
redirected from google search


Re: redirected from google search

Post by shinybeast » December 17th, 2009, 11:33 am

Hi lamedmem,

Did you end up running TDSSKiller twice? The log didn't show that it did anything, but if you ran it twice, then the original log was overwritten and that would explain things. You can thank the folks at Kaspersky; they are the ones that "did it." :)

We need to do a couple of checks so we can finish the removal and set things right.


Scan with GMER MBR rootkit detector

Click here to download MBR Rootkit Detector by GMER and save it to your desktop.

  • Copy the text in the code box below
    "%userprofile%\Desktop\mbr.exe" -t
  • Click Start, click Run... and paste the above command in the Open: box and click OK.
  • A window will open briefly then close.
  • There will be a log named MBR.log on the desktop.
  • Please post the contents of that log in your next reply.


OTL

  • Double-click OTL.exe to start the program (it should still be on your desktop).
  • Copy all of the text in the code box below and paste it in the white area under Custom Scans/Fixes (under the cyan line at the bottom of the window).
    /md5start
    atapi.sys
    /md5stop
    
    reg query HKLM\SYSTEM\CurrentControlSet\Services\atapi /v ImagePath /c
  • Click Quick Scan near the top of the window.
  • When the scan is finished, a log (OTL.txt) will open.
  • Please post the contents of that log in your next reply.


In your next reply, please include the MBR log and the OTL log and let me know if the computer is still behaving OK.
shinybeast
Retired Graduate
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)
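A triage pass over OTL log lines, added here as an example (not code from this thread, from shinybeast, or from OTL itself): it parses the "[date | size | attrs | C/M] (Company) -- path" entries OTL writes and flags the kinds of lines a helper reads first. The sample lines are excerpted from the OTL log lamedmem posts below; the rule names are this example's own, and a hit means "review", not "malicious" (tsk_atapi.sys, for instance, was created less than a minute after the tdsskiller folder, which the helper will want to account for).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the file/folder entries OTL writes in its Files/Folders sections, e.g.
#   [2009/12/15 11:43:47 | 00,095,360 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
# The "(Company)" field is optional (folders omit it) and may be empty or a single space.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# Kernel drivers live here; one with no company/version info deserves a closer look.
DRIVER_PATH_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
# ActiveX (O16 DPF) controls downloaded from a bare IP address rather than a hostname.
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
# Windows' stock open command for .exe/.com files, as OTL prints it on O35 lines.
DEFAULT_OPEN_CMD = '"%1" %*'


@dataclass
class FileEntry:
    timestamp: str
    size: int      # bytes; OTL prints it zero-padded with thousands separators
    attrs: str     # R/H/S/D flags, '-' where unset
    kind: str      # 'C' = created, 'M' = modified (which date the line reports)
    company: str   # '' when OTL found no company name in the version resource
    path: str


def parse_entry(line: str) -> Optional[FileEntry]:
    """Parse one OTL file/folder line; returns None for any other line type."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for lines a helper would review first.

    Rule names are this example's own, not OTL terminology:
      orphan              - a service, autorun or mount point whose target is missing
      dpf_raw_ip          - an ActiveX control fetched from a bare IP address
      shell_assoc         - .exe/.com open command changed from the Windows default
      unattributed_driver - a .sys under system32\\drivers with no company name
    A hit means "review", not "malicious".
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "File not found" in line:
            findings.append(("orphan", line))
        elif line.startswith("O16 - DPF:") and RAW_IP_URL_RE.search(line):
            findings.append(("dpf_raw_ip", line))
        elif line.startswith("O35 - ") and not line.endswith("-- " + DEFAULT_OPEN_CMD):
            findings.append(("shell_assoc", line))
        else:
            entry = parse_entry(line)
            if entry and entry.company == "" and DRIVER_PATH_RE.search(entry.path):
                findings.append(("unattributed_driver", entry.path))
    return findings


# Sample lines excerpted from the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (LogWatch)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} https://208.125.27.194/ConnectComputer/nshelp.dll (NSHelp Class)
O33 - MountPoints2\{408e29b2-cebf-11dc-a70c-0011118debd2}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O35 - exefile [open] -- "%1" %*
[2009/12/15 11:43:47 | 00,095,360 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2008/10/08 11:24:55 | 00,546,120 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\slusbvip.sys
[2009/12/13 23:11:09 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hhhhhh\Desktop\OTL.exe
[2009/12/15 11:49:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hhhhhh\Desktop\New Folder (16)
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:20} {detail}")
```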

Re: redirected from google search

Post by lamedmem » December 20th, 2009, 11:39 pm

Thanks

OTL Log

OTL logfile created on: 12/20/2009 7:45:52 PM - Run 2
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\hhhhhh\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 198.88 Mb Available Physical Memory | 19.46% Memory free
1.90 Gb Paging File | 1.34 Gb Available in Paging File | 70.62% Paging File free
Paging file location(s): c:\pagefile.sys 1022 1222 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 425.72 Gb Total Space | 182.07 Gb Free Space | 42.77% Space Free | Partition Type: NTFS
Drive D: | 649.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 2.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DBDHXY71
Current User Name: hhhhhh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/17 10:32:39 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/13 23:11:13 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hhhhhh\Desktop\OTL.exe
PRC - [2009/12/12 09:25:30 | 02,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/12/12 09:25:21 | 00,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/12 09:25:19 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/12 19:03:53 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/12 19:03:53 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/12 19:03:50 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/10 16:07:08 | 00,320,832 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2008/12/16 13:36:06 | 00,165,160 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
PRC - [2008/11/10 12:23:38 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2007/12/11 16:15:04 | 00,012,800 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/07/26 17:51:22 | 00,606,316 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe


========== Modules (SafeList) ==========

MOD - [2009/12/13 23:11:13 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hhhhhh\Desktop\OTL.exe
MOD - [2006/10/01 13:04:00 | 00,063,032 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LogWatch)
SRV - [2009/11/12 19:03:50 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/05/16 21:24:46 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/30 10:53:25 | 00,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9b14fb1942f82) Google Update Service (gupdate1c9b14fb1942f82)
SRV - [2008/12/16 13:36:06 | 00,165,160 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe -- (FreeAgentTheater Service)
SRV - [2008/11/10 12:23:50 | 05,117,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/11/10 12:23:42 | 00,243,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2008/11/10 12:23:38 | 00,060,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2008/07/18 12:13:20 | 00,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/07/18 12:13:20 | 00,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/03/25 20:27:36 | 00,135,168 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2008/03/25 19:38:24 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2008/01/03 13:45:18 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/12/11 16:15:04 | 00,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/04/20 08:03:02 | 00,411,168 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/03/20 16:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) [On_Demand | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/07/26 17:51:22 | 00,606,316 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/03/16 12:35:38 | 00,126,976 | ---- | M] (Computer Associates International Inc.) [On_Demand | Stopped] -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe -- (CA_LIC_CLNT)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/12/17 13:59:48 | 00,143,360 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://newsvote.bbc.co.uk/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: {C4A22BA1-6D61-45F1-82A9-140FD33F1110}:1.0.4.88
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: esnipesnipeit@esnipe.com:1.0.9
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 09:27:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/12/17 15:55:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/17 10:32:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/17 10:32:45 | 00,000,000 | ---D | M]

[2008/06/17 21:23:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Extensions
[2009/12/20 12:24:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions
[2009/02/06 06:20:00 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/17 18:30:28 | 00,000,000 | ---D | M] (Hebrew Calendar) -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions\{C4A22BA1-6D61-45F1-82A9-140FD33F1110}
[2008/05/13 08:39:54 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions\{c7182bab-dd8e-4e4e-a5c3-f60359142d6d}
[2008/12/12 06:13:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions\esnipesnipeit@esnipe.com
[2009/12/17 18:30:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\extensions\firefox@tvunetworks.com
[2008/06/19 23:22:47 | 00,002,117 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Application Data\Mozilla\Firefox\Profiles\rmumy5hf.default\searchplugins\babylon.xml
[2009/12/20 12:24:17 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/12/24 22:08:06 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/07/17 17:54:19 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\realplayer@partners.mozilla.com
[2008/05/19 13:57:00 | 02,641,920 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
[2008/09/15 10:52:06 | 00,376,832 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
[2008/02/28 13:30:00 | 00,008,784 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ractrlkeyhook.dll
[2008/02/28 13:33:00 | 00,245,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\unicows.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - Reg Error: Value error. File not found
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: ViVL: Save Pictures... - C:\Program Files\ViVL.COM\vivlWebSaverImage.html ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: ViVL Web Picture Saver - {D3B9FE31-191E-443B-9E43-D0D0DF53F3C2} - C:\Program Files\ViVL.COM\vivlWebSaverBar.html ()
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} http://w4s2.work4sure.com/c/ge/w4sgeen9.exe (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://nigel.viewnetcam.com:81/kxhcm10.ocx (KX-HCM10 Control)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} https://208.125.27.194/ConnectComputer/nshelp.dll (NSHelp Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 3612711456 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} https://photos.riteaid.com/control/Rite ... Online.cab (Rite Aid One Hour Photo Online Control)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/aut ... s-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/fl ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://cvs.pnimedia.com/upload/activex/ ... 0.0.10.cab? (Photo Upload Plugin Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{408e29b2-cebf-11dc-a70c-0011118debd2}\Shell - "" = AutoRun
O33 - MountPoints2\{408e29b2-cebf-11dc-a70c-0011118debd2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{408e29b2-cebf-11dc-a70c-0011118debd2}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/15 11:49:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hhhhhh\Desktop\New Folder (16)
[2009/12/15 11:43:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hhhhhh\Desktop\tdsskiller
[2009/12/15 11:40:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/15 11:36:56 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/15 11:33:42 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\hhhhhh\Desktop\erunt-setup.exe
[2009/12/14 14:59:39 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\hhhhhh\Recent
[2009/12/13 23:11:09 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hhhhhh\Desktop\OTL.exe
[2009/11/12 18:02:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/12 18:02:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/12 18:02:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/12 18:02:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/30 10:53:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/08 11:24:55 | 00,546,120 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\slusbvip.sys
[2008/10/08 11:24:55 | 00,014,888 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\TLRecAgent.sys
[2008/06/30 21:38:49 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\hhhhhh\Application Data\pcouffin.sys
[2008/03/30 23:07:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\HPAppData
[2008/01/27 15:40:02 | 00,769,536 | ---- | C] (Toshiba Samsung Storage Technology Coporation) -- C:\Documents and Settings\hhhhhh\Application Data\sfdnwin.dll
[2007/06/12 09:49:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/02/27 22:21:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\WinPatrol
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\hhhhhh\My Documents\*.tmp files -> C:\Documents and Settings\hhhhhh\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/20 19:39:53 | 00,077,312 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\mbr.exe
[2009/12/20 19:18:02 | 00,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1329665198-3272703715-2708353175-1006UA.job
[2009/12/20 18:46:41 | 46,855,652 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/20 18:45:42 | 00,127,520 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/20 01:18:01 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1329665198-3272703715-2708353175-1006Core.job
[2009/12/18 16:22:19 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/18 09:29:13 | 00,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/18 09:28:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/18 09:28:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/18 09:28:32 | 10,716,97920 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/18 09:24:46 | 11,534,336 | -H-- | M] () -- C:\Documents and Settings\hhhhhh\NTUSER.DAT
[2009/12/17 15:44:05 | 00,083,741 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\Welcome to Greatwings.pdf
[2009/12/16 23:27:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/16 16:28:27 | 00,074,240 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/15 13:22:54 | 00,000,000 | ---- | M] () -- C:\Documents
[2009/12/15 13:10:22 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\hhhhhh\ntuser.ini
[2009/12/15 11:43:47 | 00,095,360 | ---- | M] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 11:41:50 | 00,117,293 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\tdsskiller.zip
[2009/12/15 11:37:01 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\NTREGOPT.lnk
[2009/12/15 11:37:00 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\ERUNT.lnk
[2009/12/15 11:33:49 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\hhhhhh\Desktop\erunt-setup.exe
[2009/12/13 23:32:26 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\hhhhhh\defogger_reenable
[2009/12/13 23:31:24 | 00,050,621 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\Defogger.exe
[2009/12/13 23:11:13 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hhhhhh\Desktop\OTL.exe
[2009/12/13 13:11:57 | 00,441,856 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\CKScanner.exe
[2009/12/09 03:31:14 | 00,446,804 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/09 03:31:14 | 00,073,416 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/09 03:31:13 | 00,530,526 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/08 22:12:15 | 02,937,706 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\SPEECH1.pdf
[2009/12/08 22:11:31 | 02,937,706 | ---- | M] () -- C:\Documents and Settings\hhhhhh\My Documents\SPEECH1.pdf
[2009/12/08 22:10:28 | 02,966,016 | ---- | M] () -- C:\Documents and Settings\hhhhhh\My Documents\SPEECH1.doc
[2009/12/07 11:37:36 | 00,045,530 | ---- | M] () -- C:\Documents and Settings\hhhhhh\Desktop\La Guardia to 739 E New Yor...pdf
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\hhhhhh\My Documents\*.tmp files -> C:\Documents and Settings\hhhhhh\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/20 19:39:51 | 00,077,312 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\mbr.exe
[2009/12/17 15:44:05 | 00,083,741 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\Welcome to Greatwings.pdf
[2009/12/15 13:22:54 | 00,000,000 | ---- | C] () -- C:\Documents
[2009/12/15 11:43:47 | 00,095,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\tsk_atapi.sys
[2009/12/15 11:41:49 | 00,117,293 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\tdsskiller.zip
[2009/12/15 11:37:01 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\NTREGOPT.lnk
[2009/12/15 11:37:00 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\ERUNT.lnk
[2009/12/13 23:32:26 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\hhhhhh\defogger_reenable
[2009/12/13 23:31:23 | 00,050,621 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\Defogger.exe
[2009/12/13 13:11:56 | 00,441,856 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\CKScanner.exe
[2009/12/08 22:12:15 | 02,937,706 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\SPEECH1.pdf
[2009/12/08 22:11:31 | 02,937,706 | ---- | C] () -- C:\Documents and Settings\hhhhhh\My Documents\SPEECH1.pdf
[2009/12/08 22:09:53 | 02,966,016 | ---- | C] () -- C:\Documents and Settings\hhhhhh\My Documents\SPEECH1.doc
[2009/12/07 11:37:36 | 00,045,530 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Desktop\La Guardia to 739 E New Yor...pdf
[2009/05/17 22:52:32 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/05/17 22:52:31 | 00,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/05/17 18:38:47 | 00,049,152 | R--- | C] () -- C:\WINDOWS\System32\AVerIO.dll
[2009/05/17 18:38:47 | 00,003,456 | R--- | C] () -- C:\WINDOWS\System32\AVerIO.sys
[2009/05/17 18:38:35 | 00,262,144 | R--- | C] () -- C:\WINDOWS\System32\sptlib01.dll
[2009/05/17 18:38:35 | 00,249,856 | R--- | C] () -- C:\WINDOWS\System32\sptlib02.dll
[2009/05/17 18:36:01 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/05/04 14:32:05 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\$_hpcst$.hpc
[2008/10/08 11:25:23 | 00,244,240 | ---- | C] () -- C:\WINDOWS\System32\slvipgx.dll
[2008/10/08 11:25:23 | 00,150,032 | ---- | C] () -- C:\WINDOWS\System32\slvipco.dll
[2008/10/08 11:25:23 | 00,084,912 | ---- | C] () -- C:\WINDOWS\System32\drivers\slvad.sys
[2008/07/07 07:45:31 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/07/07 07:45:31 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/30 21:38:55 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\pcouffin.log
[2008/06/30 21:38:49 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\inst.exe
[2008/06/30 21:38:49 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\pcouffin.cat
[2008/06/30 21:38:49 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\pcouffin.inf
[2008/06/24 18:29:21 | 03,049,984 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/06/24 18:29:21 | 00,404,480 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/06/24 18:29:21 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2008/06/24 18:29:21 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2008/04/08 14:21:08 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/04/02 15:03:33 | 00,000,020 | ---- | C] () -- C:\WINDOWS\InfModM.ini
[2008/04/02 15:02:33 | 00,000,029 | ---- | C] () -- C:\WINDOWS\wgedit.ini
[2008/01/27 14:35:01 | 00,000,465 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\SamsungLiveUpdateConfig.ini
[2008/01/03 14:06:18 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/11/12 17:53:53 | 00,006,347 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/10/07 11:17:21 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/09/28 11:07:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/09/28 11:05:50 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/09/28 11:05:50 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/09/28 11:05:08 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/08/07 13:06:43 | 00,000,085 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/07/06 13:04:32 | 00,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2007/05/27 09:39:49 | 00,000,032 | ---- | C] () -- C:\WINDOWS\Autorun.INI
[2007/05/22 18:14:58 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/05/13 18:58:44 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2007/04/15 13:10:57 | 00,074,240 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/03/04 10:42:49 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/10/30 20:53:14 | 00,000,121 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/07/04 10:34:23 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006/06/19 20:03:47 | 00,000,125 | -HS- | C] () -- C:\Documents and Settings\hhhhhh\Application Data\.zreglib
[2006/03/22 00:48:21 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/11/17 16:55:52 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/10 10:17:41 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\nssckbi.dll
[2005/08/10 10:16:47 | 00,000,151 | ---- | C] () -- C:\WINDOWS\UPSWSHIP.INI
[2005/08/09 12:42:09 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\hhhhhh\Local Settings\Application Data\fusioncache.dat
[2005/07/21 08:31:30 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/21 07:52:34 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/07/21 07:52:20 | 00,000,302 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 13:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/04 07:00:00 | 00,095,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2003/12/17 06:19:00 | 00,005,743 | ---- | C] () -- C:\WINDOWS\UN021217.INI
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/11/12 18:50:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/12/15 06:20:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2007/08/07 13:06:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2008/01/24 15:09:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2009/12/02 22:43:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2007/01/27 20:59:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/02 00:46:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2007/11/29 20:23:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Acubix PicoBackup Outlook Express Edition
[2009/12/06 00:06:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Desktopicon
[2008/11/23 22:14:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\DVDFab
[2006/08/09 12:17:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Elaborate Bytes
[2006/03/07 15:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Leadertech
[2006/06/07 21:21:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Musicmatch
[2009/10/17 22:26:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\PDF reDirect
[2007/07/06 13:10:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\PDFill
[2008/12/15 14:05:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Photo! Web Album
[2008/01/02 20:26:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Quark
[2006/06/19 20:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\SlySoft
[2006/03/05 14:17:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Snapfish
[2007/01/27 20:59:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Viewpoint
[2009/04/20 20:56:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\Vso
[2006/12/02 23:30:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hhhhhh\Application Data\WinPatrol
[2009/12/16 23:27:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/04 07:00:00 | 00,095,360 | ---- | M] () MD5=AEE97DE2F477CD3FEF869004103D01EA -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

< >

< reg query HKLM\SYSTEM\CurrentControlSet\Services\atapi /v ImagePath /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\ATAPI
IMAGEPATH REG_EXPAND_SZ system32\Drivers\tsk_atapi.sys

========== Files - Unicode (All) ==========
[2007/10/31 12:45:10 | 00,042,496 | ---- | M] ()(C:\Documents and Settings\hhhhhh\My Documents\????? ????? ??? ????? ???? ?.doc) -- C:\Documents and Settings\hhhhhh\My Documents\הרבעש הנשבש יפל גאדומ ינאו ה.doc
[2007/10/31 10:32:14 | 00,042,496 | ---- | C] ()(C:\Documents and Settings\hhhhhh\My Documents\????? ????? ??? ????? ???? ?.doc) -- C:\Documents and Settings\hhhhhh\My Documents\הרבעש הנשבש יפל גאדומ ינאו ה.doc
< End of report >


MBR Log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys tsk_atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK



Thanking you very much
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » December 22nd, 2009, 9:10 pm

Hi lamedemem,

Please perform the below to update Java and check for leftovers. :)


Update Java

Older versions of Java may have vulnerabilities that can be exploited by malware.
Please follow the steps below to update the Java Runtime Environment

Download and install newest version:

  • Click here to visit Sun Java download page
  • Scroll down the page a bit and click Image under Image
  • Select your platform and agree to the license agreement (after having read it, of course) by clicking the checkbox. Click Continue.
  • Click the link (jre-6u17-windows-i586-p.exe) under Available Files and download the offline installer to your desktop.
  • Close any programs you may have running, including web browsers.
  • From your desktop, double-click on the download to install the newest version.
  • Reboot your computer.


Remove older version(s):

  • Click Start, click Run...
  • Type appwiz.cpl and click OK
  • For each of the Java installations listed below, highlight them in the list and click Remove

    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 5
  • Click here to download JavaRa and save it to your desktop
  • Extract JavaRa.zip to your Desktop
  • Double-click JavaRa.exe to start JavaRa
  • Choose language in the drop-down menu, then click Select
  • In the new JavaRa window click Remove Older Versions to remove leftovers from uninstalls
  • Click Yes in the dialog box that pops up to uninstall
  • Close all browser windows (you will get a warning from JavaRa)
  • Click OK in the dialog box that pops up to open the log. Close the log. It is saved in the root of the Windows drive (i.e. C:\)


Update and Scan with MalwareBytes'

  • Start MalwareBytes' Anti-Malware (MBAM)
  • Click the Update tab, then click Check for Updates button
  • Allow MBAM to check for and download updates, then click OK
  • Click the Scanner tab and select (tick) Perform quick scan
  • Click Scan to start the scan.
  • When it finishes, click OK in the window that pops up and then click Show Results in the main window
  • Ensure that all items are checked and click Remove Selected.
  • When the removal is complete, a logfile will open. Please copy and paste the entire contents of the logfile in your next reply. See NOTE below
  • If necessary, the logfile can also be accessed by running Malwarebytes' and clicking the Log tab. Double-click the current log to open it.
NOTE: If Malwarebytes' encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let it proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent Malwarebytes' from removing all the malware.


ESET Online Scanner

Note: You will need to disable your Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Please include the MalwareBytes' log and the ESET log in your next reply.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: redirected from google search

Unread postby shinybeast » December 28th, 2009, 11:50 pm

From PM

lamedemem wrote: Hi, sorry I was away

Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/27/2009 10:30:51 PM
mbam-log-2009-12-27 (22-30-51).txt

Scan type: Quick Scan
Objects scanned: 131923
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks. I ran the ESET scan yesterday as you asked; it found 3 infections, but I made a mistake and removed the program before I saved the log. What should I do now?
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: redirected from google search

Unread postby lamedmem » December 29th, 2009, 12:57 am

What should I do next?
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » December 29th, 2009, 1:15 am

Hi lamedemem,


Backup Registry With ERUNT

Before we make changes to the registry, we need to back it up.

  • Start ERUNT (Start > All Programs > ERUNT > ERUNT)
  • Click OK at the Welcome dialog box
  • Ensure the System Registry and Current User Registry boxes are checked and click OK to back up the registry to the default location and filename.
  • A window should appear that says "Registry backup is complete!" Click OK in that window.

IMPORTANT: If you do not complete ERUNT backup successfully, do not continue further and post back to let me know.


Create and Run a Batch File

Please open Notepad. (Start > Run..., type "notepad" and click OK)
Click Format in the menu bar and ensure Word Wrap is not checked.
Then, copy the entire contents of the code box below and paste it into Notepad.

Code: Select all
@echo off
copy /y C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys C:\WINDOWS\System32\drivers\atapi.sys > result.txt 2>>&1
reg add HKLM\SYSTEM\CurrentControlSet\Services\atapi /v ImagePath /t REG_EXPAND_SZ /d System32\drivers\atapi.sys /f >> result.txt 2>>&1
sc stop CA_LIC_CLNT >> result.txt 2>>&1
sc config CA_LIC_CLNT start= disabled >> result.txt 2>>&1
start result.txt
del %0


Then click File and Save As...
Save the file to your Desktop as "runme.bat" (You must include the quotes!)
Locate runme.bat on your Desktop and double-click it to execute the batch file
When it has completed, a text file named result.txt should open.
NOTE: If WinPatrol warns you of any changes after running runme.bat, please allow them.


TFC (Temp File Cleaner)

  • Click here to download TFC by OldTimer and save it to your desktop.
    NOTE: Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

Note: TFC should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


ESET Online Scanner

Note: You will need to disable your Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please copy and paste the entire contents of result.txt, the ESET log and a new HijackThis log in your next reply.
Also, please inform me of how the computer is running. :)
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)
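
The batch file in the post above restores a clean atapi.sys and repoints the service entry, but a responder also wants a way to confirm the state of the driver before and after such a fix. The PowerShell script below is an added example written for this thread, not code from shinybeast or MalwareRemoval.com: it hashes the three atapi.sys copies that the OTL custom scan listed, reads the version information and embedded signature of each, and reports the atapi service's ImagePath, warning when the live driver carries no company name or the ImagePath points anywhere other than drivers\atapi.sys. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the paths and MD5 values are the ones from the OTL output earlier in the thread, so on a different machine the SoftwareDistribution and i386 copies will simply be reported as missing.

```powershell
# Added example (not shinybeast's script): cross-check the copies of atapi.sys
# the way the OTL custom scan did, and confirm where the atapi service actually
# loads its driver from. Assumes PowerShell 4.0+ (Get-FileHash) and an elevated
# prompt. Reference MD5 values and paths are taken from the OTL log in this thread.

$ErrorActionPreference = 'Stop'

# Copies that OTL listed for this machine; the drivers\ path is the live one.
$Candidates = @(
    "$env:SystemRoot\System32\drivers\atapi.sys",
    "$env:SystemDrive\i386\atapi.sys",
    "$env:SystemRoot\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys"
)

# MD5 values from the OTL output, tagged with what OTL reported about each copy.
$KnownHashes = @{
    '9F3A2F5AA6875C72BF062C712CFA2674' = 'Microsoft copy (SoftwareDistribution, 96,512 bytes)'
    'CDFE4411A69C224BD1D11B2DA92DAC51' = 'Microsoft copy (i386, 95,360 bytes)'
    'AEE97DE2F477CD3FEF869004103D01EA' = 'copy with no company name in drivers\ (treat as suspect)'
}

function Get-DriverCopyReport {
    param([string[]]$Paths, [hashtable]$Known)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; MD5 = $null; Company = $null; Signature = $null; Note = 'missing' }
            continue
        }
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $info = (Get-Item -LiteralPath $p).VersionInfo
        # Embedded Authenticode only: genuine Windows drivers are usually catalog-signed,
        # so older systems may report NotSigned here. Use it as supporting evidence, not a verdict.
        $sig  = (Get-AuthenticodeSignature -FilePath $p).Status
        $note = if ($Known.ContainsKey($md5)) { $Known[$md5] } else { 'hash not in reference list' }
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            MD5       = $md5
            Company   = $info.CompanyName
            Signature = $sig
            Note      = $note
        }
    }
}

function Get-AtapiImagePath {
    # The OTL "reg query" in this thread showed this value pointing at tsk_atapi.sys.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\atapi'
    (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
}

$report = Get-DriverCopyReport -Paths $Candidates -Known $KnownHashes
$report | Format-Table -AutoSize

$imagePath = Get-AtapiImagePath
Write-Host "atapi ImagePath: $imagePath"

# Flag the two conditions that the thread's batch file corrects.
$live = $report | Where-Object { $_.Path -like '*\System32\drivers\atapi.sys' }
if ($live.Exists -and [string]::IsNullOrEmpty($live.Company)) {
    Write-Warning 'Live atapi.sys carries no company/version information; compare its hash with the i386 copy.'
}
if ($imagePath -notmatch '(?i)\\drivers\\atapi\.sys$') {
    Write-Warning "Service ImagePath does not point at drivers\atapi.sys (found: $imagePath)."
}
```

On the machine in this thread the script would print the three rows OTL showed, with the drivers\ copy matching the "suspect" hash and an empty Company column, and would warn that the ImagePath resolves to tsk_atapi.sys; after the batch file runs, the live copy should hash to one of the Microsoft values and both warnings should disappear. The script only reads files and registry values and changes nothing, so it is safe to run before and after the fix.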

Re: redirected from google search

Unread postby lamedmem » December 30th, 2009, 12:02 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dc3790b46a14594cbcf047149a571597
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-29 07:52:15
# local_time=2009-12-29 02:52:15 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1343700 1343700 0 0
# compatibility_mode=1024 16777191 100 0 3913281 3913281 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=200503
# found=2
# cleaned=0
# scan_time=6391
C:\Documents and Settings\hhhhhh\Desktop\Unused Desktop Shortcuts\mail 2000\Inbox.dbx multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\hhhhhh\Desktop\Unused Desktop Shortcuts\mail 2000\Sent Items.dbx Win32/Bagle.BA worm 00000000000000000000000000000000 I
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » December 30th, 2009, 5:10 pm

Hi lamedemem,

Were you able to do the following steps from my previous post?

Backup Registry With ERUNT

Create and Run a Batch File

If you were able to do them, please post the contents of result.txt and a new HijackThis log.

If you were not able to do them, please let me know.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: redirected from google search

Unread postby lamedmem » December 30th, 2009, 8:58 pm

Sorry

Result log

1 file(s) copied.

The operation completed successfully
[SC] ControlService FAILED 1062:

The service has not been started.


[SC] ChangeServiceConfig SUCCESS

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:04 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ViVL: Save Pictures... - C:\Program Files\ViVL.COM\vivlWebSaverImage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ViVL Web Picture Saver - {D3B9FE31-191E-443B-9E43-D0D0DF53F3C2} - C:\Program Files\ViVL.COM\vivlWebSaverBar.html
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://nigel.viewnetcam.com:81/kxhcm10.ocx
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://208.125.27.194/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3612711456
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/Rite ... Online.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/ ... 0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate FreeAgent Theater (FreeAgentTheater Service) - Seagate Technology LLC - C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 11407 bytes
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » December 31st, 2009, 10:34 am

Hi lamedmem,


Infected Email

ESET scan flagged several infected email messages in these files.

C:\Documents and Settings\hhhhhh\Desktop\Unused Desktop Shortcuts\mail 2000\Inbox.dbx
C:\Documents and Settings\hhhhhh\Desktop\Unused Desktop Shortcuts\mail 2000\Sent Items.dbx

There is no easy way to determine which email messages are infected. Unless there is something in there that you need to save, I suggest you delete those files.


HijackThis

Start HijackThis and select Do a system scan only
Place a check next to the lines listed below and Close all windows except for HijackThis
Click Fix checked:

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe


Close HijackThis and reboot the computer.

After reboot, please post a new HijackThis log and please tell me how the computer is running.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)
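The three lines the helper asks to fix above share two traits that are easy to check mechanically: two of them reference a CLSID whose backing file no longer exists ("(no file)"), and the third is an O16 Download Program File entry that pulls a bare .exe from a third-party host rather than a signed .cab or .ocx. The script below is an added example, not part of this thread and not HijackThis's own code; it parses a handful of constructed log lines modelled on entries in this thread and flags those two conditions. The function names, the sample log and the heuristics are assumptions made for illustration, and a flagged line is a prompt for a human to look, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis log format (hypothetical excerpt, modelled
# on the entries discussed in this thread; not a complete or real log).
SAMPLE_LOG = """\
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\\Program Files\\AVG\\AVG9\\avgwdsvc.exe
"""


@dataclass
class HjtEntry:
    section: str            # "O2", "O16", "R1", ...
    description: str        # everything between the section tag and the target
    clsid: Optional[str]    # first {GUID} found in the description, if any
    target: str             # file path, URL or the literal "(no file)"
    raw: str


# A log line starts with a section tag (Onn or Rn) followed by " - ".
LINE_RE = re.compile(r'^(O\d+|R\d+)\s+-\s+(.*)$')
# 8-4-4-4-12 hex digits plus four hyphens = 36 characters inside the braces.
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HijackThis line into section, description, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    # The target (path, URL or "(no file)") is whatever follows the last " - ".
    head, sep, target = rest.rpartition(' - ')
    if not sep:
        head, target = rest, ''
    c = CLSID_RE.search(head)
    return HjtEntry(section, head, c.group(0) if c else None, target.strip(), line.rstrip())


def parse_log(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def suspicious_reasons(e: HjtEntry) -> List[str]:
    """Return the (heuristic) reasons an entry deserves a closer look."""
    reasons = []
    # A CLSID that still has registry hooks but no file on disk is an
    # orphaned (or deliberately removed) component; HijackThis can fix it.
    if e.target.lower() == '(no file)':
        reasons.append('orphaned registry entry (no file)')
    # O16 entries are Download Program Files (ActiveX). A legitimate control
    # ships as a .cab/.ocx/.dll; a raw .exe pulled from the web is unusual.
    if e.section == 'O16':
        url = e.target.split('?', 1)[0].lower()
        if url.endswith('.exe'):
            reasons.append('Download Program File points at a bare .exe')
    return reasons


def flag_entries(text: str) -> List[Tuple[HjtEntry, List[str]]]:
    """Parse a log and return every entry with at least one reason attached."""
    flagged = []
    for e in parse_log(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == '__main__':
    for entry, reasons in flag_entries(SAMPLE_LOG):
        print(f'{entry.section:4} {entry.clsid or "-":40} {", ".join(reasons)}')
        print(f'     {entry.raw}')
```

Run against the constructed sample it reports exactly the three entries the helper listed; everything with a real file path or a .cab/.ocx URL passes. The "(no file)" test is safe to automate because HijackThis itself resolved the path; the O16 rule is only a tripwire, since a vendor could legitimately host an .exe, so a hit should be checked against the CLSID and host before anything is removed.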

Re: redirected from google search

Unread postby lamedmem » December 31st, 2009, 12:11 pm

The files you asked me to delete are saved files from a previous computer. I may need some of them; what can I do?

I did what you asked and ran another scan. The computer seems to be running about the same.

log as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:47 AM, on 12/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ViVL: Save Pictures... - C:\Program Files\ViVL.COM\vivlWebSaverImage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ViVL Web Picture Saver - {D3B9FE31-191E-443B-9E43-D0D0DF53F3C2} - C:\Program Files\ViVL.COM\vivlWebSaverBar.html
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://nigel.viewnetcam.com:81/kxhcm10.ocx
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - https://208.125.27.194/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3612711456
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/Rite ... Online.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/ ... 0.0.10.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate FreeAgent Theater (FreeAgentTheater Service) - Seagate Technology LLC - C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 10895 bytes
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » January 2nd, 2010, 11:24 pm

Hi lamedmem,

I haven't forgotten about you. I am trying to discover the best way to clean the infected email archives. I hope to reply with a solution soon.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: redirected from google search

Unread postby shinybeast » January 3rd, 2010, 10:36 pm

Hi lamedmem,

Let's try to find out which emails are infected. There doesn't seem to be an easy way to do it.

Windows OneCare Safety Scanner

Using Internet Explorer visit http://onecare.live.com/site/en-za/default.htm?mkt=en-za
  • Click Full Service Scan button
  • Another window will open and will download scanning tools.
  • After completion it will ask to Choose a scan
  • Click the customize... link under Complete scan
  • Uncheck everything under Performance and Network Safety
  • Under Protection click the Select folders... link
  • A directory tree of your hard drive(s) will open.
  • Expand C: (click "+" next to it)
  • Continue to expand the folders from the path below until you get to mail 2000
    C:\Documents and Settings\hhhhhh\Desktop\Unused Desktop Shortcuts\mail 2000
  • Place a check next to only the mail 2000 folder.
  • Click Next and more tools will then be downloaded.
  • Once that is complete, the scan will start.
  • Once the scan is complete the scanner will hopefully list the infected emails.
  • If it says which ones are infected, write down all the info about the emails before clicking next as OneCare most likely will not be able to clean them automatically.
  • Once you have the information about which emails are infected, open the archives with Outlook and find and delete infected emails. (Also, you should delete any other emails you do not need to help remove possibly infected ones.)
  • After infected emails are deleted, compact and save the archives.


After deleting the emails, repeat the OneCare scan on the "mail 2000" folder as above to check if you've deleted all the infected emails.

Let me know if you have any questions and how the process works out.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)

Re: redirected from google search

Unread postby lamedmem » January 4th, 2010, 12:46 am

Thank you, I did the scan and it said congratulations, no threats found on your computer.
lamedmem
Regular Member
 
Posts: 15
Joined: December 2nd, 2009, 9:57 pm

Re: redirected from google search

Unread postby shinybeast » January 4th, 2010, 4:23 pm

Hi lamedmem,


OTL Cleanup

Please run OTL which should still be on your desktop
In the upper right click CleanUp
This will delete OTL and will clean up after it.


Delete Tools
Delete the randomly named GMER .exe file from your desktop. It looks like this: [image]
Delete TDSSKiller.exe and mbr.exe as well.


Defogger

Close running programs and save work as a reboot will be required. Defogger should still be on your desktop. If it is not, please download it from here

  • Double-click Defogger.exe to run the tool
  • In the window that opens click Re-enable
  • It will ask if you want to continue; click Yes
  • Click OK at the Finished! popup.
  • Click OK to reboot the computer.
    NOTE: If the computer does not reboot automatically, please reboot manually

After the reboot, delete defogger.exe.


Create a new System Restore point and clear old ones

Please clear old restore points in order to avoid reintroducing malware from a restore point in the future.

Create a new restore point
  • Navigate to Start > All Programs > Accessories > System Tools and click System Restore
  • On the right side of the welcome window, select (tick) Create a restore point, then click Next
  • Under Restore point description, name the restore point (I suggest post-malware removal or something similar)
  • Click Create, then click Close

Delete old restore points
  • Click Start, click Run..., type cleanmgr and press Enter
  • Select the drive XP is installed on (usually C: ) and click OK
  • Once the Disk Cleanup dialog opens, click the More Options tab
  • Under System Restore click Clean up...
  • You will be asked if you are sure you want to clean all restore points but the most recent one, click Yes
  • Close the Disk Cleanup dialog to finish.
Note: Do the above once. Restore points should not be routinely deleted.


Implementing the following suggestions will greatly reduce your chances of malware problems in the future.


Update Windows

It is important to keep Windows and Microsoft programs updated to close vulnerabilities as they are discovered.

You are running Service Pack 2. Unless you have reason not to install Service Pack 3, I suggest you install it by visiting Microsoft Update as described below.

Close all windows and temporarily disable your anti-virus (usually through a tray icon)

Use Internet Explorer to visit this site: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-US

Once the page loads follow instructions to install Service Pack 3 and all critical updates. You may need to repeat this process until fully updated.


Keep installed programs up to date

Anti-virus
Most important is keeping your anti-virus software up to date. An out of date anti-virus is not much better than no anti-virus. If your anti-virus is not set to update automatically (preferred), it is imperative that you occasionally update it manually. You usually can accomplish this through a tray icon.

Update Other Vulnerable Software
Malware writers are increasingly targeting vulnerabilities in commonly used applications. There are several online sites which will scan your computer for outdated software. I've listed two below. I recommend occasionally visiting and scanning your computer to detect vulnerable software that should be updated.
F-Secure Health Check - requires Internet Explorer
Secunia Online Software Inspector


Best Practices for Email and Downloaded Files.

  • Do not read emails from unknown sources.
  • Make it a habit to never open email attachments from anyone, including people you know, unless you absolutely have to. If you need to open an attachment, scan it with your anti-virus before you open it.
  • Do not use Peer to Peer software to "share" media and software. You will get more than you expected and the "bonus" will not be something you want and will bring you back seeking help.
  • Do not use keygens or hacked software. First, it is stealing. Second, it is almost always infected with something. If you cannot afford to buy something, there is likely a free alternative that will be a good substitute. Search around and seek out advice from a trusted forum. Most will be glad to tell you of their favorite free program that performs the job you want done.


Additional Protection Programs

The programs listed below are excellent for improving your computer's security.

WinPatrol by Bill Pytlovany - "WinPatrol is a multi-purpose utility designed to increase performance and protect against unwanted changes." Information on its many features can be found here

MVPS Hosts file - A replacement HOSTS file that redirects known malicious and ad serving sites to the localhost, thus preventing connection to them.
Note: MVPS Hosts file can sometimes slow down the computer so read the information on the site to mitigate this effect.

I encourage you to check out Tony Klein's article "How did I get infected in the first place?"
and miekiemoes' article "How to prevent Malware:"

If you have any questions about these suggestions, I would be happy to answer them.

Regards,
shinybeast

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
shinybeast
Retired Graduate
 
Posts: 1187
Joined: October 29th, 2008, 6:56 pm
Location: -5 hrs GMT (EST)