Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Browser Redirects from search results

Extra Txt

Post by Tunaheart » March 20th, 2013, 6:17 pm

BTW I had deleted Getsavin yesterday, I found that it had an entry in the Add/Remove window, so I uninstalled it.

OTL Extras logfile created on: 3/20/2013 6:05:34 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Chambers William\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 3.03 Gb Available Physical Memory | 86.91% Memory free
4.82 Gb Paging File | 4.39 Gb Available in Paging File | 91.20% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 8.68 Gb Free Space | 11.66% Space Free | Partition Type: NTFS

Computer Name: 51WELLINGOFFICE | User Name: Chambers William | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" = C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE:*:Enabled:Microsoft Office Excel -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
"C:\WINDOWS\system32\LEXPPS.EXE" = C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE
"C:\Program Files\Real\realplayer\realplay.exe" = C:\Program Files\Real\realplayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\WINDOWS\system32\dlbccoms.exe" = C:\WINDOWS\system32\dlbccoms.exe:*:Enabled:Photo Printer 720 Server -- ( )
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Microsoft Games\FS2002\fs2002.exe" = C:\Program Files\Microsoft Games\FS2002\fs2002.exe:*:Enabled:Microsoft Flight Simulator Module -- (Microsoft Corporation)
"C:\Program Files\SquawkBox\squawkbox_fs.exe" = C:\Program Files\SquawkBox\squawkbox_fs.exe:*:Enabled:SquawkBox (for Flight Simulator 2002 and 2004)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\SquawkBox3\squawkbox.exe" = C:\Program Files\SquawkBox3\squawkbox.exe:*:Enabled:squawkbox.exe
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\system32\rundll32.exe" = C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App -- (Microsoft Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\system32\lxeecoms.exe" = C:\WINDOWS\system32\lxeecoms.exe:*:Enabled:Pro700 Series Server -- ( )
"C:\Program Files\V CAST Music with Rhapsody\rhapsody.exe" = C:\Program Files\V CAST Music with Rhapsody\rhapsody.exe:*:Enabled:RealNetworks Rhapsody -- (Rhapsody International Inc.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\AVG\AVG2013\avgmfapx.exe" = C:\Program Files\AVG\AVG2013\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\AVG\AVG2013\avgnsx.exe" = C:\Program Files\AVG\AVG2013\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2013\avgdiagex.exe" = C:\Program Files\AVG\AVG2013\avgdiagex.exe:*:Enabled:AVG Diagnostics 2013 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2013\avgemcx.exe" = C:\Program Files\AVG\AVG2013\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{241DBC8D-14E3-4240-8EE5-3AC35086B638}" = AVG 2013
"{2B5DACE9-662B-415B-8C83-6C79B988CFC0}" = Golden Eagle FlightPrep 2007
"{3284FB04-8EEA-49D5-ACC2-2AB7B8845EE0}" = Deal Info
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35AD8A37-8ECE-4E97-A34E-B15BFEF0E2F2}" = Basic Webcam
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D0ED490-BFAB-46F8-9AFB-0DAE0C90AC9E}" = calibre
"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support
"{45EF1D41-FAC7-4204-A0B1-D9F05E0C7DB6}" = EarthLink spamBlocker Add-On
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.9
"{6F8CBBFB-7986-4140-91EC-D8C7F1EC8DF3}" = AVG 2013
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{868BF461-CFF9-4228-B52D-842FF59001D3}" = Micro Webcam
"{89EC099E-958D-462E-972C-385591946978}" = TurboTax 2012 WinPerFedFormset
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8BC47D4C-5091-4187-8DAA-B6F7F39E44B7}" = AOPA's Airport eDirectory
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A7EAAB60-854F-43E4-997B-DF0ADC44158F}" = EzTrends
"{A8B1F076-965D-4663-A9D4-C2FB58A42AE4}" = TurboTax 2012 WinPerTaxSupport
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4AC94AE-A5CE-4BB5-897C-E45E558F3277}" = Golden Eagle FlightPrep 5.1
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BD33CD92-3A42-4CE1-ADDE-A9B64CFFF24D}" = EarthLink FastLane
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240D8}" = WinZip 17.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D218E98E-84ED-4EB8-8DCD-529B74364027}" = Garmin MetroGuide North America v8
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E83F5F27-43F3-4163-ABE5-F68C989286ED}" = TurboTax 2012 wrapper
"{F014B696-28C5-4554-802F-A15380418F53}" = TurboTax 2012 WinPerReleaseEngine
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F1362843-0E0E-4F74-8662-724CF101ADCE}" = Skype web features
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F42F3704-4CA7-4D28-9F5B-FDBF2E589EB2}" = Verizon Wireless Software Upgrade Assistant - SAMSUNG (TL-PC)
"{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}" = ICatch (VI) PC Camera
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG" = AVG 2013
"Digital Editions" = Adobe Digital Editions
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 8 Qt_is1" = DVDFab 8.1.7.8 (17/04/2012) Qt
"ERUNT_is1" = ERUNT 1.1j
"Flight Simulator 8.0" = Microsoft Flight Simulator 2002
"GARMIN 400 Series Trainer" = GARMIN 400 Series Trainer
"GoZone iSync" = GoZone iSync
"GroundSchool - Instrument Rating (IFR)_is1" = GroundSchool - Instrument Rating (IFR)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"InstallShield_{2B5DACE9-662B-415B-8C83-6C79B988CFC0}" = Golden Eagle FlightPrep 2007
"InstallShield_{35AD8A37-8ECE-4E97-A34E-B15BFEF0E2F2}" = Basic Webcam
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.4.5 Full
"Lexmark Pro700 Series" = Lexmark Pro700 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PFCExpress" = PFCExpress by AT&W Technologies
"Picasa 3" = Picasa 3
"RealPlayer 12.0" = RealPlayer
"RipIt4Me" = RipIt4Me
"Savings Bond Wizard" = Savings Bond Wizard
"SmartInstaller" = Smart Installer
"ST6UNST #1" = COMPSYS21
"TurboTax 2010" = TurboTax 2010
"TurboTax 2012" = TurboTax 2012
"Uninstall_is1" = Uninstall 1.0.0.1
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"VideoSplitter_is1" = Kate's Video Splitter 7.0
"Walmart MP3 Music Downloads" = Walmart MP3 Music Downloads
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YTdetect" = Yahoo! Detect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ADDS Flight Path Tool" = ADDS Flight Path Tool
"f9598aeafb0efd18" = BabySmash!
"GoToMeeting" = GoToMeeting 5.3.0.977

