Yahoo Searches Redirect [Closed]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

Yahoo Searches Redirect [Closed]

Options

jaysee View Member Profile	Jun 15 2009, 02:45 PM Post #1
Member Posts: 25 OS: XP Pro	So just recently my Yahoo.com searches, once clicked, started redirecting to different sites (spam, malicious). I keep running Malwarebytes and Superantispyware, and they aren't really picking up anything anymore. Last night my computer shut off and restarted, and upon restart my background had been changed saying that my computer was infected, and a fake scan occurred. I restarted my computer into safe mode. AVG8.5 detected the junk that caused the background to change, and removed it. Ran CCleaner a couple times since this has started, ran Malwarebytes and Superantispyware again in safe mode, and it 'appears' to be clean. I restarted my computer, and I don't have the junk pretending to be anti-malware anymore, but Yahoo searches still end up causing redirected links to spam. This is happening in both Firefox and Explorer, and it's ONLY Yahoo. Google and other search engines work fine, and when I do a search via the AVG Yahoo Search bar, search links are okay. It only happens if I go directly to yahoo.com. Needless to say, after the computer restarted and had the fake anti-virus stuff pop up and replace my background desktop image, I'm worried and would like to get this infection removed. This may just be a coincidence, but this seemed to start happening after I tried installing and using ZoneAlarm. I didn't care for it, and had it uninstalled. Windows Firewall is active, and I am connected to the internet through a Netgear router. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:57:33, on 6/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TVersity\Media Server\MediaServer.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\explorer.exe C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: 195.245.119.131 browser-security.microsoft.com O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O17 - HKLM\System\CS1\Services\Tcpip\..\{017659A2-AA14-4D5D-B1EF-FCFB3CABBA94}: NameServer = 192.168.1.1,192.168.1.2 O17 - HKLM\System\CS2\Services\Tcpip\..\{017659A2-AA14-4D5D-B1EF-FCFB3CABBA94}: NameServer = 192.168.1.1,192.168.1.2 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8006 bytes This post has been edited by jaysee: Jun 15 2009, 02:58 PM

Transience View Member Profile	Jun 15 2009, 02:49 PM Post #2
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	Hello jaysee and welcome to Geeks to Go! I'm Dave and I'll be helping you to clean your computer. While HJT was once the preferred log to take a look at to begin with, it's fallen significantly behind the times, so we've updated our initial procedures. The first thing I need you to do is go to this page and follow the instructions there: Malware Cleaning Guide - Please Read Before Starting a New Topic. These are the steps that we need you to perform before attempting a removal of malware from your computer. If you're still experiencing problems after following all the steps in that thread, then please post the following logs here for me to take a look at: Malwarebytes' Anti-Malware log OTListIt.txt and Extras.txt, located in the same directory as the OTL program. Rooter log located at C:\Rooter.txt Once you've posted those logs for me I'll take a look at them and see where we need to go from there . Cheers, Dave

Transience View Member Profile	Jun 15 2009, 07:23 PM Post #4
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	Hi jaysee - I see you're using or have in the past used p2p software such as uTorrent. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs, you don't have to remove them to be deemed clean and I'll still give you help if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs that's fine with me, all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel. Please go to Add/Remove Programs in your Control Panel (Programs and Features if you are a Vista user). Select and remove the following if present, don't worry if they aren't: Viewpoint Media Player - Viewpoint is an annoying media player that installs alongside many different things without your permission, not a good idea to keep it on your computer. Next OTL Fixes Please double click on OTL to run it Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090123.1 FF - prefs.js..extensions.enabledItems: {3414F358-CBBD-4215-8320-ABAECC12AC25}:1.0 O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2007/07/28 21:42:25 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{aa9a245e-2b88-11de-9032-00142a7c704f}\Shell - "" = AutoRun O33 - MountPoints2\{aa9a245e-2b88-11de-9032-00142a7c704f}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{aa9a245e-2b88-11de-9032-00142a7c704f}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{b6b3b553-3d36-11dc-a3af-806d6172696f}\Shell - "" = AutoRun O33 - MountPoints2\{b6b3b553-3d36-11dc-a3af-806d6172696f}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{b6b3b553-3d36-11dc-a3af-806d6172696f}\Shell\AutoRun\command - "" = E:\FrameworkCheck.exe -- File not found O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found :Files C:\DOCUMENTS AND SETTINGS\JOHN CHRISTIAN\LOCAL SETTINGS\APPLICATION DATA\{3414F358-CBBD-4215-8320-ABAECC12AC25} C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} C:\WINDOWS\System32\tupigovi C:\Documents and Settings\All Users\Application Data\93338746.ini C:\Documents and Settings\All Users\Application Data\93338746 C:\Documents and Settings\All Users\Application Data\13328754 C:\WINDOWS\System32\d3d9caps.dat C:\WINDOWS\System32\d3d8caps.dat C:\WINDOWS\SxsCaPendDel :Commands [purity] [emptytemp] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot the PC when it is done Then post a new OTL2 log. Just need the fresh OTL log in your next reply.

