
yet another search engine redirection

Re: yet another search engine redirection

Post by Scop » May 14th, 2011, 1:21 pm

I tried doing it overnight, but it seems to have gotten hung up. Restarting now; results as soon as I get them, along with the next OTL script, but it had already reported infection.

Do you recognize the following directory/file?
C:\Documents and Settings\All Users\Application Data\mMcHmPf06300\mMcHmPf06300


Only from the recent work that had us taking a look at it. Its name puts me somewhat in mind of the temporary internet folders that get created, but it also looks suspicious to me.

Results soon!
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Post by vict0r » May 15th, 2011, 12:32 am

Ok. Post back if it gets hung up again; please include the OTL log. :)
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Post by Scop » May 15th, 2011, 1:23 pm

ActiveScan's still being difficult. I left it to scan for about twelve hours this time; it got to 41% and stayed that way, though it indicated it was still scanning files. The directory it was in was c:\windows\installer\, where the folders had alphanumeric names like temporary internet file folders. So I clicked Cancel, but it still exported the following log:



;***********************************************************************************************************************************************************************************
ANALYSIS: 2011-05-15 00:20:27
PROTECTIONS: 1
MALWARE: 28
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Microsoft Security Essentials 3.0.8107.0 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@mediaplex[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@www.burstbeacon[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@zedo[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@atwola[2].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No c:\documents and settings\dillon\cookies\dillon@citi.bridgetrack[2].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\documents and settings\all users\application data\microsoft\microsoft antimalware\localcopy\{062877f8-8891-0c7d-b355-214bcf98c03b}-combofix.exe
08239156 Generic Trojan Virus/Trojan No 0 Yes No c:\vict0r\movedfiles\04282011_095911\c_program files\quicktime\qtsystem\quicktimevrauthoring.resources\pt.lproj\recursosquicktimequicktime.exe
08239156 Generic Trojan Virus/Trojan No 0 Yes No c:\vict0r\movedfiles\04282011_095911\c_program files\quicktime\qtsystem\quicktimewebhelper.resources\it.lproj\quicktimewebhelperquicktime7.6.51327.79.exe
08239156 Generic Trojan Virus/Trojan No 0 Yes No c:\vict0r\movedfiles\04282011_095911\c_program files\quicktime\qtsystem\quicktimeessentials.resources\ru.lproj\quicktimeresourcesquicktime.exe
08250032 Generic Trojan Virus/Trojan No 0 Yes No c:\vict0r\movedfiles\04282011_095911\c_windows\system32\config\systemprofile\application data\antivirus_antispyware_2011\securityhelper.exe
08250400 Generic Trojan Virus/Trojan No 0 Yes No c:\vict0r\movedfiles\04282011_095911\c_windows\system32\config\systemprofile\application data\antivirus_antispyware_2011\securitymanager.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



I was trying the Full Scan option; if Quick is more likely to work, I can give that a try. The OTL scan's log follows here:



OTL logfile created on: 5/15/2011 9:36:36 AM - Run 8
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dillon\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 367.00 Mb Available Physical Memory | 73.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.05 Gb Total Space | 5.93 Gb Free Space | 15.99% Space Free | Partition Type: NTFS

Computer Name: DILLONA | User Name: Dillon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dillon\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
PRC - C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe ()
PRC - C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Dillon\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll (SupportSoft, Inc.)
MOD - C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll ()
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (Pml Driver) -- C:\WINDOWS\system32\hphipm09.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (ssadmdm) -- C:\WINDOWS\system32\drivers\ssadmdm.sys (MCCI Corporation)
DRV - (ssadbus) SAMSUNG Android USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\ssadbus.sys (MCCI Corporation)
DRV - (ssadmdfl) SAMSUNG Android USB Modem (Filter) -- C:\WINDOWS\system32\drivers\ssadmdfl.sys (MCCI Corporation)
DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (MCSTRM) -- C:\WINDOWS\System32\drivers\mcstrm.sys (RealNetworks, Inc.)
DRV - (w29n51) Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (RT25USBAP) -- C:\WINDOWS\system32\drivers\RT25USBAP.SYS (Ralink Technology Inc.)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (IFP800) -- C:\WINDOWS\system32\drivers\ifp800.sys (iRiver, Inc.)
DRV - (Dot4 HPH09) -- C:\WINDOWS\system32\drivers\hphid409.sys (HP)
DRV - (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09) -- C:\WINDOWS\system32\drivers\hphs2k09.sys (Hewlett-Packard)
DRV - (Dot4Usb HPH09) -- C:\WINDOWS\system32\drivers\hphius09.sys (HP)
DRV - (Dot4Print HPH09) -- C:\WINDOWS\system32\drivers\hphipr09.sys (HP)
DRV - (2WIREPCP) -- C:\WINDOWS\system32\drivers\2WirePCP.sys (2Wire, Inc.)
DRV - (PalmUSBD) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys (Palm, Inc.)
DRV - (GT680x) -- C:\WINDOWS\system32\drivers\gt680x.sys ( )
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=ie8_0904
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0



IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2011/05/01 20:26:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
O4 - HKLM..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoTBar.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} http://www.nintendowifi.com/troubleshoo ... aptest.cab (USBAPTester Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h20278.www2.hp.com/HPISWeb/Custo ... anager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab (VerifyGMN Class)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} C:\Program Files\Yahoo!\common\yucconfig.dll (yucsetreg Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdat ... /opuc3.cab (Office Update Installation Engine)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/Shar ... /cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 7434653125 (MUWebControl Class)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan ... stubie.cab (ActiveScan 2.0 Installer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/15 09:07:45 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/13 22:53:48 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2011/05/13 22:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2011/05/06 14:24:10 | 000,000,000 | ---D | C] -- C:\Program Files\Dwarf Fortress
[2011/05/06 14:23:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\My Documents\New Folder
[2011/05/06 13:39:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/06 13:32:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/02 22:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Desktop\FixPolicies
[2011/05/02 21:16:49 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Dillon\Desktop\WinsockxpFix.exe
[2011/05/02 21:16:41 | 000,186,368 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\Dillon\Desktop\LSPFix.exe
[2011/05/02 21:16:32 | 000,036,864 | ---- | C] (Rock Systems & Development) -- C:\Documents and Settings\Dillon\Desktop\SafeMSI.exe
[2011/05/02 21:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2011/05/01 20:28:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dillon\Application Data\yahoo!
[2011/05/01 20:22:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/01 20:06:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/01 20:06:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/01 20:06:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/01 20:06:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/01 20:05:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/28 09:59:11 | 000,000,000 | ---D | C] -- C:\vict0r
[2011/04/28 09:58:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/28 09:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/28 09:50:13 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\Malwarebytes
[2011/04/28 09:07:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/28 09:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/28 09:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/28 09:07:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/28 09:06:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/28 09:05:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:45 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Desktop\tdsskiller
[2011/04/26 12:14:15 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 08:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2011/04/26 08:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\My Documents\Amazon MP3 Uploader
[2011/04/26 08:27:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/04/24 16:24:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/24 16:18:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/24 09:01:42 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2011/04/24 09:01:36 | 000,000,000 | ---D | C] -- C:\rsit
[2007/04/11 17:09:46 | 000,018,120 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\gt680x.sys
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/15 09:29:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job
[2011/05/15 09:07:45 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/15 08:56:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/15 08:55:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/15 08:55:23 | 526,897,152 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/06 22:55:27 | 000,879,081 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\SecurityCheck.exe
[2011/05/06 13:34:32 | 000,379,392 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\subinacl.msi
[2011/05/05 15:20:29 | 004,342,555 | R--- | M] () -- C:\Documents and Settings\Dillon\Desktop\Combofix.exe
[2011/05/04 23:19:04 | 000,659,968 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MicrosoftFixit50195.msi
[2011/05/04 23:00:42 | 001,373,616 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MCPR.exe
[2011/05/03 22:00:34 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBR_2011-05-03.bin
[2011/05/03 22:00:00 | 001,452,824 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBRBackup.exe
[2011/05/03 09:35:17 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBRCheck.exe
[2011/05/03 09:23:24 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\vmr.com
[2011/05/02 22:04:05 | 000,185,065 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
[2011/05/02 21:16:50 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Dillon\Desktop\WinsockxpFix.exe
[2011/05/02 21:16:42 | 000,186,368 | ---- | M] (CEXX.ORG) -- C:\Documents and Settings\Dillon\Desktop\LSPFix.exe
[2011/05/02 21:16:37 | 000,036,864 | ---- | M] (Rock Systems & Development) -- C:\Documents and Settings\Dillon\Desktop\SafeMSI.exe
[2011/05/01 21:13:43 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/05/01 20:26:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/01 13:49:25 | 000,244,224 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/29 12:04:24 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/29 12:04:24 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/28 10:14:45 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:50:15 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:07 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/28 09:05:28 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:46 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:05:19 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 17:38:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/26 12:14:23 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 12:14:01 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/24 16:24:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/24 08:45:10 | 000,339,991 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:29 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/04/15 10:27:46 | 000,319,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/06 22:55:25 | 000,879,081 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\SecurityCheck.exe
[2011/05/06 13:34:31 | 000,379,392 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\subinacl.msi
[2011/05/04 23:19:04 | 000,659,968 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MicrosoftFixit50195.msi