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 3/17/2013 10:18:09 AM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pswro.dll, version 0.5.2.0, fault address 0x00001230.

Error - 3/17/2013 10:18:13 AM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1001
Description = Fault bucket -823315221.

Error - 3/17/2013 10:41:19 AM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pswro.dll, version 0.5.2.0, fault address 0x00001230.

Error - 3/17/2013 10:41:24 AM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1001
Description = Fault bucket -823315221.

Error - 3/17/2013 6:08:18 PM | Computer Name = 51WELLINGOFFICE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/17/2013 6:08:18 PM | Computer Name = 51WELLINGOFFICE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/17/2013 6:19:45 PM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pswro.dll, version 0.5.2.0, fault address 0x00001230.

Error - 3/17/2013 6:19:49 PM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1001
Description = Fault bucket -823315221.

Error - 3/17/2013 8:20:19 PM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pswro.dll, version 0.5.2.0, fault address 0x00001230.

Error - 3/17/2013 8:24:43 PM | Computer Name = 51WELLINGOFFICE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pswro.dll, version 0.5.2.0, fault address 0x00001230.

[ System Events ]
Error - 3/20/2013 1:10:51 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService
service to connect.

Error - 3/20/2013 1:10:51 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The lxeeCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 3/20/2013 1:10:51 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 3/20/2013 1:10:51 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The vToolbarUpdater14.2.0 service failed to start due to the following
error: %%2

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService
service to connect.

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The lxeeCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 3/20/2013 5:35:46 PM | Computer Name = 51WELLINGOFFICE | Source = Service Control Manager | ID = 7000
Description = The vToolbarUpdater14.2.0 service failed to start due to the following
error: %%2


< End of report >
Tunaheart

Re: Browser Redirects from search results

Post by askey127 » March 20th, 2013, 6:48 pm

Tunaheart,
-------------------------------------------------
Run RogueKiller
  • First, quit all running programs.
  • Start RogueKiller.exe. (Double click in XP)
  • Note: If the program is blocked, do not hesitate to try several times.
    If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
  • Wait until prescan has finished.
  • Click on the Delete button on the right. Wait for it to finish.
  • When the removals are complete, a file icon named RKreport.txt should appear on your desktop.
  • Please double click that file RKreport.txt and post its contents in your next Reply.
    (You can also open the report by clicking the Report button on the right).
----------------------------------------------
Perform a Custom Fix with OTL
Run OTL (Right click and choose "Run as administrator" in Vista/Win7)
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    [2008/06/05 17:09:21 | 000,000,152 | ---- | M] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
    [2008/06/05 17:09:21 | 000,000,152 | ---- | C] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
    [2012/08/16 17:43:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus
    [2013/03/18 19:38:33 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    O15 - HKU\S-1-5-21-2444304784-286345585-3085264512-1005\..Trusted Domains: navyfcu.org ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-2444304784-286345585-3085264512-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-2444304784-286345585-3085264512-1005\..Trusted Domains: vatsim.net ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-2444304784-286345585-3085264512-1005\..Trusted Domains: xpressdeposit.com ([nfcu] https in Trusted sites)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
    CHR - homepage: http://securesearch.lavasoft.com/?sourc ... 5145BED77D
    CHR - homepage: http://securesearch.lavasoft.com/?sourc ... 5145BED77D
    
