Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Firefox & IE 7 Search Redirects Plus other Odd Stuff

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by melboy » July 31st, 2010, 6:57 pm

Hi Steve

Give me an update on how things are running. Are you still being re-directed?



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: [button image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: [button image] (Selecting Uninstall application on close if you so wish)
  • Re-enable your currently installed anti-virus
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by Steve001 » August 1st, 2010, 10:31 am

I already had TFC from your previous instruction to download, so I ran that immediately. Updated MBA before scanning. As for redirects, all appears well. I like ESET online scanner. I decided to keep it installed.

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4377

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/1/2010 10:28:48 AM
mbam-log-2010-08-01 (10-28-48).txt

Scan type: Quick scan
Objects scanned: 150844
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

# antistealth_checked=true
# utc_time=2010-08-01 03:47:57
# local_time=2010-08-01 11:47:57 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 8231689 8231689 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 100 62 0 2438457 0 0
# scanned=89546
# found=10
# cleaned=10
# scan_time=3698
C:\Qoobox\32788R22FWJFW\ftdisk.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\deborah\Application Data\028C0CA68054239B315BD294733F9D4E\appmodule719.exe.vir Win32/Adware.AntimalwareDoctor application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248649.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248656.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248658.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP204\A0291031.exe a variant of Win32/Kryptik.FRN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP204\A0291097.exe a variant of Win32/Kryptik.FQS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP206\A0291399.exe a variant of Win32/Kryptik.FRN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP207\A0294237.exe Win32/Adware.AntimalwareDoctor application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP207\A0297173.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
Steve001
Regular Member
Posts: 57
Joined: April 17th, 2010, 1:59 pm

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by melboy » August 1st, 2010, 6:14 pm

Hi Steve

RE: ESET scan
melboy wrote:Make sure that the option Remove found threats is NOT checked
Not that it matters much now, but you ran it with "Remove found threats" checked.
# scanned=89546
# found=10
# cleaned=10
As all antivirus scanners do from time to time, it could have falsely detected legitimate files as being infected. That is why we ask you to run it without it automatically removing found threats.


I want you to upload the file spider.exe again. How you attempted to do it last time didn't work.
Follow the instructions below to manually browse to the file.


Check a file
  • Go to VirusTotal
  • Click Browse...
  • When the "Choose File to upload" dialogue box opens, click "My Computer" to the left and manually navigate to the folder: C:\Program Files
  • Locate Spider.exe and click on it to highlight it.
  • Click Open.
  • On the VirusTotal page, click Send File, and the file will upload to VirusTotal where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File has already been analyzed, click Reanalyze file Now.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
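An added example (not part of the thread, and not ESET's or MRU's code): a short Python script that parses the ESET log Steve posted above and sorts each detection by where the file was found. It goes one step beyond melboy's false-positive point: "found=10 / cleaned=10" says nothing about whether anything was still live, and here all ten hits sit in inert locations, eight inside System Restore snapshots (C:\System Volume Information\_restore{...}) and two under C:\Qoobox, the folder ComboFix keeps its quarantine and working files in. The regex for the line format and the location labels are my own assumptions, based only on the lines as shown.

```python
import re
from collections import Counter

# Constructed sample: the ESET Online Scanner log posted above, header lines
# plus the ten detection lines, copied verbatim.
SAMPLE_LOG = r"""# antistealth_checked=true
# scanned=89546
# found=10
# cleaned=10
# scan_time=3698
C:\Qoobox\32788R22FWJFW\ftdisk.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\deborah\Application Data\028C0CA68054239B315BD294733F9D4E\appmodule719.exe.vir Win32/Adware.AntimalwareDoctor application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248649.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248656.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP182\A0248658.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP204\A0291031.exe a variant of Win32/Kryptik.FRN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP204\A0291097.exe a variant of Win32/Kryptik.FQS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP206\A0291399.exe a variant of Win32/Kryptik.FRN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP207\A0294237.exe Win32/Adware.AntimalwareDoctor application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP207\A0297173.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <threat name> (<action>) <md5> <flag>.  Both the
# path and the threat name contain spaces, so the path is matched lazily and
# the threat name is anchored on its "Family/Name kind" shape.  Assumed format.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of )?\S+/\S+ \S+)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)

# Location classes are my labels, not ESET's.  System Restore snapshots and
# ComboFix's quarantine/working folder (C:\Qoobox) hold copies that are not
# executed from there; anything else counts as a live location.
LOCATION_PREFIXES = (
    ("restore point copy", "c:\\system volume information\\_restore{"),
    ("combofix quarantine copy", "c:\\qoobox\\quarantine\\"),
    ("combofix working folder", "c:\\qoobox\\"),
)


def classify_location(path):
    """Map a detection path to a location class; anything else is 'live location'."""
    lowered = path.lower()
    for label, prefix in LOCATION_PREFIXES:
        if lowered.startswith(prefix):
            return label
    return "live location"


def parse_log(text):
    """Return (header dict, list of detection dicts) for an ESET log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        match = DETECTION_RE.match(line)
        if match is None:
            raise ValueError("unrecognised log line: " + line)
        record = match.groupdict()
        record["location"] = classify_location(record["path"])
        detections.append(record)
    return header, detections


def triage(text):
    """Summarise a log: hits per location class, live hits, and a header cross-check."""
    header, detections = parse_log(text)
    by_location = Counter(d["location"] for d in detections)
    live = [d["path"] for d in detections if d["location"] == "live location"]
    return {
        "found_claimed": int(header.get("found", "0")),
        "found_parsed": len(detections),
        "by_location": dict(by_location),
        "live": live,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for label, count in sorted(summary["by_location"].items()):
        print(f"{count:3d}  {label}")
    print("live hits:", summary["live"] or "none")
```

A hit that lands in "live location" is the one to look at first. The other classes are worth keeping for the record, since they show what was on the machine before earlier cleaning, but removing them is housekeeping rather than disinfection, and a false positive in a restore point costs nothing.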

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by Steve001 » August 1st, 2010, 8:37 pm

I just took a look under Program Files and I don't see spider.exe. The closest I come is a program called Spider, a Hidden URL inspector by Ward van Wanrooij - 1999. I then did a search for it and came up empty-handed. Where's a safe place to acquire this executable from?
Steve001
Regular Member
Posts: 57
Joined: April 17th, 2010, 1:59 pm

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by melboy » August 2nd, 2010, 8:00 am

Hi Steve

Steve001 wrote:The closest I come is a program called Spider, a Hidden URL inspector by Ward van Wanrooij - 1999


That's the one. That's enough information for me to make a positive ID. If you're happy with it, then so am I.



Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.3 to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 7.0.8
  • Install the new downloaded updated software.
  • Then using the internal updater update the software to the current increment 9.3.3
    • Open Adobe Reader go to > Help > Check for updates and allow the updater to check.
    • If updates are found click Show Details and check the boxes to click to download and install any necessary updates.



Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u21-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 20
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.

  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
    RSIT will start running. When done, only "C:\RSIT\log.txt" will be produced (it will be maximized).
  • Please post only the "log.txt" file contents in your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by Steve001 » August 2nd, 2010, 9:05 am

melboy wrote:I want you to upload the file spider.exe again. How you attempted to do it last time didn't work.

I'm confused. Are we talking about the same spider.exe? I ask because there is the Spider.exe [389 KB (398,848 bytes)] program, a program I downloaded and transferred from my old PC when I bought this PC a few years ago, which I'm using now, and there's this spider.exe [C:\Windows\System32] which is a Microsoft process [ http://www.file.net/process/spider.exe.html ]?

Reinstalled new versions of Adobe and Sun Java
Steve001
Regular Member
Posts: 57
Joined: April 17th, 2010, 1:59 pm

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by melboy » August 2nd, 2010, 12:24 pm

Hi Steve
Steve001 wrote:Are we talking about the same spider.exe. I ask because there is the Spider.exe [389 KB (398,848 bytes) ] program.

Yes. That is the one I was referring to and the one that shows in your logs. I was suspicious of it because of the date/time stamp, the fact that it was a lone executable in the Program Files folder, and the fact that there is a legitimate Microsoft file with the same name in the System32 folder. All that considered, it bears the hallmarks of a possible malware-related file, which is the reason I wanted to check it out. Malware likes to drop files on your system that are similarly named to legitimate files in an attempt to avoid detection. When that happens, one clue that it isn't really the real file is sometimes that it is found in a location where it shouldn't be.
2010-05-04 17:20 . 2005-08-16 08:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 08:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 08:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-03 13:05 . 2009-12-07 15:09 10752 ----a-w- c:\windows\DCEBoot.exe
2007-03-17 17:41 . 2006-10-04 16:31 825 ----a-w- c:\program files\Shortcut to HijackThis.lnk
1999-05-11 20:47 . 2006-10-06 15:39 398848 ----a-w- c:\program files\Spider.exe
2008-01-30 21:37 . 2007-03-17 02:45 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
With that date (1999), it sticks out like a sore thumb. However, with the further information you provided about it, I'm quite happy it's a legitimate file, so there is no need to upload it to have it checked out. :)


Continue with the instructions to re-run RSIT and if you are having no more problems, then we should be just about done.


Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.

  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
    RSIT will start running. When done, only "C:\RSIT\log.txt" will be produced (it will be maximized).
  • Please post only the "log.txt" file contents in your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
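melboy's three tells (an out-of-line timestamp, a lone executable in the root of Program Files, and a name shared with a file that legitimately lives in System32) are exactly the kind of thing that can be scripted over a file listing. The block below is an added example, not code from the thread or from ComboFix or RSIT: it parses the listing lines quoted above and flags any entry that trips one of the three heuristics. The regex for the listing format, the small table of Windows binary names with their expected directories, and the five-year timestamp threshold are my assumptions for illustration. A hit is a reason to check the file (vendor, signer, hash lookup), not a verdict, which is the same conclusion melboy reaches for Spider.exe.

```python
import ntpath
import re
import statistics

# Constructed sample: the seven listing lines quoted in the post above.
# Each line is: <timestamp 1> . <timestamp 2> <size> <attributes> <path>.
SAMPLE_LISTING = r"""
2010-05-04 17:20 . 2005-08-16 08:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 08:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 08:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-03 13:05 . 2009-12-07 15:09 10752 ----a-w- c:\windows\DCEBoot.exe
2007-03-17 17:41 . 2006-10-04 16:31 825 ----a-w- c:\program files\Shortcut to HijackThis.lnk
1999-05-11 20:47 . 2006-10-06 15:39 398848 ----a-w- c:\program files\Spider.exe
2008-01-30 21:37 . 2007-03-17 02:45 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

# Assumed line format; the path is the remainder of the line and may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)

# Constructed subset of binaries that legitimately live in the Windows tree on
# XP, keyed by lower-case name.  spider.exe is the Spider Solitaire game in
# system32, the namesake melboy refers to.
SYSTEM_BINARIES = {
    "spider.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}
PROGRAM_FILES = r"c:\program files"


def parse_listing(text):
    """Parse listing lines into dicts; blank lines are skipped, bad lines raise."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError("unrecognised listing line: " + line)
        entry = match.groupdict()
        entry["size"] = int(entry["size"])
        entry["year"] = int(entry["ts1"][:4])
        entries.append(entry)
    return entries


def suspicious_entries(entries, outlier_years=5):
    """Return {path: [reasons]} for entries that trip any of the three heuristics."""
    median_year = statistics.median(e["year"] for e in entries)
    flagged = {}
    for entry in entries:
        path = entry["path"]
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        ext = ntpath.splitext(name)[1]
        reasons = []
        # 1. An executable sitting directly in Program Files, rather than in a
        #    vendor sub-folder, is unusual for installed software.
        if ext in EXECUTABLE_EXTENSIONS and parent == PROGRAM_FILES:
            reasons.append("lone executable directly under Program Files")
        # 2. Same name as a Windows binary but a different directory: the
        #    look-alike placement melboy describes.
        expected = SYSTEM_BINARIES.get(name)
        if expected is not None and parent != expected:
            reasons.append(f"shares its name with {expected}\\{name} but lives elsewhere")
        # 3. A timestamp far out of line with the rest of the listing.
        gap = int(median_year - entry["year"])
        if gap >= outlier_years:
            reasons.append(f"timestamp year {entry['year']} is {gap} years older "
                           f"than the listing's median ({int(median_year)})")
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in suspicious_entries(parse_listing(SAMPLE_LISTING)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, only c:\program files\Spider.exe is flagged, and it trips all three checks; wininet.dll and friends sit where they belong, and the 2007 and 2008 entries are within the timestamp threshold. The timestamp check is deliberately relative to the listing rather than to a fixed date, since a fresh install and a machine that has been upgraded for years have very different "normal" years.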

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Post by Steve001 » August 2nd, 2010, 3:34 pm

I should have added this about Spiderbite.exe. It was mentioned as a worthwhile download on a now defunct tv show called The Screen Savers a show I still miss to this day.

Logfile of random's system information tool 1.06 (written by random/random)
Run by steve at 2010-08-02 15:34:19
Microsoft Windows XP Professional Service Pack 3
System drive C: has 38 GB (53%) free of 71 GB
Total RAM: 2046 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:24 PM, on 8/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\steve\Start Menu\Programs\Startup\Update Tool Notifier.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\steve\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\steve.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=6060927
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Update Tool Notifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 4893 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2810448116-9971513-1748473005-1006Core.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D72956-317C-44bd-B369-8E44D4EF9801}]
SafeOnline BHO - C:\WINDOWS\system32\PxSecure.dll [2010-07-07 68120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
ZoneAlarm Security Engine Registrar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2010-05-26 591336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - ZoneAlarm Security Engine - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2010-05-26 591336]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-02-10 282624]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"tgcmd"=C:\Program Files\support.com\bin\tgcmd.exe [2002-04-24 1544192]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2010-06-23 1043968]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
C:\Dell\DellHelp\DellHelp.exe [2004-04-01 1589248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-11 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe [2003-02-12 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [2010-05-26 730600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe [2002-10-08 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2003-05-08 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2
"iPod Service"=3
"Fax"=2
"Bonjour Service"=2
"Apple Mobile Device"=2
"CCALib8"=2
"JavaQuickStarterService"=2
"Lavasoft Ad-Aware Service"=2
"MDM"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe

C:\Documents and Settings\steve\Start Menu\Programs\Startup
Update Tool Notifier.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\support.com\bin\tgcmd.exe"="C:\Program Files\support.com\bin\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\WEB Framework\wbfrmwrk.exe"="C:\Program Files\WEB Framework\wbfrmwrk.exe:*:Enabled:WEBFramework"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 2 months======

2010-08-02 09:23:22 ----D---- C:\WINDOWS\hsperfdata_steve
2010-08-02 09:21:45 ----D---- C:\Documents and Settings\steve\Application Data\updatetool
2010-08-02 09:18:13 ----D---- C:\glassfishv3
2010-08-02 09:08:26 ----SHD---- C:\Config.Msi
2010-08-01 10:43:28 ----D---- C:\Program Files\ESET
2010-08-01 10:32:35 ----SHD---- C:\RECYCLER
2010-07-31 13:11:29 ----A---- C:\ComboFix.txt
2010-07-31 07:54:52 ----D---- C:\_OTM
2010-07-29 23:52:18 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-07-29 23:52:03 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-07-29 23:52:03 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-07-29 23:51:58 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-07-29 23:51:57 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-07-29 23:51:57 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-07-29 23:51:57 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-07-29 23:51:57 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-07-29 23:50:03 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-07-29 23:50:03 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-07-29 23:50:03 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-07-29 23:44:10 ----D---- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
2010-07-16 09:09:33 ----D---- C:\WINDOWS\ie7updates
2010-07-16 09:08:10 ----D---- C:\WINDOWS\WBEM
2010-07-16 09:06:53 ----HDC---- C:\WINDOWS\ie7
2010-07-16 09:06:41 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2010-07-16 09:06:15 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2010-07-14 17:37:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2010-07-14 17:37:01 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$
2010-07-14 17:36:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-07-14 16:32:21 ----D---- C:\WINDOWS\Prefetch
2010-07-14 10:49:54 ----HDC---- C:\WINDOWS\$NtUninstallKB982381$
2010-07-14 10:49:37 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-07-14 10:49:21 ----HDC---- C:\WINDOWS\$NtUninstallKB980218$
2010-07-14 10:49:04 ----HDC---- C:\WINDOWS\$NtUninstallKB980182$
2010-07-14 10:48:46 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-07-14 10:48:26 ----HDC---- C:\WINDOWS\$NtUninstallKB979559$
2010-07-14 10:48:11 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-07-14 10:47:55 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-07-14 10:47:41 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-07-14 10:47:25 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-07-14 10:47:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-07-14 10:46:55 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-07-14 10:46:38 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-07-14 10:46:23 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-07-14 10:46:06 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-07-14 10:45:51 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-07-14 10:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-07-14 10:45:20 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-07-14 10:45:05 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-07-14 10:44:50 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-07-14 10:44:35 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-07-14 10:44:19 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-07-14 10:44:04 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-07-14 10:43:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-07-14 10:43:33 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-07-14 10:43:18 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-07-14 10:43:02 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-07-14 10:42:47 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-07-14 10:42:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-07-14 10:42:16 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-07-14 10:42:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-07-14 10:41:46 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-07-14 10:41:32 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-07-14 10:41:14 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-07-14 10:40:58 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-07-14 10:40:43 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-07-14 10:40:25 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-07-14 10:40:03 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-07-14 10:39:33 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-07-14 10:38:50 ----HDC---- C:\WINDOWS\$NtUninstallKB982381_1$
2010-07-14 10:38:03 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2010-07-14 10:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-07-14 10:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2010-07-14 10:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2010-07-14 10:36:38 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-07-14 10:36:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-07-14 10:36:05 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-07-14 10:35:50 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-07-14 10:35:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2010-07-14 10:35:18 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-07-14 10:35:01 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-07-14 10:34:46 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2010-07-14 10:34:31 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-07-14 10:34:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-07-14 10:33:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-07-14 10:33:39 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-07-14 10:33:18 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-07-14 10:33:01 ----HDC---- C:\WINDOWS\$NtUninstallKB973687_1$
2010-07-14 10:32:46 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-07-14 10:32:28 ----HDC---- C:\WINDOWS\$NtUninstallKB974112_1$
2010-07-14 10:32:13 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2010-07-14 10:31:58 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-07-14 10:31:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-07-14 10:31:27 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-07-14 10:31:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-07-14 10:30:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-07-14 10:30:39 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-07-14 10:30:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-07-14 10:30:07 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-07-14 10:29:51 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2010-07-14 10:29:37 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2010-07-14 10:29:20 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-07-14 10:29:04 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-07-14 10:24:06 ----D---- C:\WINDOWS\system32\scripting
2010-07-14 10:24:05 ----D---- C:\WINDOWS\system32\en
2010-07-14 10:24:05 ----D---- C:\WINDOWS\system32\bits
2010-07-14 10:24:05 ----D---- C:\WINDOWS\l2schemas
2010-07-14 10:18:50 ----D---- C:\WINDOWS\network diagnostic
2010-07-14 10:13:48 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2010-07-14 08:39:09 ----HDC---- C:\WINDOWS\$NtUninstallKB980218_0$
2010-07-14 08:36:35 ----HDC---- C:\WINDOWS\$NtUninstallKB979904$
2010-07-14 08:35:52 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-07-14 08:34:44 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593_0$
2010-07-14 08:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB981793$
2010-07-14 08:27:52 ----HDC---- C:\WINDOWS\$NtUninstallKB979559_0$
2010-07-14 08:27:11 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-07-14 08:27:02 ----HDC---- C:\WINDOWS\$NtUninstallKB979482_0$
2010-07-14 08:26:45 ----HDC---- C:\WINDOWS\$NtUninstallKB975562_0$
2010-07-14 08:19:19 ----HDC---- C:\WINDOWS\$NtUninstallKB982381_0$
2010-07-11 10:37:42 ----D---- C:\Documents and Settings\steve\Application Data\Malwarebytes
2010-07-11 10:37:29 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-07-07 17:43:51 ----D---- C:\Documents and Settings\steve\Application Data\CheckPoint
2010-07-07 17:38:38 ----D---- C:\Program Files\CheckPoint

======List of files/folders modified in the last 2 months======

2010-08-02 15:34:14 ----D---- C:\WINDOWS\Internet Logs
2010-08-02 14:39:35 ----D---- C:\WINDOWS\Temp
2010-08-02 14:39:35 ----D---- C:\WINDOWS\Registration
2010-08-02 14:39:30 ----D---- C:\WINDOWS
2010-08-02 10:36:21 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2010-08-02 10:36:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-08-02 09:12:49 ----SHD---- C:\WINDOWS\Installer
2010-08-02 09:12:49 ----D---- C:\Program Files\Common Files
2010-08-02 09:12:18 ----D---- C:\WINDOWS\system32
2010-08-02 09:11:44 ----D---- C:\Program Files\Java
2010-08-02 08:37:22 ----RASH---- C:\boot.ini
2010-08-02 08:37:22 ----A---- C:\WINDOWS\win.ini
2010-08-02 08:37:22 ----A---- C:\WINDOWS\system.ini
2010-08-02 07:52:04 ----D---- C:\WINDOWS\system32\CatRoot2
2010-08-01 20:34:47 ----D---- C:\Program Files
2010-08-01 13:38:53 ----D---- C:\Program Files\Ahead
2010-07-31 13:11:32 ----D---- C:\Qoobox
2010-07-31 13:07:06 ----D---- C:\WINDOWS\system32\drivers
2010-07-31 13:07:06 ----D---- C:\WINDOWS\AppPatch
2010-07-31 13:00:18 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2010-07-31 09:23:04 ----SD---- C:\WINDOWS\Tasks
2010-07-31 08:50:28 ----D---- C:\Program Files\Panda Security
2010-07-31 08:15:29 ----D---- C:\Documents and Settings\steve\Application Data\QuickScan
2010-07-29 23:57:01 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-07-29 07:58:59 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-07-29 07:58:55 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-07-28 17:03:49 ----HDC---- C:\WINDOWS\$NtUninstallKB900725$
2010-07-28 17:03:17 ----A---- C:\WINDOWS\ntbtlog.txt
2010-07-25 11:19:31 ----D---- C:\WINDOWS\system32\FxsTmp
2010-07-23 22:14:46 ----D---- C:\Program Files\Mozilla Firefox
2010-07-23 19:30:40 ----D---- C:\WINDOWS\system32\wbem
2010-07-23 19:30:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-07-21 15:58:46 ----D---- C:\WINDOWS\pchealth
2010-07-21 08:23:23 ----HD---- C:\WINDOWS\inf
2010-07-21 08:05:49 ----D---- C:\WINDOWS\WinSxS
2010-07-21 00:19:18 ----RD---- C:\WINDOWS\Offline Web Pages
2010-07-21 00:15:33 ----HDC---- C:\WINDOWS\$NtUninstallKB963027_0$
2010-07-20 00:25:40 ----D---- C:\WINDOWS\security
2010-07-20 00:21:27 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-07-18 12:37:16 ----A---- C:\WINDOWS\OEWABLog.txt
2010-07-17 12:20:14 ----A---- C:\WINDOWS\UnitConverter.ini
2010-07-17 09:32:56 ----D---- C:\WINDOWS\system32\CatRoot
2010-07-17 09:32:37 ----D---- C:\WINDOWS\system32\dllcache
2010-07-17 09:31:11 ----HD---- C:\WINDOWS\$hf_mig$
2010-07-16 15:39:33 ----D---- C:\WINDOWS\Help
2010-07-16 15:39:33 ----D---- C:\Program Files\Internet Explorer
2010-07-16 09:09:54 ----A---- C:\WINDOWS\imsins.BAK
2010-07-16 09:09:44 ----D---- C:\WINDOWS\system32\en-US
2010-07-16 09:08:18 ----D---- C:\WINDOWS\system32\config
2010-07-16 09:08:03 ----D---- C:\WINDOWS\Media
2010-07-15 20:38:38 ----D---- C:\WINDOWS\Microsoft.NET
2010-07-15 20:33:05 ----RSD---- C:\WINDOWS\assembly
2010-07-15 08:51:55 ----D---- C:\Documents and Settings\steve\Application Data\Canon
2010-07-14 17:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-07-14 16:33:14 ----A---- C:\WINDOWS\setuplog.txt
2010-07-14 16:30:39 ----D---- C:\WINDOWS\system32\Setup
2010-07-14 16:30:37 ----RSD---- C:\WINDOWS\Fonts
2010-07-14 10:47:12 ----D---- C:\Program Files\Outlook Express
2010-07-14 10:45:37 ----D---- C:\Program Files\Movie Maker
2010-07-14 10:29:52 ----D---- C:\Program Files\Messenger
2010-07-14 10:24:16 ----D---- C:\WINDOWS\system32\inetsrv
2010-07-14 10:24:16 ----D---- C:\WINDOWS\ime
2010-07-14 10:24:06 ----D---- C:\WINDOWS\system32\usmt
2010-07-14 10:24:05 ----D---- C:\WINDOWS\PeerNet
2010-07-14 10:21:42 ----D---- C:\WINDOWS\ServicePackFiles
2010-07-14 10:21:22 ----D---- C:\WINDOWS\system32\Restore
2010-07-14 10:21:22 ----D---- C:\WINDOWS\system32\npp
2010-07-14 10:21:22 ----D---- C:\WINDOWS\mui
2010-07-14 10:21:19 ----D---- C:\WINDOWS\msagent
2010-07-14 10:21:16 ----D---- C:\WINDOWS\srchasst
2010-07-14 10:21:15 ----D---- C:\Program Files\NetMeeting
2010-07-14 10:21:11 ----D---- C:\WINDOWS\system32\Com
2010-07-14 10:21:04 ----D---- C:\Program Files\Windows NT
2010-07-14 10:20:58 ----D---- C:\Program Files\Common Files\System
2010-07-14 10:20:41 ----D---- C:\WINDOWS\system32\oobe
2010-07-14 10:20:39 ----D---- C:\WINDOWS\system
2010-07-14 10:17:26 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-07-14 10:13:44 ----D---- C:\WINDOWS\ehome
2010-07-13 15:42:50 ----D---- C:\WINDOWS\pss
2010-07-12 22:28:00 ----D---- C:\Documents and Settings\steve\Application Data\Apple Computer
2010-07-12 07:47:57 ----D---- C:\Program Files\Common Files\ScanSoft Shared
2010-07-11 23:49:40 ----D---- C:\WINDOWS\Minidump
2010-07-11 10:37:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-07 21:32:24 ----A---- C:\WINDOWS\system32\PxSecure.dll
2010-07-07 21:32:23 ----D---- C:\Program Files\Prevx
2010-07-07 21:32:15 ----A---- C:\WINDOWS\wininit.ini
2010-07-02 12:39:06 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-02-27 3840]
R1 incdrm;InCD EasyWrite Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2002-10-08 7582]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 pxrts;pxrts; C:\WINDOWS\System32\drivers\pxrts.sys [2010-07-07 61752]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 pxkbf;pxkbf; C:\WINDOWS\System32\drivers\pxkbf.sys [2010-07-07 24400]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-02-10 1107224]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\steve\LOCALS~1\Temp\catchme.sys []
S3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 BsUDF;InCD UDF Driver; C:\WINDOWS\system32\drivers\BsUDF.sys [2003-02-12 389504]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2010-07-07 6384592]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IswSvc;ZoneAlarm Toolbar IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 493032]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
S4 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Steve001
Regular Member
 
Posts: 57
Joined: April 17th, 2010, 1:59 pm
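The driver and service tables in the RSIT log above are what a helper reads for kernel code that should not be there. The field worth scanning first is the bracketed file metadata at the end of each line: RSIT prints the file date and size it found on disk, and empty brackets mean it could not stat the image at all, which is either a stale registration (file deleted, service left behind) or a file that is hidden from the scanner, the hallmark of the rootkit class discussed later in this thread. The Python below is an added example, not part of the original thread or of RSIT, that parses lines copied from the log above and flags entries with missing metadata or an image loaded from a temp directory. Flagged entries still need correlation with what has already been run on the box: catchme.sys in the user's Temp folder, for instance, is the GMER rootkit-scanner driver that ComboFix drops, and the C:\Qoobox folder in the same log shows ComboFix has been used here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One RSIT driver/service line has the shape
#   "<R|S><start type> <service name>;<display name>; <image path> [<file date> <file size>]"
# e.g. "R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\...\ISWKL.sys []"
# Empty brackets mean RSIT could not stat the file: missing, hidden or unreadable.
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[([^\]]*)\]$")


@dataclass
class Entry:
    state: str          # "R" running, "S" stopped
    start: int          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    state, start, name, display, path, meta = m.groups()
    if path.startswith("\\??\\"):      # NT object-manager prefix on absolute image paths
        path = path[4:]
    date = size = None
    if meta:
        date, size_str = meta.split()
        size = int(size_str)
    return Entry(state, int(start), name, display.strip(), path, date, size)


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (service name, image path, reasons) for every entry that deserves a look."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.size is None:
            reasons.append("no file metadata: image missing, hidden or unreadable")
        low = e.path.lower()
        if "\\temp\\" in low or "\\locals~1\\" in low:
            reasons.append("image loaded from a temporary directory")
        if reasons and e.state == "R":
            reasons.append("currently running")       # loaded code beats a stale registration
        if reasons:
            findings.append((e.name, e.path, reasons))
    return findings


# Lines copied from the RSIT log above: a mix of clean and flag-worthy entries.
SAMPLE_LINES = [
    r"R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-02-27 3840]",
    r"R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys []",
    r"R2 pxrts;pxrts; C:\WINDOWS\System32\drivers\pxrts.sys [2010-07-07 61752]",
    r"S3 catchme;catchme; \??\C:\DOCUME~1\steve\LOCALS~1\Temp\catchme.sys []",
    r"S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []",
    r"R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2010-07-07 6384592]",
]

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name:12} {path}\n    " + "; ".join(reasons))
```

To run it over a whole log, read the file and pass only the lines between the "List of drivers" and "List of services" headers (and the services block after it); the regex ignores every other line. A running entry with no metadata is the one to chase first, because something is loaded whose file the scanner cannot see.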

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby melboy » August 2nd, 2010, 4:00 pm

Thanks Steve, that's great.

One last question before we wrap things up, what are the exact names for the versions of ZoneAlarm and Prevx you are using?
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby Steve001 » August 2nd, 2010, 11:13 pm

ZA Version 9.2.057.000 True Vector security engine version 9.2.057.000 1.5.227.0
MBAM v 3.0.5.179 Should I keep Prevx along with ZA ?

Melboy, I thank you very much for your generous assistance in this matter. Until we might meet again [ hopefully not] take care of yourself and others on this forum.

Cheers,
Steve

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby melboy » August 3rd, 2010, 8:21 am

Steve001 wrote: Should I keep Prevx along with ZA?


I'm trying to ascertain which of these gives you your antivirus protection, as it is not clear from the logs.

Are the products free or paid for?

Which out of the following five products is the version of ZoneAlarm you use:

ZoneAlarm Free Firewall <- Free
ZoneAlarm Pro Firewall <- Paid
ZoneAlarm Antivirus <- Paid
ZoneAlarm Internet Security Suite <- Paid
ZoneAlarm Extreme Security <- Paid

http://www.zonealarm.com/security/en-gb ... ftware.htm


Which PrevX product do you use? Is it free or paid for?

PrevX 3.0
PrevX Safe Online

http://info.prevx.com/downloadprevx.asp

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby Steve001 » August 3rd, 2010, 8:49 am

Zone alarm
Prevx 3.0

Both are free

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby melboy » August 3rd, 2010, 4:07 pm

Steve,

Read through the following carefully. If you have any questions let me know.

Uninstall Prevx. The free version you have is not giving you sufficient protection. As you have stated you use the free version of ZoneAlarm, this must be the firewall only, as the products with antivirus protection are paid-for products requiring a subscription fee. Install a free antivirus from the list below.


Uninstall Programs
  • Click on Start
  • Click on Control Panel
  • Double-click the Add/Remove Programs icon
  • Click on the program below and click Remove
Prevx


Antivirus

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast!Free Antivirus - Anti-virus program for Windows. The home edition is freeware for non-commercial users.
3) Microsoft Security Essentials - Free anti-malware solution that helps protect against viruses, spyware, and other malicious software

[Please note that trial pay is not needed to get any product for free.]

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, system instability and false virus alerts.


======================================================


Important, please read!

Your computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

There were also signs of a Password Stealer/Keylogger infection, which means your system may have been compromised in the worst way. All sensitive data may have been seen by others.

Therefore it would be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

Windows Rootkits

How do I respond to a possible identity theft and how do I prevent it


======================================================


Your log now appears to be clean.
This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are. If not, continue with the instructions below.



Uninstall Combofix
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if it does not, delete it yourself


=========================================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.


Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein: So How Did I Get Infected In The First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby Steve001 » August 4th, 2010, 11:05 am

Thanks, and I'll try to stay clean.

Re: Firefox & IE 7 Search Redirects Plus other Odd Stuff

Unread postby melboy » August 4th, 2010, 11:53 am

You're welcome.