[2011/05/04 23:00:42 | 001,373,616 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MCPR.exe
[2011/05/03 22:00:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBR_2011-05-03.bin
[2011/05/03 21:59:57 | 001,452,824 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBRBackup.exe
[2011/05/03 09:35:17 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBRCheck.exe
[2011/05/03 08:49:26 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\vmr.com
[2011/05/02 22:04:06 | 000,185,065 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
[2011/05/01 20:06:22 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/01 20:06:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/01 20:06:22 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/01 20:06:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/01 20:06:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/01 19:55:33 | 004,342,555 | R--- | C] () -- C:\Documents and Settings\Dillon\Desktop\Combofix.exe
[2011/05/01 13:49:22 | 000,244,224 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/28 10:14:45 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:55:04 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:07:07 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/27 16:05:12 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 22:51:11 | 526,897,152 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/26 12:24:41 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/04/26 12:14:00 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/26 08:30:12 | 000,000,921 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Amazon MP3 Uploader.lnk
[2011/04/24 16:24:26 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/24 16:24:19 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/24 08:45:08 | 000,339,991 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:24 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/01/08 10:05:14 | 000,181,600 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/01/04 17:10:56 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/04 17:10:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/04 17:10:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/04 17:10:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2007/09/30 08:28:49 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/04/21 21:46:11 | 000,007,313 | ---- | C] () -- C:\WINDOWS\hpdj3500.ini
[2007/04/21 21:45:35 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/02/16 14:23:13 | 000,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/16 14:22:44 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/02/16 14:22:44 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/11/17 12:34:40 | 000,091,848 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/06/14 20:03:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/13 21:21:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/04/29 08:38:16 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/02/26 09:33:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/26 09:26:20 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/02/20 18:38:32 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Dillon\Application Data\usb.dat.bin
[2006/02/07 19:44:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2006/02/01 22:14:47 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/01/31 10:29:58 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\fusioncache.dat
[2006/01/31 10:19:55 | 000,050,523 | ---- | C] () -- C:\WINDOWS\hpdins05.dat
[2006/01/31 10:19:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpdmdl01.dat
[2006/01/30 00:16:05 | 000,000,203 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/01/29 10:35:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2006/01/28 18:32:40 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\FASTWiz.html
[2005/11/11 16:46:02 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\usbaptest.dll
[2005/08/26 15:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\shortcut.exe
[2005/04/11 04:43:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/11 04:41:01 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/11/29 20:44:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 06:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 06:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 06:10:30 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 06:10:30 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 06:10:08 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 06:02:54 | 000,319,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 05:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 05:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 01:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 01:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 01:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 01:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 01:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 01:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 01:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 01:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/01/13 20:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/05 22:03:18 | 000,004,978 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
[2003/03/05 18:28:38 | 000,000,309 | ---- | C] () -- C:\WINDOWS\hpfins01.dat
[2003/01/30 19:55:40 | 000,036,864 | ---- | C] () -- C:\WINDOWS\hpfsched.exe
[2003/01/30 19:54:28 | 000,003,691 | ---- | C] () -- C:\WINDOWS\hphinfs.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/26 15:09:58 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2002/07/22 17:57:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2002/05/28 01:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 01:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2008/07/13 19:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2006/12/14 07:04:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/05/02 21:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2011/02/27 21:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mMcHmPf06300
[2005/04/11 05:06:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2008/01/28 11:59:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/02/16 14:22:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/06/01 09:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/02/27 20:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/21 11:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/10/10 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Alien Skin
[2009/11/10 11:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Amazon
[2011/04/26 08:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2006/01/30 01:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\InterVideo
[2006/01/29 11:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Leadertech
[2006/01/30 17:29:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Musicmatch
[2011/01/07 12:08:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Samsung
[2009/10/19 18:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2011/05/15 09:29:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job

