Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Redirect Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Redirect Malware

Unread postby JoeC » March 9th, 2011, 5:50 pm

Hello,

I have a very annoying little malware hiding somewhere in my computer that hijacks any link I click on and redirects me to advertisement sites. The initial redirect is to yafraudcheckonline.com which bounces me to some other site. It will always randomly open a new window and take me to sites while I'm online. Avast! doesn't even show there's an infection, nor does MalwareBytes. I've read a post from someone with the same problem but they were running Windows7 and I'm using XP Media Center Edition. I have a MBRCheck log ready as well, here's the DDS

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by HP_Administrator at 16:31:29.04 on Wed 03/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.406 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [CE8SIIFGSU] c:\windows\temp\Kdh.exe
dRun: [fmdvugru] c:\windows\temp\rtohdowlp\msnuebbhmof.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111v2\WN111V2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: {B836BCE7-53A9-4AC1-B21C-BC44A2B2BDC2} = 192.168.100.11,192.168.100.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\h1fnazoe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-18 357968]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-18 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-18 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-18 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]
R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [2009-1-14 458752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2008-12-13 133104]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-4-16 36608]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wn111v2\jswpsapi.exe [2008-2-27 360547]
.
=============== Created Last 30 ================
.
2011-03-01 06:14:52 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\SecondLife
2011-03-01 06:14:05 -------- d-----w- c:\program files\SecondLifeViewer2
2011-02-25 20:57:25 -------- d-----w- c:\program files\Drop Down Deals
2011-02-25 20:57:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-02-18 16:43:56 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-18 07:38:08 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys
2011-02-18 07:37:56 -------- d-----w- c:\program files\Atheros
2011-02-18 07:21:37 357968 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-18 07:21:09 38848 ----a-w- c:\windows\avastSS.scr
2011-02-18 07:20:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-18 06:40:20 -------- d-----w- c:\program files\Perfect Uninstaller
.
==================== Find3M ====================
.
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200820AS rev.3.AHG -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8615F5DC]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x861657b8]; MOV EAX, [0x86165834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86099AB8]
3 CLASSPNP[0xF7610FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000080[0x861E0F18]
5 ACPI[0xF7487620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x860C8940]
\Driver\atapi[0x86126F38] -> IRP_MJ_CREATE -> 0x8615F5DC
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskST3200820AS_____________________________3.AHG___#5&320f6b24&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8615F422
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:32:58.82 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/27/2010 6:30:06 AM
System Uptime: 3/9/2011 3:37:38 AM (13 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Pyrite
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2004/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 177 GiB total, 103.242 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 0.575 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 466 GiB total, 458.037 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AVG miniport driver
Device ID: ROOT\GR_AVGFWMP\0001
Manufacturer: AVG Technologies
Name: WAN Miniport (IPX) - AVG miniport driver
PNP Device ID: ROOT\GR_AVGFWMP\0001
Service: Avgfwdx
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AVG miniport driver
Device ID: ROOT\GR_AVGFWMP\0002
Manufacturer: AVG Technologies
Name: Microsoft TV/Video Connection - AVG miniport driver
PNP Device ID: ROOT\GR_AVGFWMP\0002
Service: Avgfwdx
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AVG miniport driver
Device ID: ROOT\GR_AVGFWMP\0003
Manufacturer: AVG Technologies
Name: NVIDIA nForce Networking Controller - AVG miniport driver
PNP Device ID: ROOT\GR_AVGFWMP\0003
Service: Avgfwdx
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AVG miniport driver
Device ID: ROOT\GR_AVGFWMP\0004
Manufacturer: AVG Technologies
Name: WAN Miniport (IP) - AVG miniport driver
PNP Device ID: ROOT\GR_AVGFWMP\0004
Service: Avgfwdx
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AVG miniport driver
Device ID: ROOT\GR_AVGFWMP\0005
Manufacturer: AVG Technologies
Name: HP EN1207D-TX PCI 10/100 Fast Ethernet Adapter - AVG miniport driver
PNP Device ID: ROOT\GR_AVGFWMP\0005
Service: Avgfwdx
.
==== System Restore Points ===================
.
RP382: 12/9/2010 5:54:05 PM - System Checkpoint
RP383: 12/10/2010 6:42:29 PM - System Checkpoint
RP384: 12/11/2010 7:38:51 PM - System Checkpoint
RP385: 12/12/2010 8:38:51 PM - System Checkpoint
RP386: 12/13/2010 9:38:51 PM - System Checkpoint
RP387: 12/14/2010 10:45:36 PM - System Checkpoint
RP388: 12/15/2010 11:38:53 PM - System Checkpoint
RP389: 12/16/2010 3:00:26 AM - Software Distribution Service 3.0
RP390: 12/17/2010 3:11:29 AM - System Checkpoint
RP391: 12/18/2010 4:49:57 AM - System Checkpoint
RP392: 12/19/2010 5:29:23 AM - System Checkpoint
RP393: 12/20/2010 5:46:19 AM - System Checkpoint
RP394: 12/21/2010 6:54:59 AM - System Checkpoint
RP395: 12/22/2010 7:28:23 AM - System Checkpoint
RP396: 12/23/2010 8:25:10 AM - System Checkpoint
RP397: 12/24/2010 9:25:11 AM - System Checkpoint
RP398: 12/25/2010 10:26:15 AM - System Checkpoint
RP399: 12/26/2010 11:26:15 AM - System Checkpoint