    :Files
    c:\documents and settings\chambers william\local settings\application data\getsavin
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and click to allow the Reboot when it is done.
    When the computer Reboots, and you start your usual account, a Notepad text file will appear.
  • Copy the contents of that file and post it in your next reply.
    The FIX log file will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log
---------------------------------------------
Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1 (32-bit)

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *getsavin*
    
    :folderfind 
    *getsavin*
    
    :regfind
    getsavin /s
    8F4014F2-80BD-4A29-8086-C413AFF5E42F /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt

askey127

Rogue Killer Scan & Delete

Post by Tunaheart » March 20th, 2013, 7:23 pm

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/fi ... guekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Chambers William [Admin rights]
Mode : Scan -- Date : 03/20/2013 19:19:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 13 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2444304784-286345585-3085264512-1005[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2444304784-286345585-3085264512-1005_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3808110AS +++++
--- User ---
[MBR] 2eb7f8fb2038b9a98980033a9dee5e18
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 76245 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_03202013_02d1919.txt >>
RKreport[1]_S_03202013_02d1759.txt ; RKreport[2]_S_03202013_02d1919.txt
Tunaheart

OTL Run Fix Scan

Unread postby Tunaheart » March 20th, 2013, 7:31 pm

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\WINDOWS\system32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g moved successfully.
File C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g not found.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus\Logs\20130317T130041.453125PID2016 folder moved successfully.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus\Logs\20120911T002821.953125PID2284 folder moved successfully.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus\Logs\20120828T012411.703125PID2348 folder moved successfully.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus\Logs\20120816T214320.203125PID1296 folder moved successfully.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus\Logs folder moved successfully.
C:\Documents and Settings\Chambers William\Application Data\Ad-Aware Antivirus folder moved successfully.
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job moved successfully.
Registry key HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\navyfcu.org\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vatsim.net\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2444304784-286345585-3085264512-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xpressdeposit.com\nfcu\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll moved successfully.
Use Chrome's Settings page to change the HomePage.
Use Chrome's Settings page to change the HomePage.
========== FILES ==========
File\Folder c:\documents and settings\chambers william\local settings\application data\getsavin not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Chambers William\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Chambers William\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Chambers William
->Temp folder emptied: 25894246 bytes
->Temporary Internet Files folder emptied: 16786 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1187 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 67369 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 25.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03202013_192550

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Systemlook Text

Unread postby Tunaheart » March 20th, 2013, 7:38 pm

I had uninstalled Getsavin yesterday from the ADD/REMOVE Programs Window.

SystemLook 04.09.10 by jpshortstuff
Log created at 19:32 on 20/03/2013 by Chambers William
Administrator - Elevation successful

========== filefind ==========

Searching for "*getsavin*"
No files found.

========== folderfind ==========

Searching for "*getsavin*"
No folders found.

========== regfind ==========

Searching for "getsavin /s"
No data found.

Searching for "8F4014F2-80BD-4A29-8086-C413AFF5E42F /s"
No data found.

-= EOF =-
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Previous Rogue Killer Txt was incorrect

Unread postby Tunaheart » March 20th, 2013, 7:47 pm

Askey HI

I'm sorry, I sent you the incorrect Rogue Killer Txt file from the delete request. They had been piling up and I grabbed the wrong one; this file is the latest Rogue Killer using the Delete

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/fi ... guekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Chambers William [Admin rights]
Mode : Remove -- Date : 03/20/2013 19:20:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat) -> DELETED
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-19[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-20[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-2444304784-286345585-3085264512-1005_Classes[...]\Run : Temp (rundll32 "C:\Documents and Settings\Chambers William\Local Settings\Application Data\Wal-Mart Music Downloads\Temp\pswro.dll",SCBB2_CreateTransformTablesW) [-] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3808110AS +++++
--- User ---
[MBR] 2eb7f8fb2038b9a98980033a9dee5e18
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 76245 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_03202013_02d1920.txt >>
RKreport[1]_S_03202013_02d1759.txt ; RKreport[2]_S_03202013_02d1919.txt ; RKreport[3]_D_03202013_02d1920.txt
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Re: Browser Redirects from search results

Unread postby askey127 » March 20th, 2013, 8:03 pm

Tunaheart,
I wanted to run the search for "getsavin" anyway, because those applications frequently leave behind a lot of junk.
In this case it looks like a clean removal.
Your machine looks pretty good at this point.
How is it behaving?
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Browser Redirects from search results

Unread postby Tunaheart » March 20th, 2013, 8:16 pm

Askey Hi,

Seems to be ok, it's noticeably quicker. I certainly appreciate the help. I was losing hope, thank goodness I found this forum.

What was the issue?

It's always a challenge for us laymen to figure out what to do when things like this happen. With so many bogus offers and additional "help" from questionable sites, many for a fee.

I'm going to reboot and see if anything comes along..

cheers,

tunaheart
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Re: Browser Redirects from search results

Unread postby askey127 » March 21st, 2013, 7:31 am

Tunaheart,
There were a number of problems.
First, Ad-Aware contains an antivirus, making a total of two antivirus apps on the machine.
More than one creates all kinds of system problems and slowdowns.
If you ever change AV applications, be sure to Uninstall the old one.

The free space issue on the hard drive causes slowdowns. Your objective on this machine should be 10Gb free.

The Get Savin redirects were brought in by one of your program downloads.
They don't always tell when they piggyback an add-on they get paid to peddle.

In general, avoid all toolbars and any extra security software, as well as any Registry helpers/boosters/optimizers.
Using AVG antivirus and running a scan with Malwarebytes Antimalware every week or so should be fine.
Malwarebytes is an antispyware only and does not interfere with antivirus behavior.

Disk Cleanup and Disk Defragmenter are both available at Start > Control Panel > Accessories > System Tools.
Use both once in a while to keep the speed up. Just choose NOT to allow disk cleanup to compress files on your drive.

The Java and Adobe Reader were both out of date. The older versions had flaws that would allow infections.
------------------------------------------------------------
Unless you have some serious need for Java I would suggest that you leave Java off your computer.
It has carried (and still carries) some recognized security risks, and only a few web sites still use it.
If you find you must install it, make sure it is at least Java 7 update 17.
--------------------------------------------------------
Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 11.0.01 are vulnerable.
Go HERE to download AdbeRdr11001_en_US.exe
Save the file to your desktop and run it to install the latest version of Adobe Reader.
After the new Reader is installed, Open Adobe Reader XI, as it is called, and OK the license.
Click on Edit and select Preferences.
On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
Click on the Security (Enhanced) category
Uncheck Automatically trust sites from my Win OS security zones, and under Protected View, click on Files from potentially unsafe locations.
Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
Click the OK button
When it asks if you are sure you want to make changes to Advanced Security Preferences, answer Yes.
When it finishes, you can remove the Installer from your desktop.

If you start OTL and click the Clean Up button it will remove most of our tools.
You should be good to go.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Thanks so much

Unread postby Tunaheart » March 21st, 2013, 8:34 am

Thank you very much!!

I'll be much more careful when downloading and read everything. Most of the apps are not worth this headache.

Thanks again, appreciate it.
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Adobe not loading

Unread postby Tunaheart » March 21st, 2013, 10:19 pm

Askey HI,

I cleaned up the files as you suggested, found another ~2 gbytes of disk space.

I've downloaded the Adobe executable and ran it, splash indicates initializing and it completes but no links to Adobe in the program menus, nor are any of my PDF files associated with pdf and when opened ask for program to run.

Hmmmm
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Re: Browser Redirects from search results

Unread postby askey127 » March 22nd, 2013, 4:31 pm

Tunaheart,
Do you mean that Start > All Programs does NOT show Adobe Reader in the list?
If it doesn't show up, start the installer and install it again (won't hurt anything).
You can set the Adobe Reader program as the default for PDF files using Windows Explorer (My Computer).
Open My Computer, click Tools in the top menu, choose File Types.
When the list of file types shows up, scroll down to PDF and choose Adobe Reader as the program to open with.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re Adobe Reader

Unread postby Tunaheart » March 22nd, 2013, 6:28 pm

Askey124

Correct, Adobe does not appear in the program list. The installer initializes, then the window showing its progress closes after 100% is reached with no other action occurring.

Only Adobe listing on the Program list is for Adobe Digital Editions (a couple books I purchased for my Kindle)?

Thanks
Bill
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm

Re: Browser Redirects from search results

Unread postby askey127 » March 22nd, 2013, 6:57 pm

Take a look at the suggestions here and tell me how you make out:
http://helpx.adobe.com/acrobat/kb/troub ... ndows.html
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Adobe Reader Probs

Unread postby Tunaheart » March 22nd, 2013, 8:07 pm

Askey 127

I've tried those suggestions, no change. I posted a question to their help forum, I'll let you know how I do.

Thanks
Bill
Tunaheart
Regular Member
 
Posts: 23
Joined: March 18th, 2013, 3:45 pm