========== Purity Check ==========



========== Custom Scans ==========


< C:\Windows\System32\ipsec.dll /md5 >

< C:\Windows\System32\appmgmt.dll /md5 >

< C:\Windows\System32\browsvr.dll /md5 >

< C:\Windows\System32\trkw.dll /md5 >

< C:\Windows\System32\trks.dll /md5 >

< C:\Windows\System32\kdc.dll /md5 >

< C:\Windows\System32\dmsrv.dll /md5 >

< C:\Windows\System32\mesg.dll /md5 >

< C:\Windows\System32\netlogin.dll /md5 >

< C:\Windows\System32\protstrg.dll /md5 >

< C:\Windows\System32\lmhosts.dll /md5 >

< C:\Windows\System32\w32t.dll /md5 >

< C:\Windows\System32\ntms.dll /md5 >

< C:\Windows\System32\Drivers\usb2.sys /md5 >

< >

< End of report >
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 16th, 2011, 2:23 pm

:(

No need to try the Panda scan again.


AVP Tool by Kaspersky

Download the AVP Tool by Kaspersky from Here & save it to your desktop. Be aware that this is a large file... approximately 111Mb.
  • Plug in any hard drives or thumb drives if you own such drives.
  • Double click the setup file to run it
  • Choose the language and click ok.
  • Click Next to continue
  • Accept the Licence agreement then click Next
  • It will by default install to your desktop folder. Click Next
  • Once installed it will open a box. Click the Autoscan tab if not already open.
  • Under Automatic scan make sure the following are checked:
      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors
      • My Computer
      • Any hard- or thumb-drives that you may have.
  • Change "Prompt for action" to Prompt on completion
  • Leave the rest of the settings as they appear

  • Click on Start scan button.
  • If prompted when the scan has finished, click on Neutralize all.
  • If you receive a message that an item cannot be neutralized then choose the Delete option when prompted
  • Once finished click the Reports button at the bottom
  • Name the file Kas & save it somewhere convenient like your desktop
  • Copy/paste only the detected Virus\malware from the report. It will be at the very top under Detected & post those results in your next reply

    Note: This program will ask to uninstall when you close it. Please post the log first, then go ahead and uninstall the program.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 17th, 2011, 9:50 am

That worked well. It had 6 events that could not be disinfected automatically and required deletion at the end of the scan.



Autoscan: completed 7 minutes ago (events: 38, objects: 355938, time: 06:14:02)
Result: Detected (events: 18)
5/17/2011 1:56:14 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\pt.lproj\RecursosQuickTimeQuickTime.exe
5/17/2011 1:56:16 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperQuickTime7.6.51327.79.exe
5/17/2011 1:56:16 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources\ru.lproj\QuickTimeResourcesQuickTime.exe
5/17/2011 2:31:42 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/olig/aret.class
5/17/2011 2:31:42 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/rova.class
5/17/2011 2:31:42 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/peleza.class
5/17/2011 3:00:38 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\pt.lproj\RecursosQuickTimeQuickTime.exe
5/17/2011 3:00:38 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources\ru.lproj\QuickTimeResourcesQuickTime.exe
5/17/2011 3:00:38 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperQuickTime7.6.51327.79.exe
5/17/2011 3:08:43 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/olig/aret.class
5/17/2011 3:08:44 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/rova.class
5/17/2011 3:08:44 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/peleza.class
5/17/2011 3:09:56 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources\ru.lproj\QuickTimeResourcesQuickTime.exe
5/17/2011 6:37:58 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\pt.lproj\RecursosQuickTimeQuickTime.exe
5/17/2011 6:38:22 AM C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperQuickTime7.6.51327.79.exe
5/17/2011 6:38:30 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/peleza.class
5/17/2011 6:38:44 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/manty/rova.class
5/17/2011 6:38:51 AM C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2/olig/aret.class
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 18th, 2011, 1:06 pm

Hi.

The computer was infected with Rootkit.TDSS, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system. Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

The following steps should be taken:

  • If you have ever handled anything related to money (online banking, online shopping, etc), call your bank company and say that you might be a victim of identity theft and put a watch on your accounts
  • Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

Read this for further information:
What are rootkits from Wikipedia
How do I respond to a possible identity theft and how do I prevent it


Random Access Memory Advice

502.00 Mb Total Physical Memory

Though Microsoft claims XP will run with this amount of system memory installed, it will run far better with 1-2 GB, which are pretty cheap nowadays.

If you wish to upgrade the installed memory in your system, Crucial have a small scanner (Crucial System Scanner tool) which is perfectly safe to download and run. It will advise if your system can support any upgraded memory modules. They cater for the US/UK and Europe.


Combofix uninstaller

Double click CF_Uninstall.exe on your desktop to uninstall Combofix.