RP400: 12/27/2010 12:25:12 PM - System Checkpoint
RP401: 12/28/2010 4:37:50 PM - System Checkpoint
RP402: 12/29/2010 5:51:05 PM - System Checkpoint
RP403: 12/30/2010 6:24:38 PM - System Checkpoint
RP404: 12/31/2010 7:12:23 PM - System Checkpoint
RP405: 1/2/2011 6:13:29 AM - System Checkpoint
RP406: 1/3/2011 7:12:23 AM - System Checkpoint
RP407: 1/4/2011 8:12:24 AM - System Checkpoint
RP408: 1/5/2011 9:12:23 AM - System Checkpoint
RP409: 1/6/2011 9:29:35 AM - System Checkpoint
RP410: 1/7/2011 10:19:52 AM - System Checkpoint
RP411: 1/8/2011 10:20:59 AM - System Checkpoint
RP412: 1/9/2011 11:19:52 AM - System Checkpoint
RP413: 1/10/2011 11:30:05 AM - System Checkpoint
RP414: 1/11/2011 12:44:53 PM - System Checkpoint
RP415: 1/12/2011 1:30:05 PM - System Checkpoint
RP416: 1/12/2011 2:02:35 PM - Software Distribution Service 3.0
RP417: 1/13/2011 2:45:57 PM - System Checkpoint
RP418: 1/14/2011 3:33:42 PM - System Checkpoint
RP419: 1/15/2011 4:52:02 PM - System Checkpoint
RP420: 1/16/2011 5:46:57 PM - System Checkpoint
RP421: 1/17/2011 7:41:20 PM - System Checkpoint
RP422: 1/18/2011 8:03:27 PM - System Checkpoint
RP423: 1/19/2011 8:32:28 PM - System Checkpoint
RP424: 1/20/2011 9:32:28 PM - System Checkpoint
RP425: 1/21/2011 9:57:39 PM - System Checkpoint
RP426: 1/23/2011 11:26:40 PM - System Checkpoint
RP427: 1/25/2011 1:17:27 AM - System Checkpoint
RP428: 1/26/2011 1:58:13 AM - System Checkpoint
RP429: 1/27/2011 4:12:49 AM - System Checkpoint
RP430: 1/28/2011 4:58:13 AM - System Checkpoint
RP431: 1/29/2011 5:09:13 AM - System Checkpoint
RP432: 1/30/2011 5:55:48 AM - System Checkpoint
RP433: 1/31/2011 6:55:47 AM - System Checkpoint
RP434: 2/1/2011 7:55:47 AM - System Checkpoint
RP435: 2/2/2011 8:55:47 AM - System Checkpoint
RP436: 2/3/2011 10:05:56 AM - System Checkpoint
RP437: 2/4/2011 11:05:54 AM - System Checkpoint
RP438: 2/5/2011 12:05:54 PM - System Checkpoint
RP439: 2/6/2011 1:05:53 PM - System Checkpoint
RP440: 2/7/2011 1:48:18 PM - System Checkpoint
RP441: 2/8/2011 2:25:40 PM - System Checkpoint
RP442: 2/9/2011 3:25:41 PM - System Checkpoint
RP443: 2/9/2011 9:19:13 PM - Software Distribution Service 3.0
RP444: 2/10/2011 10:11:05 PM - System Checkpoint
RP445: 2/11/2011 11:10:58 PM - System Checkpoint
RP446: 2/13/2011 12:10:57 AM - System Checkpoint
RP447: 2/14/2011 12:56:02 AM - System Checkpoint
RP448: 2/15/2011 2:29:17 PM - System Checkpoint
RP449: 2/16/2011 4:43:14 PM - System Checkpoint
RP450: 2/17/2011 6:19:06 PM - System Checkpoint
RP451: 2/18/2011 12:40:35 AM - Installed AVG 2011
RP452: 2/18/2011 12:40:42 AM - Removed AVG 2011
RP453: 2/18/2011 1:10:40 AM - Removed AVG 2011
RP454: 2/18/2011 1:31:36 AM - Installed AVG 2011
RP455: 2/18/2011 1:34:32 AM - Installed AVG 2011
RP456: 2/18/2011 1:34:38 AM - Removed AVG 2011
RP457: 2/18/2011 2:20:48 AM - avast! Pro Antivirus Setup
RP458: 2/18/2011 2:32:24 AM - Configured RangeMax Wireless-N USB Adapter WN111v2
RP459: 2/18/2011 2:37:10 AM - Installed RangeMax Wireless-N USB Adapter WN111v2
RP460: 2/19/2011 5:37:59 AM - System Checkpoint
RP461: 2/20/2011 6:31:18 AM - System Checkpoint
RP462: 2/21/2011 7:02:52 AM - System Checkpoint
RP463: 2/22/2011 7:03:49 AM - System Checkpoint
RP464: 2/23/2011 7:08:25 AM - System Checkpoint
RP465: 2/24/2011 7:55:26 AM - System Checkpoint
RP466: 2/25/2011 7:57:54 AM - System Checkpoint
RP467: 2/26/2011 8:29:33 AM - System Checkpoint
RP468: 2/27/2011 8:41:53 AM - System Checkpoint
RP469: 2/28/2011 8:54:17 AM - System Checkpoint
RP470: 3/1/2011 8:58:04 AM - System Checkpoint
RP471: 3/2/2011 9:48:32 AM - System Checkpoint
RP472: 3/3/2011 10:21:51 AM - System Checkpoint
RP473: 3/4/2011 10:55:54 AM - System Checkpoint
RP474: 3/5/2011 11:55:54 AM - System Checkpoint
RP475: 3/6/2011 12:55:54 PM - System Checkpoint
RP476: 3/7/2011 4:00:37 PM - System Checkpoint
RP477: 3/8/2011 6:27:08 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.0.5
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Software Update
avast! Pro Antivirus
AVG PC Tuneup 2011
CamStudio
Codec Pack - All In 1 6.0.3.0
Connect
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
Enhanced Multimedia Keyboard Solution
Fraps (remove only)
FrostWire 4.21.3
gBurner
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Update
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 22
kuler
LightScribe 1.4.105.1
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft LifeCam
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Otto
PC Connectivity Solution
PDF Settings CS4
Perfect Uninstaller v6.3.3.8
Photoshop Camera Raw
PokerStars
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RangeMax Wireless-N USB Adapter WN111v2
Realtek High Definition Audio Driver
ROCKIT PRO DJ 4.0
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
SamsungConnectivityCableDriver
SecondLifeViewer2 (remove only)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Sierra Utilities
Skype™ 4.1
Sonic Express Labeler
Suite Shared Configuration CS4
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Updates from HP (remove only)
VLC media player 1.1.4
WebFldrs XP
WildTangent Web Driver
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WN111v2
Yahoo! Toolbar for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
3/7/2011 3:06:33 AM, error: Service Control Manager [7022] - The MSCamSvc service hung on starting.
3/7/2011 3:05:12 AM, error: Service Control Manager [7024] - The Routing and Remote Access service terminated with service-specific error 2 (0x2).
3/7/2011 3:05:11 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
3/7/2011 3:05:10 AM, error: RemoteAccess [20103] - Unable to load C:\WINDOWS\System32\iprtrmgr.dll.
3/7/2011 12:50:45 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
3/7/2011 12:48:45 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
3/7/2011 1:34:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/4/2011 3:54:11 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/4/2011 3:54:11 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
3/3/2011 7:21:11 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 30469A072EFC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm
Advertisement
Register to Remove

Re: Redirect Malware

Unread postby deltalima » March 9th, 2011, 5:59 pm

Checking your log - back soon.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby deltalima » March 9th, 2011, 6:45 pm

Hi JoeC,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you too.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    FrostWire 4.21.3


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Security Check
Please download Security Check ... by screen317. Save it to your desktop.
Alternate download site: Link 2
  1. Double click the SecurityCheck.exe icon to begin.
  2. Press the Space Bar when you see the "press any key to continue..." message.
    A Notepad results file will open automatically called checkup.txt
  3. Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
  4. Please copy/paste the entire contents of the checkup.txt file into your next reply.

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on the your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Please let me know if the computer is used for home or for business use.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby JoeC » March 9th, 2011, 7:03 pm

Thanks for helping, here are all the logs. This is my home computer.


Results of screen317's Security Check version 0.99.9
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Pro Antivirus
AVG PC Tuneup 2011
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
AVG PC Tuneup 2011
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 7.0.5
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\hp_administrator\desktop\file setup\1click\1 click dvd copy pro v3.3.5.0 + crack rezman1984\1 click dvd copy pro v3.3.5.0 setup.exe
c:\documents and settings\hp_administrator\desktop\file setup\1click\1 click dvd copy pro v3.3.5.0 + crack rezman1984\readme first!!!.txt
c:\documents and settings\hp_administrator\desktop\file setup\1click\1 click dvd copy pro v3.3.5.0 + crack rezman1984\rez! crack\1clickdvdcopypro.exe
c:\documents and settings\hp_administrator\desktop\file setup\photoshop\adobe photoshop cs4 extended\crack\activation blocker.cmd
c:\documents and settings\hp_administrator\desktop\file setup\photoshop\adobe photoshop cs4 extended\crack\amtlib.dll (x64)\amtlib.dll
c:\documents and settings\hp_administrator\my documents\downloads\avast! pro av + is 5.0.677 final + crack (till 2025) [rh]\avast.proav.is.5.0.677_[rh].rar
c:\documents and settings\hp_administrator\my documents\downloads\avg pc tuneup 2011 v10.0.0.22 final software + crack\avg pc tuneup 2011 v10.0.0.22 final software + crack.rar
c:\documents and settings\hp_administrator\my documents\downloads\avg pc tuneup 2011 v10.0.0.22 final software + crack\~utorrentpartfile_84380c.dat
c:\documents and settings\hp_administrator\my documents\frostwire\saved\malwarebytes' anti-malware 1.44 keygen 1.1 [theorb666][h33t]\[info]+changelog.txt
c:\documents and settings\hp_administrator\my documents\frostwire\torrents\malwarebytes__039__anti_malware_1_44_keygen_v1_1_theorb666.torrent
hosts 127.0.0.1 activate.adobe.com
hosts 127.0.0.1 practivate.adobe.com
hosts 127.0.0.1 ereg.adobe.com
hosts 127.0.0.1 activate.wip3.adobe.com
hosts 127.0.0.1 wip3.adobe.com
hosts 127.0.0.1 3dns-3.adobe.com
hosts 127.0.0.1 3dns-2.adobe.com
hosts 127.0.0.1 adobe-dns.adobe.com
hosts 127.0.0.1 adobe-dns-2.adobe.com
hosts 127.0.0.1 adobe-dns-3.adobe.com
hosts 127.0.0.1 ereg.wip3.adobe.com
hosts 127.0.0.1 activate-sea.adobe.com
hosts 127.0.0.1 wwis-dubc1-vip60.adobe.com
hosts 127.0.0.1 activate-sjc0.adobe.com
scanner sequence 3.ZZ.11
----- EOF -----


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-9TCCK-JPCBM-B2FQ8
Windows Product Key Hash: B/IohRcCzV6LJrex8WpCdnxgTvg=
Windows Product ID: 76487-OEM-2211906-00803
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.med
ID: {6955B1D8-7222-466E-BDDB-0FD67C5D552F}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6955B1D8-7222-466E-BDDB-0FD67C5D552F}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B2FQ8</PKey><PID>76487-OEM-2211906-00803</PID><PIDType>2</PIDType><SID>S-1-5-21-704905762-12611631-4051743828</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>RC677AA-ABA s7627c</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 3.05</Version><SMBIOSVersion major="2" minor="4"/><Date>20061101000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>97053DFF0184C068</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>HP Pavilion</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65548</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1010C:Compaq Computer Corporation|1010C:Compaq Computer Corporation|1010C:Hewlett-Packard Company|1005F:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm

Re: Redirect Malware

Unread postby deltalima » March 10th, 2011, 5:33 am

Hi JoeC,

You need to validate your copy of Windows.

Please visit this site and follow the instructions.

Cracked/Keygen related software detected!!!

While going through your logs I found out that you have downloaded various keygen/cracked software and that you are actively using it.

Our forum policy Here says we will not help people who use cracked or pirated software.
You likely got infected by using cracked software or visiting crack sites.
Hence, i would like you to remove all the crack/keygen applications that are present on your system, then run CKScanner again and post the new log.

NOTE: If you give me advice that the software/Keygens have been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.

No anti-virus

Now you have removed the unlicensed version of avast! Pro Antivirus you will need to install one of the following free antivirus programs.


Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Please run a new scan with MGADiag.exe and post the log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby JoeC » March 10th, 2011, 3:43 pm

Deltalima,

Everything's validated and the other software removed, my brother thinks he's a computer genius and could fix it with stuff he didn't have to pay for. I've downloaded, installed, and updated Security Essentials. It's scanning now, here's the updated MGA


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-9TCCK-JPCBM-B2FQ8
Windows Product Key Hash: B/IohRcCzV6LJrex8WpCdnxgTvg=
Windows Product ID: 76487-OEM-2211906-00803
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.med
ID: {6955B1D8-7222-466E-BDDB-0FD67C5D552F}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings:
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6955B1D8-7222-466E-BDDB-0FD67C5D552F}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B2FQ8</PKey><PID>76487-OEM-2211906-00803</PID><PIDType>2</PIDType><SID>S-1-5-21-704905762-12611631-4051743828</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>RC677AA-ABA s7627c</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 3.05</Version><SMBIOSVersion major="2" minor="4"/><Date>20061101000000.000000+000</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>97053DFF0184C068</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard Company</name><model>HP Pavilion</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65548</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1010C:Compaq Computer Corporation|1010C:Compaq Computer Corporation|1010C:Hewlett-Packard Company|1005F:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: HP PAVILION

OEM Activation 2.0 Data-->
N/A
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm

Re: Redirect Malware

Unread postby deltalima » March 10th, 2011, 3:54 pm

Hi JoeC,

Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures, if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby JoeC » March 11th, 2011, 1:27 pm

ComboFix 11-03-10.04 - HP_Administrator 03/11/2011 11:59:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.539 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\HP_Administrator\Application Data\Desktopicon
c:\documents and settings\HP_Administrator\Application Data\Desktopicon\eBay.ico
c:\documents and settings\HP_Administrator\Application Data\Desktopicon\uninst.exe
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\program files\Drop Down Deals
c:\program files\Drop Down Deals\YontooIEClient.dll
c:\program files\Internet Explorer\SET148.tmp
c:\program files\Internet Explorer\SET149.tmp
c:\program files\Internet Explorer\SET14B.tmp
c:\program files\Internet Explorer\SET1AF.tmp
c:\program files\Internet Explorer\SET1B0.tmp
c:\program files\Internet Explorer\SET1B1.tmp
C:\s
c:\windows\sv.ini
c:\windows\system32\system
D:\Autorun.inf
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GOOGLEUPDATEBETA
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-11 16:08 . 2011-03-11 16:09 -------- d-----w- C:\32788R22FWJFW.2.tmp
2011-03-11 08:14 . 2011-02-23 14:35 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48451504-293C-400A-955C-4257432FE391}\mpengine.dll
2011-03-11 07:52 . 2011-03-11 07:52 -------- d-----w- C:\32788R22FWJFW.1.tmp
2011-03-10 17:15 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-10 17:15 . 2011-03-11 16:11 -------- d-----w- C:\47ca7199bdfafb09e7a0fb8e7d43b304
2011-03-10 16:56 . 2011-03-10 17:12 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-10 16:36 . 2011-03-10 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-09 22:59 . 2011-03-09 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-02-18 16:43 . 2011-02-19 20:54 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-18 07:38 . 2007-12-14 09:31 57408 ----a-w- c:\windows\system32\drivers\wsimd.sys
2011-02-18 07:37 . 2011-02-18 07:37 -------- d-----w- c:\program files\Atheros
2011-02-18 07:20 . 2011-03-10 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-18 07:20 . 2011-02-18 07:20 -------- d-----w- c:\program files\Alwil Software
2011-02-18 06:40 . 2011-03-11 16:18 -------- d-----w- c:\program files\Perfect Uninstaller
2011-02-16 23:17 . 2011-02-16 23:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-02-16 23:15 . 2011-02-16 23:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 02:40 . 2010-12-05 21:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-01-28 02:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2004-08-10 04:00 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 04:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-08-28 08:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-28 08:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-10 04:00 730112 ------w- c:\windows\system32\lsasrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2009-11-4 1507431]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-7 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-7 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-02 14:02 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 06:19 77312 ------w- c:\windows\arpwrmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
2004-06-07 21:05 106496 ------w- c:\windows\system32\ftutil2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 20:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-14 03:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2009-07-24 20:05 762208 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Adobe\\Adobe Bridge\\Bridge.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"58932:TCP"= 58932:TCP:Pando Media Booster
"58932:UDP"= 58932:UDP:Pando Media Booster
"3724:TCP"= 3724:TCP:Blizz
"6112:TCP"= 6112:TCP:Blizz
"6113:TCP"= 6113:TCP:Blizz
"6114:TCP"= 6114:TCP:Blizz
"4000:TCP"= 4000:TCP:Blizz
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/1/2008 4:45 PM 57440]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/13/2008 12:46 PM 133104]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 11:10 AM 17149]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [4/16/2010 4:22 AM 36608]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [1/14/2009 2:23 AM 458752]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-13 12:21]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-13 12:21]
.
2011-03-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {B836BCE7-53A9-4AC1-B21C-BC44A2B2BDC2} = 192.168.100.11,192.168.100.1
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\h1fnazoe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
URLSearchHooks-{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - c:\program files\Celebrity Toolbar\tbhelper.dll
BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\Celebrity Toolbar\tbcore3.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Drop Down Deals\YontooIEClient.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Celebrity Toolbar\tbcore3.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Celebrity Toolbar\tbcore3.dll
HKLM-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-11 12:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drive\00\00?\0b\00\00?\00\00\00?\00?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2004)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\acs.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2011-03-11 12:22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-11 17:22
.
Pre-Run: 123,962,445,824 bytes free
Post-Run: 124,885,458,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - DF014362F868553810C03F58A10F4D3C
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm

Re: Redirect Malware

Unread postby deltalima » March 11th, 2011, 5:09 pm

Hi JoeC,

Did you uninstall adobe photoshop cs4 ?

It is important to save files to the location that I specify, Combofix should have been run from the Desktop.

TFC

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Please run Malwarebytes, update and then run a quick scan ad post the logs in your next reply

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby JoeC » March 12th, 2011, 12:20 am

Yes CS4 is gone, and sorry about the ComboFix I'll have everything to the letter from here out. Here's the logs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6028

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/11/2011 11:06:39 PM
mbam-log-2011-03-11 (23-06-39).txt

Scan type: Quick scan
Objects scanned: 165624
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL Extras logfile created on: 3/11/2011 11:09:07 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 505.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.45 Gb Total Space | 116.78 Gb Free Space | 65.81% Space Free | Partition Type: NTFS
Drive D: | 8.84 Gb Total Space | 0.57 Gb Free Space | 6.50% Space Free | Partition Type: FAT32
Drive J: | 465.76 Gb Total Space | 458.07 Gb Free Space | 98.35% Space Free | Partition Type: NTFS

Computer Name: JOE | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"58932:TCP" = 58932:TCP:*:Enabled:Pando Media Booster
"58932:UDP" = 58932:UDP:*:Enabled:Pando Media Booster
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3724:TCP" = 3724:TCP:*:Enabled:Blizz
"6112:TCP" = 6112:TCP:*:Enabled:Blizz
"6113:TCP" = 6113:TCP:*:Enabled:Blizz
"6114:TCP" = 6114:TCP:*:Enabled:Blizz
"4000:TCP" = 4000:TCP:*:Enabled:Blizz

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
"C:\Program Files\Adobe\Adobe Bridge\Bridge.exe" = C:\Program Files\Adobe\Adobe Bridge\Bridge.exe:*:Enabled:Adobe Bridge -- (Adobe Systems, Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{1341D838-719C-4A05-B50F-49420CA1B4BB}" = HP Boot Optimizer
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1C0E9C6B-D4D5-4D3C-8A10-F10A3E7BEEA5}" = WN111v2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 24
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36C97B5B-5593-45B8-B50E-DAD87036BD9D}" = Microsoft LifeCam
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F7AF7CD-E3D0-4C68-A3BA-C76C359B3AA8}" = LightScribe 1.4.105.1
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DAAD5187-62C5-4AD6-A526-803C18C4944D}" = HP Web Helper
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F80239D8-7811-4D5E-B033-0D0BBFE32920}" = HP DigitalMedia Archive
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"gBurner" = gBurner
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photosmart for Media Center PC" = HP Photosmart for Media Center PC
"HPOOVClient-9972322 Uninstaller" = Updates from HP (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1C0E9C6B-D4D5-4D3C-8A10-F10A3E7BEEA5}" = RangeMax Wireless-N USB Adapter WN111v2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PokerStars" = PokerStars
"PROPLUS" = Microsoft Office Professional Plus 2007
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"ROCKIT PRO DJ" = ROCKIT PRO DJ 4.0
"SAMSUNG CDMA Modem" = SAMSUNG CDMA Modem Driver Set
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"ShockwaveFlash" = Macromedia Flash Player 8
"Sierra Utilities" = Sierra Utilities
"VLC media player" = VLC media player 1.1.4
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/5/2011 10:55:14 AM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 10:55:14 AM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 11:25:02 AM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 11:25:02 AM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 12:25:14 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 12:25:14 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 12:59:02 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 12:59:02 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 2:12:14 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/5/2011 2:12:14 PM | Computer Name = JOE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The ARSVC service terminated unexpectedly. It has done this 1 time(s).

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The LightScribeService Direct Disc Labeling Service service terminated
unexpectedly. It has done this 1 time(s).

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The Atheros Configuration Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The MSCamSvc service terminated unexpectedly. It has done this 1
time(s).

Error - 3/11/2011 11:55:16 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/11/2011 11:58:01 PM | Computer Name = JOE | Source = RemoteAccess | ID = 20103
Description = Unable to load C:\WINDOWS\System32\iprtrmgr.dll.

Error - 3/11/2011 11:58:02 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/11/2011 11:58:03 PM | Computer Name = JOE | Source = Service Control Manager | ID = 7024
Description = The Routing and Remote Access service terminated with service-specific
error 2 (0x2).


< End of report >


OTL logfile created on: 3/11/2011 11:09:07 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 505.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.45 Gb Total Space | 116.78 Gb Free Space | 65.81% Space Free | Partition Type: NTFS
Drive D: | 8.84 Gb Total Space | 0.57 Gb Free Space | 6.50% Space Free | Partition Type: FAT32
Drive J: | 465.76 Gb Total Space | 458.07 Gb Free Space | 98.35% Space Free | Partition Type: NTFS

Computer Name: JOE | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
PRC - C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\arservice.exe (Microsoft)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (MSCamSvc) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (jswpsapi) -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe (Atheros Communications, Inc.)
SRV - (ARSVC) -- C:\WINDOWS\arservice.exe (Microsoft)


========== Driver Services (SafeList) ==========

DRV - (MpKsl5766fd0a) -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89E83101-2C86-447E-9E3D-FE1672F680D8}\MpKsl5766fd0a.sys (Microsoft Corporation)
DRV - (MpKsl07ac18d8) -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89E83101-2C86-447E-9E3D-FE1672F680D8}\MpKsl07ac18d8.sys (Microsoft Corporation)
DRV - (VX3000) -- C:\WINDOWS\system32\drivers\VX3000.sys (Microsoft Corporation)
DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys ()
DRV - (WN111v2) -- C:\WINDOWS\system32\drivers\WN111v2.sys (Atheros Communications, Inc.)
DRV - (JSWSCIMD) -- C:\WINDOWS\system32\drivers\jswscimd.sys (Atheros Communications, Inc.)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (sscdmdm) -- C:\WINDOWS\system32\drivers\sscdmdm.sys (MCCI Corporation)
DRV - (sscdmdfl) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys (MCCI Corporation)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\sscdbus.sys (MCCI Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
DRV - (HSXHWBS2) -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSX_DP) -- C:\WINDOWS\system32\drivers\HSX_DP.sys (Conexant Systems, Inc.)
DRV - (ftsata2) -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys (Promise Technology, Inc.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (bb-run) -- C:\WINDOWS\system32\DRIVERS\bb-run.sys (Promise Technology, Inc.)
DRV - (DNINDIS5) -- C:\WINDOWS\system32\DNINDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:33440

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:33440



IE - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
IE - HKU\S-1-5-21-704905762-12611631-4051743828-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-704905762-12611631-4051743828-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/10 11:39:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/10 11:39:36 | 000,000,000 | ---D | M]

[2011/02/17 23:25:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2011/03/10 14:37:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\h1fnazoe.default\extensions
[2011/02/21 23:31:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\h1fnazoe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/19 04:13:26 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\h1fnazoe.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/10 14:37:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/10 11:37:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/01/27 21:30:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/03 15:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
[2011/02/25 15:57:21 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/03/11 12:17:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (Hewlett-Packard)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-704905762-12611631-4051743828-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-704905762-12611631-4051743828-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/07 09:55:22 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/11 23:08:08 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/03/11 22:54:54 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2011/03/11 22:44:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/11 13:00:03 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2011/03/11 13:00:02 | 002,452,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dat
[2011/03/11 13:00:02 | 000,991,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll.mui
[2011/03/11 13:00:02 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2011/03/11 13:00:02 | 000,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2011/03/11 11:47:44 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/11 02:33:46 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/10 12:15:39 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/03/10 12:15:36 | 000,000,000 | ---D | C] -- C:\47ca7199bdfafb09e7a0fb8e7d43b304
[2011/03/10 11:56:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/03/10 11:37:11 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/10 11:37:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/10 11:37:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/10 11:36:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/03/09 17:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/03/01 01:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\SecondLife
[2011/03/01 01:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\SecondLife
[2011/02/26 01:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/02/18 11:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Client
[2011/02/18 02:38:08 | 000,057,408 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\drivers\wsimd.sys
[2011/02/18 02:37:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NETGEAR WN111v2 Adapter
[2011/02/18 02:37:56 | 000,000,000 | ---D | C] -- C:\Program Files\Atheros
[2011/02/18 02:20:48 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2011/02/18 02:20:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/02/18 01:40:20 | 000,000,000 | ---D | C] -- C:\Program Files\Perfect Uninstaller
[2011/02/17 23:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/02/17 23:24:51 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/02/16 18:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/02/16 18:15:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/15 19:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2009/08/04 13:35:01 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2011/03/11 23:08:08 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/03/11 23:03:23 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/03/11 23:00:05 | 000,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2011/03/11 22:58:43 | 000,043,531 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/11 22:58:32 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/11 22:57:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/11 22:57:53 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/11 22:54:54 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2011/03/11 22:27:24 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/03/11 22:23:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/11 21:25:00 | 000,000,906 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/11 12:17:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/11 11:47:51 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/03/10 14:38:15 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/10 11:54:34 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/02/26 01:33:09 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/18 02:37:58 | 000,001,799 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk
[2011/02/18 02:37:58 | 000,001,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NETGEAR WN111v2 Smart Wizard.lnk
[2011/02/18 01:40:25 | 000,000,042 | ---- | M] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/02/17 23:24:56 | 000,001,631 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/02/17 23:24:56 | 000,001,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/02/16 13:55:43 | 000,645,916 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2011/02/16 13:55:38 | 106,241,920 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/02/15 14:01:55 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/03/11 02:21:20 | 1005,113,344 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/10 12:01:26 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/03/10 11:56:12 | 000,001,691 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/02/18 02:37:58 | 000,001,799 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk
[2011/02/18 02:37:57 | 000,001,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\NETGEAR WN111v2 Smart Wizard.lnk
[2011/02/18 01:40:25 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\AK083E209605E394C.lie
[2011/02/17 23:24:56 | 000,001,631 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/02/17 23:24:56 | 000,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/01 03:15:09 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/06 15:36:06 | 000,458,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/07 04:26:30 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/07 04:26:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/07 04:26:30 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/07 04:26:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/07 04:26:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/22 13:08:35 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
[2010/04/20 13:30:06 | 000,214,720 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2010/04/16 04:22:18 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2010/04/16 04:22:18 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2010/03/09 16:48:42 | 000,000,466 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/02/18 02:55:50 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2010/01/30 21:43:00 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/28 12:51:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
[2010/01/27 06:31:38 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
[2009/12/29 13:07:39 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc
[2009/12/08 19:56:17 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/09/07 20:53:43 | 000,000,615 | ---- | C] () -- C:\WINDOWS\tlknw5.ini
[2009/09/07 20:44:36 | 000,000,610 | ---- | C] () -- C:\WINDOWS\tlknw18.ini
[2009/08/27 20:21:26 | 000,035,190 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2009/08/04 13:35:34 | 000,321,940 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\vso_ts_preview.xml
[2009/08/04 13:35:01 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.cat
[2009/08/04 13:35:01 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.inf
[2009/07/17 15:39:20 | 000,000,669 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/05/16 12:00:55 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/26 10:29:43 | 000,000,056 | ---- | C] () -- C:\WINDOWS\voqktj.dll
[2008/12/29 16:43:08 | 000,000,427 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2008/12/13 14:11:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/27 16:18:04 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2008/04/28 14:36:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/03/08 15:26:03 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html
[2008/02/01 06:16:24 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Multimedia manager.INI
[2007/10/25 16:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/08/21 13:01:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2007/04/25 22:17:12 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2007/02/22 09:01:02 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/09/07 10:25:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/07 10:04:52 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/09/07 09:59:27 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
[2006/09/07 09:58:41 | 000,014,315 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/09/07 09:58:36 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/09/07 09:55:36 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/09/07 09:43:15 | 000,000,157 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/09/07 09:42:35 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/09/07 09:42:35 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/09/07 09:37:44 | 000,095,822 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/09/07 09:33:47 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/09/07 09:33:47 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/09/07 09:33:47 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/09/07 09:33:47 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/09/07 09:33:47 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/09/07 09:33:47 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/09/07 09:33:47 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/09/07 09:33:47 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/09/07 09:33:46 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/09/07 09:33:46 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/09/07 09:33:46 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/09/07 09:32:15 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/09/07 09:10:43 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/09/07 09:10:43 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/09/07 09:10:20 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2006/06/16 13:58:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/10/14 05:56:50 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/10/14 05:56:50 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2005/10/14 05:56:50 | 000,778,240 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe
[2005/10/14 05:56:50 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2005/10/14 05:56:50 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2005/10/14 05:56:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2005/10/14 05:56:50 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2005/10/14 05:56:50 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2005/10/14 05:56:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2005/08/30 23:17:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/30 23:07:46 | 000,445,700 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/30 23:07:46 | 000,072,780 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/30 23:05:30 | 002,176,448 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/30 23:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/30 22:58:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/05 23:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/03 01:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2004/09/16 22:24:26 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/10 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/09 23:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/09 23:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/09 23:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/09 23:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/09 23:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/09 23:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/09 23:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/07/26 09:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/18 15:43:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/04/18 15:43:44 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2001/08/23 10:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 10:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 508 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 161 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm

Re: Redirect Malware

Unread postby deltalima » March 12th, 2011, 6:20 am

Hi JoeC,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :processes
    killallprocesses
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:33440
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:33440
    IE - HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
    @Alternate Data Stream - 508 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
    @Alternate Data Stream - 161 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 0
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

ESET online scannner

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby JoeC » March 12th, 2011, 7:22 pm

Things are running much better, I'm not getting redirected anymore and the boot up process is much faster. Here are the logs

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-704905762-12611631-4051743828-1007\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\"DisableMonitoring" | 0 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 79 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 44350329 bytes
->Flash cache emptied: 456 bytes

User: HP_Administrator.JOE
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 16786 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 2302 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1610 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 42.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: HP_Administrator.JOE
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.22.3 log created on 03122011_125157

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0186160.exe a variant of Win32/PerfectUninstaller application
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0186178.exe a variant of Win32/PerfectUninstaller application
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0186472.exe probably a variant of Win32/Agent.FGHQVIS trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0187854.exe a variant of Win32/PerfectUninstaller application
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP484\A0189281.exe probably a variant of Win32/Agent.KFMXVWA trojan
D:\I386\APPS\APP31786\src\CompaqPresario_Spring06.exe a variant of Win32/AdInstaller application
D:\I386\APPS\APP31786\src\HPPavillion_Spring06.exe a variant of Win32/AdInstaller application
JoeC
Active Member
 
Posts: 6
Joined: March 9th, 2011, 5:34 pm

Re: Redirect Malware

Unread postby deltalima » March 12th, 2011, 7:31 pm

Hi JoeC,

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.0.1).
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 24.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

You need to upgrade Internet Explorer to version 8
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirect Malware

Unread postby Carolyn » March 13th, 2011, 11:40 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 303 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware