Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

IE and Google redirects and slowness

Unread postby booboo » July 2nd, 2009, 3:06 pm

When I do a search on Google I get directed to advertisement sites. I am getting pop-up advertisements. The computer has slow moments and even pauses for a few seconds periodically.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:32 PM, on 7/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Weather Watcher\ww.exe
C:\HeavyWeather\HeavyWeatherPublisher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\HeavyWeather\heavy weather.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb127\Dealio.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Windows\Downloaded Program Files\tbcore3.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O3 - Toolbar: FaceFun - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Windows\Downloaded Program Files\tbcore3.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [agent.exe] C:\Program Files\PC\agent.exe
O4 - Startup: heavy weather.lnk = C:\HeavyWeather\heavy weather.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Users\Mike\AppData\LocalLow\Dealio\kb127\res\DealioSearch.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.doccentral.com
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.rdesk.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://samls.fnismls.com/Paragon/Codeba ... ontrol.cab
O16 - DPF: {0CE0F418-1010-442D-871C-3454827DD539} - http://facefun.com/FaceFun_webinstall/FaceFun.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resourc ... den-us.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins5/i ... pysafe.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://orhp.webex.com/client/T26L/webex/ieatgpc1.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.pyramidreo.com/ImageUploader4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bca6f4ea33cd) (gupdate1c9bca6f4ea33cd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIEE5E.tmp

--
End of file - 11066 bytes
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 5th, 2009, 10:54 am

Hello booboo,

Welcome to Malware Removal. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Forum Rules.
  • As I am currently training at Malware Removal, it will take some time for me to go through your logs, please be patient with me.
  • Be assured that any recommendations to you will be done as soon as possible and will be approved by an expert.
  • Reply and keep only to this thread. If you have the same topic elsewhere, please inform me or the other forum so that either can be closed.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • Do not use or run any tools without supervision as they may cause more harm if improperly used.
  • If you do not reply within 3 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :). We may begin.
I am working on your log now and will be back as soon as possible.

In the meantime, please post an Uninstall list:
  • Open HijackThis.
  • Open the Misc Tools section by clicking on the box.
  • Under the Systems tools, look for Open Uninstall Manager and click on it.
  • Click Save list... and save the text file in a convenient location.
  • Post the Uninstall list contents in your reply.
Last edited by Jack&Jill on July 9th, 2009, 11:13 am, edited 1 time in total.
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: IE and Google redirects and slowness

Unread postby booboo » July 5th, 2009, 11:00 am

Here is the uninstall list.

7-Zip 4.58 beta
Ad-Aware
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Color Common Settings
Adobe Color Common Settings
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe InDesign CS3
Adobe Reader 8.1.6
Adobe Setup
Adobe Setup
Adobe Setup
APC PowerChute Personal Edition
Apple Mobile Device Support
Apple Software Update
Bonjour
Brother BRAdmin Professional 2.81
Brother Internet Print 1.65
Brother MFL-Pro Suite
CAM UnZip 4.42
Compatibility Pack for the 2007 Office system
Core FTP LE 2.0
CP210x USB to UART Bridge Controller
DisplayKEY USB Cradle version 0.7.2
eChef
ExpressPCB
FormViewer
Genie Backup Manager Home 8.0
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GSiteCrawler
Heavy Weather History File Editor
HeavyWeatherPublisher 1.0
HeavyWeatherReview 1.0
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
iTunes
Jasc Paint Shop Photo Album
Java(TM) 6 Update 13
Label Magic
LightScribe Applications
LightScribe System Software 1.14.17.1
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
magicolor 2300 DL
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Professional
Microsoft Office Live Meeting 2005
Microsoft Publisher 98
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works 6-9 Converter
Microsoft WSE 3.0 Runtime
MPLAB Tools v7.60
MS Works Spreadsheet to XLS Converter
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NetObjects Fusion 10.0
NetObjects Fusion 11.0
ODF Add-in for Microsoft Word
OpenSSL 0.9.7f
PayPal Plug-In
PIC16F690 Lessons
PICkit2 v2.11
Professional Real Estate 2001
ProMash
PTGui 8.0.2
QuickTime
Remote Control USB Driver
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Solid PDF Creator Plus
Solid PDF Tools
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
The MultiForm Solution
TourBuilder V3
UIWeather
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Weather Watcher
WidgetServ 1.0
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 6th, 2009, 7:34 pm

Hello booboo,

Is this your personal computer?

Validate Windows
  • Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: IE and Google redirects and slowness

Unread postby booboo » July 6th, 2009, 10:22 pm

Yes it is my personal computer, why?



Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: 0x0
Cached Validation Code: 0x0
Windows Product Key: *****-*****-D46Y2-X8TYJ-HKDVP
Windows Product Key Hash: DNDdNpIbgFud+LI7vxBtvXl8lUE=
Windows Product ID: 89578-015-5164246-71050
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.0.6001.2.00010300.1.0.003
ID: {A697910A-3A59-48DB-ADCF-B0812BFC79BF}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6001.vistasp1_gdr.090302-1506
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 7E90FEE8-169-80004005_B4D0AA8B-587-80004005_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A697910A-3A59-48DB-ADCF-B0812BFC79BF}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-HKDVP</PKey><PID>89578-015-5164246-71050</PID><PIDType>5</PIDType><SID>S-1-5-21-1304129043-3560768821-2314269622</SID><SYSTEM><Manufacturer>ECS</Manufacturer><Model>945GCT-M</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>080012 </Version><SMBIOSVersion major="2" minor="5"/><Date>20070426000000.000000+000</Date></BIOS><HWID>8A303D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6001.18000
Name: Windows(TM) Vista, HomePremium edition
Description: Windows Operating System - Vista, RETAIL channel
Activation ID: 9e042223-03bf-49ae-808f-ff37f128d40d
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89578-00142-015-516424-01-1033-6000.0000-2812007
Installation ID: 012971150004331842824943888293558830046263359771174341
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: HKDVP
License Status: Licensed

HWID Data-->
HWID Hash Current: NgAAAAIABAABAAEAAQABAAAAAgABAAEAJJRgGbqVLOayy+BgSOSqdmZdSNvy9KxPoNOsViqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC A M I OEMAPIC
FACP A M I OEMFACP
MCFG A M I OEMMCFG
OEMB A M I AMI_OEM
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 7th, 2009, 7:59 pm

Hello booboo,

Yes it is my personal computer, why?
Well, Malware Removal has a policy regarding business computers, as stated in the Forum Rules in my first post.

Please describe which sites you were redirected to and what type of advertisement pop-ups you got.

For Windows Vista, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

Avast
Avira
AVG

Please note that only one AV should be installed at a time.

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here.

Run MBAM
  • Double click on mbam-setup.exe and follow the prompts to install the program.
  • At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
  • Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Please post back:
1. Detailed description of the problems
2. the MBAM result
3. new HijackThis log
Jack&Jill
MRU Emeritus
 
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: IE and Google redirects and slowness

Unread postby booboo » July 7th, 2009, 11:20 pm

That did not work. No offence, but it is impossible to use any search engine on my computer, making it very unusable; I am going to look for solutions myself as well.


Here are the logs.


Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 6.0.6001 Service Pack 1

7/7/2009 8:07:33 PM
mbam-log-2009-07-07 (20-07-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 384592
Time elapsed: 1 hour(s), 34 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent.exe (Trojan.Fraudtool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\PC\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\flashplayer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-1304129043-3560768821-2314269622-1001\$RDP0VAX\uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\regsv32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Guest\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\Users\The McNabs\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
c:\Windows\System32\senekapop.dll (Trojan.Agent) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:40 PM, on 7/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Weather Watcher\ww.exe
C:\HeavyWeather\HeavyWeatherPublisher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\HeavyWeather\heavy weather.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Weather Watcher\dl.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: heavy weather.lnk = C:\HeavyWeather\heavy weather.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.doccentral.com
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.rdesk.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://samls.fnismls.com/Paragon/Codeba ... ontrol.cab
O16 - DPF: {0CE0F418-1010-442D-871C-3454827DD539} - http://facefun.com/FaceFun_webinstall/FaceFun.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resourc ... den-us.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins5/i ... pysafe.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.pyramidreo.com/ImageUploader4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://pro.realquest.com/mapviewer/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bca6f4ea33cd) (gupdate1c9bca6f4ea33cd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIEE5E.tmp

--
End of file - 9469 bytes
booboo

Re: IE and Google redirects and slowness

Post by booboo » July 7th, 2009, 11:20 pm

That did not work. No offence, but it is impossible to use any search engine on my computer, making it very unusable. I am going to look for solutions myself as well.


Here are the logs.


Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 6.0.6001 Service Pack 1

7/7/2009 8:07:33 PM
mbam-log-2009-07-07 (20-07-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 384592
Time elapsed: 1 hour(s), 34 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent.exe (Trojan.Fraudtool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\PC\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\flashplayer.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-1304129043-3560768821-2314269622-1001\$RDP0VAX\uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\regsv32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Guest\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\Users\The McNabs\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
c:\Windows\System32\senekapop.dll (Trojan.Agent) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:40 PM, on 7/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Weather Watcher\ww.exe
C:\HeavyWeather\HeavyWeatherPublisher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\HeavyWeather\heavy weather.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Weather Watcher\dl.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: heavy weather.lnk = C:\HeavyWeather\heavy weather.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.doccentral.com
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.rdesk.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://samls.fnismls.com/Paragon/Codeba ... ontrol.cab
O16 - DPF: {0CE0F418-1010-442D-871C-3454827DD539} - http://facefun.com/FaceFun_webinstall/FaceFun.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resourc ... den-us.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins5/i ... pysafe.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.pyramidreo.com/ImageUploader4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://pro.realquest.com/mapviewer/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bca6f4ea33cd) (gupdate1c9bca6f4ea33cd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIEE5E.tmp

--
End of file - 9469 bytes
booboo

Re: IE and Google redirects and slowness

Post by Jack&Jill » July 8th, 2009, 7:29 pm

Hello booboo,

That did not work. No offence, but it is impossible to use any search engine on my computer, making it very unusable. I am going to look for solutions myself as well.
You got a rootkit and quite some nasty infections. These are the cause of your problem and require some complicated removal methods to overcome them. A little patience goes a long way, so I suggest you stick to this thread and follow my instructions. Any self-help or help from other sources will interfere with what I plan for you and might do more harm than good.

For Windows Vista, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Please download ComboFix© by sUBs from one of the links below and save it as boobooCF.exe to your desktop.

Link 1
Link 2
Link 3

Install Recovery Console and run ComboFix
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here.
  • Double click on boobooCF.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

A detailed step by step tutorial to run ComboFix can be found here if you need help.
Jack&Jill

Re: IE and Google redirects and slowness

Post by booboo » July 8th, 2009, 9:09 pm

ComboFix 09-07-08.04 - Mike 07/08/2009 17:30.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1319 [GMT -7:00]
Running from: c:\users\Mike\Desktop\boobooCF.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\Installer\5fd27d0.msi
c:\windows\system32\drivers\MSIVXifwrjntcvtyormxmmurerbqpahwkpiww.sys
c:\windows\system32\Ijl11.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXvuchpbbghnqprgdoapxxpikchbxfytpv.dll
c:\windows\system32\MSIVXxneyeaxxtdcpieqvibmnyvfeoxmrcyvg.dll
c:\windows\system32\oledb32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 00:46 . 2009-07-09 00:46 -------- d-----w- c:\users\The McNabs\AppData\Local\temp
2009-07-08 04:46 . 2009-07-09 00:04 -------- d-----w- c:\programdata\SITEguard
2009-07-08 04:45 . 2009-07-09 00:05 -------- d-----w- c:\programdata\STOPzilla!
2009-07-08 04:45 . 2009-07-08 04:45 -------- d-----w- c:\program files\Common Files\iS3
2009-07-08 01:27 . 2009-07-08 01:27 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
2009-07-08 01:27 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 01:27 . 2009-07-08 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 01:27 . 2009-07-08 01:27 -------- d-----w- c:\programdata\Malwarebytes
2009-07-08 01:27 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 02:20 . 2009-07-07 02:20 -------- d-----w- C:\MGADiagToolOutput
2009-07-07 02:18 . 2009-07-07 02:18 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-07-05 10:42 . 2009-07-05 08:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000360\maindata.sys
2009-07-03 11:07 . 2009-07-03 08:11 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000359\maindata.sys
2009-07-02 20:37 . 2009-07-02 20:37 -------- d-----w- c:\windows\Intuit
2009-07-01 10:06 . 2009-07-01 08:10 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000358\maindata.sys
2009-06-30 10:22 . 2009-06-30 08:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000357\maindata.sys
2009-06-28 10:01 . 2009-06-28 08:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000356\maindata.sys
2009-06-27 06:34 . 2009-06-27 06:34 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-26 09:55 . 2009-06-26 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000355\maindata.sys
2009-06-25 10:20 . 2009-06-25 08:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000354\maindata.sys
2009-06-23 10:06 . 2009-06-23 08:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000353\maindata.sys
2009-06-22 10:12 . 2009-06-22 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000352\maindata.sys
2009-06-19 10:08 . 2009-06-19 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000351\maindata.sys
2009-06-18 10:49 . 2009-06-18 08:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000350\maindata.sys
2009-06-16 10:22 . 2009-06-16 08:07 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000349\maindata.sys
2009-06-15 10:18 . 2009-06-15 08:07 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000348\maindata.sys
2009-06-13 04:27 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-13 04:27 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-11 21:18 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-11 11:02 . 2009-06-11 08:04 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000347\maindata.sys
2009-06-09 10:59 . 2009-06-09 08:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000346\maindata.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 00:28 . 2009-05-21 19:54 -------- d-----w- c:\program files\GE Security Supra
2009-07-09 00:26 . 2007-12-11 02:23 -------- d-----w- c:\program files\Weather Watcher
2009-07-08 23:11 . 2009-02-26 15:01 -------- d-----w- c:\users\Mike\AppData\Roaming\SolidDocuments
2009-07-08 16:08 . 2007-10-10 14:53 -------- d-----w- c:\programdata\Google Updater
2009-07-06 17:52 . 2009-06-20 17:50 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 17:52 . 2009-06-20 17:50 1630560 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 17:52 . 2009-06-20 17:50 2352968 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-06 03:28 . 2008-02-15 21:00 -------- d-----w- c:\users\Mike\AppData\Roaming\CoreFTP
2009-07-04 15:33 . 2007-10-08 21:09 75280 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-04 15:30 . 2009-02-26 18:28 -------- d-----w- c:\programdata\WebEx
2009-07-03 01:20 . 2009-04-11 20:43 -------- d-----w- c:\program files\Softomate
2009-07-03 01:19 . 2008-08-02 01:10 -------- d-----w- c:\programdata\Droppix
2009-07-03 01:08 . 2007-10-08 22:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 23:26 . 2009-05-08 15:51 34 ----a-w- c:\users\Mike\jagex_runescape_preferences.dat
2009-07-02 20:43 . 2007-10-16 00:41 -------- d-----w- c:\program files\Quark
2009-07-02 20:36 . 2008-02-04 20:33 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-02 20:30 . 2008-03-18 23:35 -------- d-----w- c:\program files\Transaction Viewer
2009-07-02 20:29 . 2009-02-06 04:28 -------- d-----w- c:\program files\Scan2Email
2009-07-02 20:24 . 2007-11-07 15:32 -------- d-----w- c:\program files\phelios
2009-07-02 20:15 . 2008-06-08 16:02 -------- d-----w- c:\users\Mike\AppData\Roaming\uTorrent
2009-07-02 20:05 . 2007-10-11 00:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-17 00:22 . 2009-06-17 00:22 2678 ----a-w- c:\windows\Java\Packages\Data\GJ53RNFF.DAT
2009-06-17 00:21 . 2009-06-17 00:21 2678 ----a-w- c:\windows\Java\Packages\Data\8OGIG5N9.DAT
2009-06-17 00:21 . 2009-06-17 00:21 2678 ----a-w- c:\windows\Java\Packages\Data\13RFTV5V.DAT
2009-06-17 00:21 . 2009-06-17 00:21 2678 ----a-w- c:\windows\Java\Packages\Data\0QQ2X31Z.DAT
2009-06-17 00:21 . 2009-06-17 00:21 2678 ----a-w- c:\windows\Java\Packages\Data\XFNB571R.DAT
2009-06-08 08:04 . 2009-06-08 10:49 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000345\maindata.sys
2009-06-07 08:04 . 2009-06-07 10:53 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000344\maindata.sys
2009-06-06 08:08 . 2009-06-06 10:41 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000343\maindata.sys
2009-06-04 08:02 . 2009-06-04 10:07 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000342\maindata.sys
2009-06-03 08:07 . 2009-06-03 10:56 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000341\maindata.sys
2009-06-01 17:51 . 2009-06-01 17:51 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 17:51 . 2009-02-07 18:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 08:05 . 2009-06-01 10:19 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000340\maindata.sys
2009-05-31 08:01 . 2009-05-31 10:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000339\maindata.sys
2009-05-29 08:01 . 2009-05-29 09:59 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000338\maindata.sys
2009-05-28 08:01 . 2009-05-28 10:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000337\maindata.sys
2009-05-26 08:03 . 2009-05-26 10:56 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000336\maindata.sys
2009-05-25 08:06 . 2009-05-25 10:32 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000335\maindata.sys
2009-05-23 08:01 . 2009-05-23 10:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000334\maindata.sys
2009-05-22 08:01 . 2009-05-22 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000333\maindata.sys
2009-05-21 20:00 . 2009-05-21 20:00 159744 ----a-w- c:\windows\system32\libssl32.dll
2009-05-21 19:58 . 2009-05-21 19:58 -------- d-----w- c:\program files\SiLabs
2009-05-20 08:02 . 2009-05-20 10:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000332\maindata.sys
2009-05-19 08:04 . 2009-05-19 10:08 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000331\maindata.sys
2009-05-17 08:03 . 2009-05-17 10:11 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000330\maindata.sys
2009-05-16 11:17 . 2009-05-16 11:17 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-16 08:06 . 2009-05-16 10:12 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000329\maindata.sys
2009-05-15 15:07 . 2009-05-15 15:07 -------- d-----w- c:\users\Mike\AppData\Roaming\j2 Global
2009-05-15 15:06 . 2009-05-15 15:04 -------- d-----w- c:\program files\eFax Messenger 4.4
2009-05-15 15:06 . 2009-05-15 15:06 -------- d-----w- c:\users\Mike\AppData\Roaming\eFax Messenger
2009-05-15 15:06 . 2009-05-15 15:06 -------- d-----w- c:\programdata\eFax Messenger 4.4 Output
2009-05-15 15:06 . 2009-05-15 15:06 -------- d-----w- c:\programdata\eFax Messenger 4.4 Setup
2009-05-13 10:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-13 08:01 . 2009-05-13 09:45 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000328\maindata.sys
2009-05-12 08:03 . 2009-05-12 10:33 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000327\maindata.sys
2009-05-10 08:01 . 2009-05-10 09:47 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000326\maindata.sys
2009-05-09 08:07 . 2009-05-09 10:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000325\maindata.sys
2009-05-09 05:50 . 2009-06-11 21:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 21:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-08 08:05 . 2009-05-08 09:51 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000324\maindata.sys
2009-05-06 08:03 . 2009-05-06 09:45 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000323\maindata.sys
2009-05-05 08:05 . 2009-05-05 09:53 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000322\maindata.sys
2009-04-28 08:02 . 2009-04-28 10:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000321\maindata.sys
2009-04-27 08:03 . 2009-04-27 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000320\maindata.sys
2009-04-25 17:50 . 2009-04-25 17:51 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-25 17:50 . 2009-04-25 17:50 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-25 08:05 . 2009-04-25 10:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000319\maindata.sys
2009-04-24 08:06 . 2009-04-24 10:21 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000318\maindata.sys
2009-04-23 12:43 . 2009-06-11 21:18 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 21:18 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 08:02 . 2009-04-22 10:08 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000317\maindata.sys
2009-04-21 08:03 . 2009-04-21 10:13 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000316\maindata.sys
2009-04-19 08:03 . 2009-04-19 09:59 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000315\maindata.sys
2009-04-18 08:01 . 2009-04-18 09:51 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000314\maindata.sys
2009-04-17 08:05 . 2009-04-17 10:24 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000313\maindata.sys
2009-04-16 08:04 . 2009-04-16 09:57 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000312\maindata.sys
2009-04-15 08:03 . 2009-04-15 10:00 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000311\maindata.sys
2009-04-14 08:02 . 2009-04-14 09:52 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000310\maindata.sys
2009-04-13 08:01 . 2009-04-13 09:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000309\maindata.sys
2009-04-12 08:01 . 2009-04-12 09:50 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000308\maindata.sys
2009-04-11 08:03 . 2009-04-11 10:09 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000307\maindata.sys
2009-04-11 04:34 . 2009-04-11 04:34 1915520 ----a-w- c:\users\Mike\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2007-09-24 1024000]
"HeavyWeatherPublisher"="c:\heavyweather\HeavyWeatherPublisher.exe" [2004-02-23 1302528]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-01 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
heavy weather.lnk - c:\heavyweather\heavy weather.exe [2008-5-29 781312]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-10-16 267520]
DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2009-5-21 102400]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-25 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1304129043-3560768821-2314269622-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EF30177E-832C-4FDC-BC0B-BC600980AD93}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{ACDE4EBC-2BFD-4F07-A787-4AD9F2DCD6ED}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"TCP Query User{06382373-B64E-4273-9A70-EE238908FC7F}c:\\heavyweather\\heavyweatherpublisher.exe"= UDP:c:\heavyweather\heavyweatherpublisher.exe:HeavyWeatherPublisher
"UDP Query User{D36987B9-453F-42E3-8418-A0D958E4ADFA}c:\\heavyweather\\heavyweatherpublisher.exe"= TCP:c:\heavyweather\heavyweatherpublisher.exe:HeavyWeatherPublisher
"{95A2EB96-0EA2-41E6-9EEB-30B1B89CEFB9}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{B88C1CED-D3D3-4375-9ABA-8F788E7BFA85}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{FCD8F623-A087-4669-A53B-F32FDF4FF627}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{169C5D8E-BCC9-4515-8FC0-A5404FF608F8}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{012F66A6-BA01-4529-81E4-DD53DDA8580D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A1908D85-57A5-4ECC-BC58-4AF0416FB4D6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6F15B34C-CE3D-486E-B0C3-5D6E98DC5521}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{16FBAFA9-5E2A-4FE6-95F8-7F705CF707F5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3664C764-F9A6-495E-A5EF-6608A8E160D3}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{631700FC-4863-4986-B7D0-F0D980218F4E}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{6BD418A9-B6D8-4998-82A0-1A4DFE10F393}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{21F3024E-E12C-4EED-A0B1-68226AD0622E}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{6DA64838-F3B8-4B49-9667-C93C051B8893}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{3F3273D3-45E2-4A0F-8F44-4F3FE11289E3}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/25/2009 10:51 AM 64160]
R2 CSHelper;CopySafe Helper Service;c:\windows\System32\CSHelper.exe [3/15/2009 6:58 PM 192512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/4/2007 11:31 AM 1153368]
R2 SPDFCreatorPlusReadSpool;SolidPDFPlusCreatorReadSpool;c:\windows\Installer\MSIF8BC.tmp [2/26/2009 8:00 AM 189696]
R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\Installer\MSIEE5E.tmp [2/26/2009 8:18 AM 189696]
S2 gupdate1c9bca6f4ea33cd;Google Update Service (gupdate1c9bca6f4ea33cd);c:\program files\Google\Update\GoogleUpdate.exe [4/13/2009 7:16 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 05:47]

2009-07-08 c:\windows\Tasks\GBM - Backup Job-Full.job
- c:\program files\Genie-Soft\GBMHome8\GBM8.exe [2007-10-08 12:28]

2009-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-10 06:07]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:15]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: superior-host.com
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
TCP: {30BBADAE-3AF0-48DB-BFFA-9AD645AF925A} = 208.67.220.220,208.67.222.222
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {0CE0F418-1010-442D-871C-3454827DD539} - hxxp://facefun.com/FaceFun_webinstall/FaceFun.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/i ... pysafe.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SPDFCreatorPlusReadSpool]
"ImagePath"="c:\windows\Installer\MSIF8BC.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SPDFToolsReadSpool]
"ImagePath"="c:\windows\Installer\MSIEE5E.tmp"
.
Completion time: 2009-07-09 17:51
ComboFix-quarantined-files.txt 2009-07-09 00:50
ComboFix2.txt 2009-01-20 23:56

Pre-Run: 65,305,288,704 bytes free
Post-Run: 65,407,528,960 bytes free

273 --- E O F --- 2009-07-07 07:58
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 9th, 2009, 11:10 am

Hello booboo,

Did you run ComboFix twice? The log you posted is from the second run. Please post the contents of C:\ComboFix2.txt from the first run.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: IE and Google redirects and slowness

Unread postby booboo » July 9th, 2009, 1:41 pm

I can't get the 1st run log.
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 10th, 2009, 9:52 pm

Hello booboo,

For Windows Vista, please right-click and select Run as administrator instead of double-clicking to run all the tools I ask you to, or they may not work properly.

There are a few entries in your HijackThis log that show some questionable behaviors and are open to debate as to whether they are good or bad. I would suggest that you remove them, but the decision is yours. They are listed below.

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Link to article.

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Link to article.

There are also quite a number of sites in the Trusted Zone, which you may have put there yourself. The Trusted Zone allows those sites to run with reduced security settings. This provides an opportunity for exploitation by malware, and you never know when a good site will get hacked. It is advisable not to place any more websites in the Trusted Zone in the future, and I will remove the existing ones as below.

Remove bad HijackThis entries
  • Open HijackThis. Please disable your real-time protection software.
  • Make sure you have closed all programs, windows and browsers.
  • Click Do a system scan only and check (tick) the following entries (if still present) :
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O15 - Trusted Zone: *.doccentral.com
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.getmedianow.com
    O15 - Trusted Zone: *.live.com
    O15 - Trusted Zone: *.rdesk.com
    O15 - Trusted Zone: *.rexplorer.net
    O15 - Trusted Zone: *.showingtime.com
    O15 - Trusted Zone: *.sitexdata.com
    O15 - Trusted Zone: *.spellchecker.net
    O15 - Trusted Zone: *.transactionpoint.com
    O15 - Trusted Zone: *.trpoint.com
    O15 - Trusted Zone: *.virtualearth.net


    You may check these too if you decide to remove them:
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll


  • Click Fix checked.
  • Exit HijackThis when completed.

Please download ATF (Atribune Temp File) Cleaner© by Atribune from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Run ATF Cleaner
  • Double-click ATF Cleaner.exe to open it.
  • Click Run if prompted.
  • At the bottom of the list, check (tick) Select All.
  • Note: If you would like to keep your cookies, please uncheck this option as it will remove all cookies, including the useful ones you may want to keep.
  • Then click the Empty Selected button.
  • Firefox:
    • Click Firefox at the top and choose: Select All. Uncheck the cookies option if you want to keep them.
    • Click the Empty Selected button.
    • Note: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Please download Rooter© by Eric_71 and save it to your desktop. Click here.

Run Rooter
  • Double-click on Rooter.exe to run the tool. Allow it if prompted by your security software.
  • Click on Scan to start scanning.
  • When completed, a Notepad file containing the report will open, also found at %systemdrive%\Rooter$\Rooter_#.txt. %systemdrive% is usually C:\ and # is a number.
  • Please post the contents of that report here.

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
  • Click here to go to ESET Online Scanner page.
  • Click on ESET Online Scanner. A new window will open.
    For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double-click on it to install and a new window will open.
  • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
  • You will be prompted to install an ActiveX Control from ESET. Please install.
  • At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
  • Now, click on Advanced settings and make sure all these are checked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Scan to proceed.
  • Click Finish and close the window.
  • Navigate to C:\Program Files\ESET\ESET Online Scanner using Windows Explorer and look for log.txt.
  • Post the contents of log.txt in your reply.

Please post back:
1. Rooter result
2. ESET online scan report
3. new HijackThis log
4. how is your computer running now? Any more problems?
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia
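The post above works through a HijackThis log by section code: O15 Trusted Zone entries, the O17 NameServer line, O6 policy restrictions, and O23 services with no publisher or an odd image path. The script below is an added example (not from the thread, from HijackThis, or from Trend Micro) that automates that first pass over HJT entry lines. It assumes the OpenDNS addresses shown in the posted O17 line are the resolvers the owner expects; the sample input is excerpted from the log posted above, plus one constructed O17 line (an all-zero GUID and the documentation address 192.0.2.53) so the rogue-resolver check has something to flag.

```python
"""Triage a HijackThis (HJT) log for the settings a malware-removal helper
checks first. Added example for this thread; not HijackThis's own code.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Resolvers expected on this machine. The posted O17 line shows OpenDNS, so
# that is the allow-list here (an assumption); anything else is flagged.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

HJT_LINE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs))", re.I)
STANDARD_DIR = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\")
TEMP_MSI = re.compile(r"\\installer\\msi[0-9a-f]+\.tmp$", re.I)


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O15"
    severity: str  # high / medium / low / info
    item: str      # the domain, path or server list the finding is about
    reason: str


def parse_hjt(text):
    """Yield (section, body) for each HJT entry line; headers and the
    process list do not match and are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    findings = []
    for code, body in parse_hjt(text):
        if code == "O15" and "Trusted Zone:" in body:
            domain = body.split("Trusted Zone:", 1)[1].strip()
            findings.append(Finding("O15", "medium", domain,
                                    "site runs with the relaxed Trusted sites zone settings"))
        elif code == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", body)
            if m:
                servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
                unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
                reason = ("unexpected DNS server(s): " + ",".join(unknown)
                          if unknown else "resolvers match the expected list")
                findings.append(Finding("O17", "high" if unknown else "info",
                                        ",".join(servers), reason))
        elif code == "O6":
            findings.append(Finding("O6", "medium", body,
                                    "IE policy restriction set; malware uses these to lock settings"))
        elif code == "O23":
            # O23 - Service: <display name> (<short name>) - <owner> - <image path>
            # maxsplit=2 keeps a " - " inside the image path (e.g. Spybot - Search & Destroy).
            parts = body.split(" - ", 2)
            if len(parts) == 3:
                _name, owner, path = parts
                if owner.strip().lower() == "unknown owner":
                    findings.append(Finding("O23", "medium", path,
                                            "service binary has no publisher"))
                if TEMP_MSI.search(path):
                    findings.append(Finding("O23", "medium", path,
                                            "service runs from a temporary MSI file"))
        elif code == "O4":
            m = PATH_RE.search(body)
            if m and not STANDARD_DIR.match(m.group(1).lower()):
                findings.append(Finding("O4", "low", m.group(1),
                                        "autorun outside Program Files / Windows"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 5, ...}."""
    return dict(Counter(f.severity for f in findings))


# Excerpted from the log posted in this thread, plus one constructed O17 line
# (all-zero GUID, 192.0.2.53) to exercise the rogue-resolver check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.live.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.item} ({f.reason})")
    print(summarize(results))
```

Run it against a saved hijackthis.log by reading the file into triage() instead of SAMPLE_LOG. The O17 check is the one that matters most for a "Google redirects" complaint: a resolver you did not choose explains redirects without any browser component showing up in the log.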

Re: IE and Google redirects and slowness

Unread postby booboo » July 11th, 2009, 11:20 am

The ESET scanner did not give me a report. I did clean 6 items though.


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.6001.18783
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:149 Go - Free:59 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
J:\ [Removable]
K:\ [Removable]
P:\ [Network] .. ( Total:149 Go - Free:117 Go )
.
Scan : 19:54.57
Path : C:\Users\Mike\Desktop\Rooter.exe
User : Mike ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (384)
______ C:\Windows\system32\csrss.exe (524)
______ C:\Windows\system32\wininit.exe (568)
______ C:\Windows\system32\csrss.exe (580)
______ C:\Windows\system32\services.exe (612)
______ C:\Windows\system32\lsass.exe (628)
______ C:\Windows\system32\lsm.exe (640)
______ C:\Windows\system32\winlogon.exe (672)
______ C:\Windows\system32\svchost.exe (848)
______ C:\Windows\system32\svchost.exe (904)
______ C:\Windows\System32\svchost.exe (940)
______ C:\Windows\System32\svchost.exe (1036)
______ C:\Windows\System32\svchost.exe (1120)
______ C:\Windows\system32\svchost.exe (1148)
Locked audiodg.exe (1208)
______ C:\Windows\system32\svchost.exe (1236)
______ C:\Windows\system32\SLsvc.exe (1252)
______ C:\Windows\system32\svchost.exe (1308)
______ C:\Windows\system32\svchost.exe (1488)
______ C:\Windows\System32\spoolsv.exe (1684)
______ C:\Windows\system32\svchost.exe (1708)
______ C:\Windows\system32\taskeng.exe (516)
______ C:\Windows\system32\Dwm.exe (632)
______ C:\Windows\system32\taskeng.exe (1244)
______ C:\Windows\Explorer.EXE (1504)
______ C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (532)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1200)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1828)
______ C:\Windows\system32\CSHelper.exe (2000)
______ c:\program files\ge security supra\syncservice.exe (584)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (2184)
______ C:\Windows\system32\svchost.exe (2324)
______ C:\Windows\Installer\MSIF8BC.tmp (2360)
______ C:\Windows\Installer\MSIEE5E.tmp (2424)
______ C:\Windows\system32\svchost.exe (2468)
______ C:\Windows\System32\svchost.exe (2596)
______ C:\Windows\system32\SearchIndexer.exe (2676)
______ C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (2796)
______ C:\Windows\system32\WUDFHost.exe (3152)
______ C:\Program Files\GE Security Supra\ProxyDaemon.exe (3232)
______ C:\SSL\stunnel-4.10.exe (3264)
______ C:\Windows\System32\mobsync.exe (3576)
______ C:\Windows\System32\hkcmd.exe (3620)
______ C:\Windows\System32\igfxpers.exe (3676)
______ C:\Program Files\iTunes\iTunesHelper.exe (3712)
______ C:\Program Files\Java\jre6\bin\jusched.exe (3760)
______ C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (3972)
______ C:\Program Files\Weather Watcher\ww.exe (3980)
______ C:\HeavyWeather\HeavyWeatherPublisher.exe (4080)
______ C:\Windows\system32\igfxsrvc.exe (2268)
______ C:\Windows\ehome\ehtray.exe (2264)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (408)
______ C:\Program Files\GE Security Supra\SyncInfoApp.exe (2640)
______ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (1080)
______ C:\HeavyWeather\heavy weather.exe (1088)
______ C:\Windows\ehome\ehmsas.exe (2668)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (3560)
______ C:\Program Files\iPod\bin\iPodService.exe (2972)
______ C:\Program Files\Internet Explorer\iexplore.exe (2984)
______ C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe (4460)
______ C:\Program Files\Internet Explorer\iexplore.exe (2016)
______ C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe (5992)
______ C:\Program Files\Internet Explorer\iexplore.exe (1604)
______ C:\Windows\system32\SearchProtocolHost.exe (2956)
______ C:\Program Files\Internet Explorer\iexplore.exe (4192)
______ C:\Windows\system32\SearchFilterHost.exe (5484)
______ C:\Windows\system32\SearchProtocolHost.exe (4208)
______ C:\Users\Mike\Desktop\Rooter.exe (4468)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:160038912000)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Ad-Aware Update (Weekly).job
C:\Windows\Tasks\GBM - Backup Job-Full.job
C:\Windows\Tasks\Google Software Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 19:55.18
.
C:\Rooter$\Rooter_1.txt - (10/07/2009 | 19:55.18)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:59 AM, on 7/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Weather Watcher\ww.exe
C:\HeavyWeather\HeavyWeatherPublisher.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\HeavyWeather\heavy weather.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: heavy weather.lnk = C:\HeavyWeather\heavy weather.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.fnismls.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://samls.fnismls.com/Paragon/Codeba ... ontrol.cab
O16 - DPF: {0CE0F418-1010-442D-871C-3454827DD539} - http://facefun.com/FaceFun_webinstall/FaceFun.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resourc ... den-us.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins5/i ... pysafe.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.pyramidreo.com/ImageUploader4.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://pro.realquest.com/mapviewer/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bca6f4ea33cd) (gupdate1c9bca6f4ea33cd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIEE5E.tmp

--
End of file - 8879 bytes
booboo
Active Member
 
Posts: 10
Joined: July 2nd, 2009, 2:54 pm

Re: IE and Google redirects and slowness

Unread postby Jack&Jill » July 11th, 2009, 11:16 pm

Hello booboo,

For Windows Vista, please right-click and select Run as administrator instead of double-clicking to run all the tools I ask you to, or they may not work properly.

Remove bad HijackThis entries
  • Open HijackThis. Please disable your real-time protection software.
  • Make sure you have closed all programs, windows and browsers.
  • Click Do a system scan only and check (tick) the following entries (if still present) :
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O15 - Trusted Zone: *.fnismls.com

  • Click Fix checked.
  • Exit HijackThis when completed.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Run ComboFix script
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here.
  • Open Notepad. Copy and paste the following text into it:
    Folder::
    c:\users\Mike\AppData\Roaming\uTorrent
    c:\program files\uTorrent\

  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).

    [screenshot]
  • Referring to the screenshot above, drag CFScript.txt onto boobooCF.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.

Do not mouse click on ComboFix while it is running. That may cause it to stall.

The ESET scan log is located at C:\Program Files\ESET\ESET Online Scanner\log.txt. You must have overlooked it. Please post the contents of this log as I need to know what was removed.

You also did not mention how your computer is behaving now. Any more problems?

Please post back:
1. ComboFix log
2. ESET online scan report
3. how is your computer running now? Any more problems?
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia