prompts.

Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

Then follow the instructions in the ComboFix post, and post the log please.


Re: Google Redirect Virus

Post by jay_b on Thu Aug 04, 2011 5:07 pm

Installed AppRemover and ran it as instructed, but nothing found.

Downloaded and ran ComboFix as Commyfix; it does not complete, it has run for 2 hours.

Shall I rerun it and leave it until complete?


Re: Google Redirect Virus

Post by Kenny94 on Thu Aug 04, 2011 6:00 pm

ComboFix takes at least 20-30 minutes to finish if needed, so two hours is too long.

On your keyboard press Ctrl-Alt-Delete to bring up Task Manager. Open Task Manager and click the "New Task" button. Then copy/paste the following bolded text into the Create New Task box and click OK:

"%userprofile%\Desktop\Commy.exe"

ComboFix should run again. When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.