Let me know if it fails and skip the cleanup with OTL in the next step.


Run OTL Script

We need to run another OTL script. Save all work before continuing in case of reboot.

  • Double-click OTL.exe (on your desktop) to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    :files
    c:\vict0r
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0
    C:\Documents and Settings\Dillon\Desktop\FixPolicies
    C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
    C:\Documents and Settings\Dillon\Desktop\master.exe
    C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
    C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
    C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
    C:\Documents and Settings\Dillon\Desktop\rkill.exe
    C:\Documents and Settings\Dillon\Desktop\vmr.com

  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad (also after the reboot). Close it.


OTL-Cleanup

  1. Double click on OTL.exe to run it.
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.
If you did not reboot your computer normally, please do so now, before continuing.


Delete the following tools

Please delete the following tools:

MicrosoftFixit50195.exe
Norton Removal Tool
MCPR
rkunhooker
MBRCheck
MBRBackup


You can also delete the following setup programs:
mbam-setup.exe
erunt-setup.exe


Update Windows and Internet Explorer

Update Windows and Internet Explorer to protect your computer from malware. Please go to the Windows Update site to get the critical updates. Repeat this update process until no further important updates are offered.


Foxit, the Adobe alternative.

You can get Foxit 4.3 from the following link: http://cdn01.foxitsoftware.com/pub/foxit/reader/desktop/win/4.x/4.3/enu/FoxitReader431_enu_Setup.exe

Note: During Foxit's Setup/Installation process after the license agreement, uncheck the following boxes and click Decline to avoid installation of The Foxit Search Bar powered by Ask:
  • Make Ask my browser default search provider
  • Set Ask.com as my homepage


Save backups to a safe location

Save these files to a safe location (external drive/online backup).
C:\Documents and Settings\Dillon\Desktop\MBR.dat
C:\Documents and Settings\Dillon\Desktop\MBR_2011-05-03.bin

You should also move them to another location, i.e. My Documents


Your computer now appears to be malware free. The logs are clean. Good job! :)

Please follow these simple steps in order to keep your computer clean and secure.


Keep your system updated:

Make sure automatic updates for Windows XP are enabled to get the latest patches from Microsoft to fix bugs and security holes:

    Go to Start > Control Panel > Automatic Updates
    1. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    2. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
    3. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.


Keep your non-Microsoft applications updated as well:

Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it and install the suggested updates at least once a week.


Consider using the following programs to secure your computer further:


  • WinPatrol
    This is a lightweight system monitor. Download it from here and you can find information about how WinPatrol works here.

  • Hosts File
    A simple explanation of what a Hosts file does is here (includes a description on how to use HostsXpert to easily download and manage your hosts file). For more information regarding hosts files: MVPS Hosts.

  • Malwarebytes' Anti-Malware
    Update Malwarebytes Anti-Malware and perform a quick scan 1-2 times a week.


    It is ABSOLUTELY ESSENTIAL to keep Windows, Java, Adobe/Foxit and all of your security programs up to date.


Read these articles to learn more about how to protect yourself while on the internet:



Please reply one more time so I know we can archive this topic or post any related questions.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 18th, 2011, 5:12 pm

Thanks a million for all your help and patience; we've spent almost four weeks working through this. I'll read further on your recommendations; Foxit's already running smoothly for me, and my machine's function is looking much better. I know where to refer friends who are struggling with malware issues now. :)
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 20th, 2011, 6:20 am

I'm glad I could help. :)

This program can also be very useful for you. It can be setup to run automatically at startup to perform cleanup of accumulated junk:


Download and configure CCleaner:

    Download and install CCleaner-Slim from here


Set Options in CCleaner for Regular Use:

Open CCleaner if it's not already running. Do not use the Registry block to clean anything with this program. It is for experts only and it is risky!

  • Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, uncheck "History" if you do not want to lose it. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left, then choose Settings. Check Run CCleaner when computer starts.
  • Choose Cookies on the Options block on the left.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites you regularly visit or do business with), and click the right arrow > to move them to the Cookies to keep pane.

If you need settings for Firefox, Opera, Java or other programs, take a look at the Applications tab and choose your desired settings.

You can now perform a Cleaning Scan if you don't want to wait until the next reboot/startup. Click on the Cleaner block on the left. Choose the Windows tab. Click the Run Cleaner button. When CCleaner shows how much has been removed, cleaning is finished.


I will now ask for this topic to be closed.

Safe surfing! :)
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby NonSuch » May 21st, 2011, 7:53 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California