jaysee View Member Profile	Jun 16 2009, 08:39 PM Post #5
Member Posts: 25 OS: XP Pro	Uninstalled utorrent, and also Viewpoint Media Player. I didn't know if I was suppose to try or not, but Yahoo.com searches are still being redirected to spam, or fake search engines. QUOTE OTL logfile created on: 6/16/2009 10:49:24 PM - Run 2 OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\John Christian\Desktop\Misc Desktops\AntiVirusAd Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 2.00 Gb Total Physical Memory \| 1.50 Gb Available Physical Memory \| 75.00% Memory free 3.85 Gb Paging File \| 3.48 Gb Available in Paging File \| 90.50% Paging File free Paging file location(s): D:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 279.46 Gb Total Space \| 34.46 Gb Free Space \| 12.33% Space Free \| Partition Type: NTFS Drive D: \| 465.76 Gb Total Space \| 30.68 Gb Free Space \| 6.59% Space Free \| Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: JOHN Current User Name: John Christian Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Output = Minimal File Age = 30 Days Company Name Whitelist: On ========== Processes (SafeList) ========== PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Program Files\TVersity\Media Server\MediaServer.exe () PRC - C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation) PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) PRC - C:\Documents and Settings\John Christian\Desktop\Misc Desktops\AntiVirusAd\OTL.exe (OldTimer Tools) ========== Win32 Services (SafeList) ========== SRV - (Adobe LM Service [On_Demand \| Stopped]) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems) SRV - (aspnet_state [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation) SRV - (avg8wd [Auto \| Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.) SRV - (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) SRV - (FontCache3.0.0.0 [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation) SRV - (helpsvc [Auto \| Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation) SRV - (hpqcxs08 [Disabled \| Stopped]) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.) SRV - (hpqddsvc [Disabled \| Stopped]) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll (Hewlett-Packard Co.) SRV - (HPSLPSVC [Disabled \| Stopped]) -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL (Hewlett-Packard Co.) SRV - (IDriverT [On_Demand \| Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation) SRV - (idsvc [Unknown \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation) SRV - (iPod Service [On_Demand \| Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.) SRV - (JavaQuickStarterService [Auto \| Stopped]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) SRV - (Lavasoft Ad-Aware Service [Auto \| Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) SRV - (LVPrcSrv [Auto \| Stopped]) -- c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (Logitech Inc.) SRV - (LVSrvLauncher [Auto \| Stopped]) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (Logitech Inc.) SRV - (Net Driver HPZ12 [Auto \| Running]) -- C:\WINDOWS\system32\HPZinw12.dll (Hewlett-Packard) SRV - (NetTcpPortSharing [Disabled \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation) SRV - (npggsvc [On_Demand \| Stopped]) -- C:\WINDOWS\system32\GameMon.des (INCA Internet Co., Ltd.) SRV - (nTuneService [Auto \| Stopped]) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA) SRV - (NVSvc [Auto \| Stopped]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation) SRV - (Pml Driver HPZ12 [Auto \| Running]) -- C:\WINDOWS\system32\HPZipm12.dll (Hewlett-Packard) SRV - (PnkBstrA [Auto \| Stopped]) -- C:\WINDOWS\system32\PnkBstrA.exe () SRV - (PnkBstrB [Auto \| Stopped]) -- C:\WINDOWS\system32\PnkBstrB.exe () SRV - (ProtexisLicensing [Auto \| Stopped]) -- C:\WINDOWS\system32\PSIService.exe () SRV - (SABSVC [Auto \| Stopped]) -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (SuperAdBlocker.com) SRV - (Symantec Core LC [On_Demand \| Stopped]) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation) SRV - (TVersityMediaServer [Auto \| Running]) -- C:\Program Files\TVersity\Media Server\MediaServer.exe () SRV - (usnjsvc [On_Demand \| Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation) SRV - (WLSetupSvc [On_Demand \| Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation) SRV - (WMPNetworkSvc [Auto \| Running]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation) SRV - (ZuneBusEnum [Auto \| Stopped]) -- c:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation) SRV - (ZuneNetworkSvc [Auto \| Stopped]) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation) SRV - (ZuneWlanCfgSvc [On_Demand \| Stopped]) -- c:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (ALCXWDM [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.) DRV - (atksgt [Auto \| Running]) -- C:\WINDOWS\system32\DRIVERS\atksgt.sys () DRV - (AvgLdx86 [System \| Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AvgMfx86 [System \| Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.) DRV - (AvgTdiX [System \| Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.) DRV - (ENTECH [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ENTECH.sys (EnTech Taiwan) DRV - (FETNDIS [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. ) DRV - (GEARAspiWDM [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.) DRV - (giveio [Boot \| Running]) -- C:\WINDOWS\system32\giveio.sys () DRV - (L8042Kbd [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys (Logitech, Inc.) DRV - (L8042mou [On_Demand \| Stopped]) -- C:\WINDOWS\System32\Drivers\L8042mou.sys (Logitech, Inc.) DRV - (Lbd [Boot \| Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB) DRV - (LHidKe [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\LHidKE.Sys (Logitech, Inc.) DRV - (LHidUsbK [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\LHidUsbK.Sys (Logitech, Inc.) DRV - (lirsgt [Auto \| Running]) -- C:\WINDOWS\system32\DRIVERS\lirsgt.sys () DRV - (LMouKE [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\LMouKE.sys (Logitech, Inc.) DRV - (LVcKap [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\LVcKap.sys () DRV - (LVMVDrv [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys (Logitech Inc.) DRV - (LVPr2Mon [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys () DRV - (nv [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation) DRV - (NVR0Dev [On_Demand \| Running]) -- C:\WINDOWS\nvoclock.sys (NVidia Corp.) DRV - (pfc [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.) DRV - (PhilCam8116 [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\CamDrO21.sys (Microsoft Corporation) DRV - (ppsio2 [Auto \| Running]) -- C:\WINDOWS\System32\drivers\ppsio2.sys () DRV - (Ptilink [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.) DRV - (PxHelp20 [Boot \| Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions) DRV - (RivaTuner32 [On_Demand \| Stopped]) -- D:\Program Files\RivaTuner v2.08\RivaTuner32.sys () DRV - (RTL8023xp [On_Demand \| Running]) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation ) DRV - (rtl8139 [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation) DRV - (SABDIFSV [System \| Stopped]) -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS () DRV - (SABKUTIL [System \| Running]) -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys () DRV - (SABProcEnum [On_Demand \| Stopped]) -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys (SuperAdBlocker.com) DRV - (SASDIFSV [System \| Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASENUM [On_Demand \| Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL [System \| Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (Secdrv [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (speedfan [Boot \| Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows � 2000 DDK provider) DRV - (sptd [Boot \| Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys () DRV - (StillCam [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\serscan.sys (Microsoft Corporation) DRV - (Tcpip6 [System \| Running]) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys (Microsoft Corporation) DRV - (usbaudio [On_Demand \| Stopped]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation) DRV - (VIAudio [On_Demand \| Stopped]) -- C:\WINDOWS\system32\drivers\vinyl97.sys (VIA Technologies, Inc.) DRV - (ViBus [Boot \| Running]) -- C:\WINDOWS\system32\DRIVERS\ViBus.sys (VIA Technologies, Inc.) DRV - (videX32 [Boot \| Running]) -- C:\WINDOWS\system32\DRIVERS\videX32.sys (VIA Technologies, Inc.) DRV - (ViPrt [Boot \| Running]) -- C:\WINDOWS\system32\DRIVERS\ViPrt.sys (VIA Technologies, Inc.) DRV - (WMDrive [Auto \| Running]) -- C:\WINDOWS\system32\drivers\WMDrive.sys () DRV - (X4HSX32 [Auto \| Running]) -- C:\Program Files\GameTap\bin\Release\X4HSX32.Sys (Exent Technologies Ltd.) DRV - (xnacc [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\xnacc.sys (Microsoft Corporation) DRV - (zumbus [Auto \| Running]) -- C:\WINDOWS\system32\DRIVERS\zumbus.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Yahoo" FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p=" FF - prefs.js..browser.search.selectedEngine: "Yahoo" FF - prefs.js..browser.startup.homepage: "" FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5 FF - prefs.js..extensions.enabledItems: {1d5287d1-8a92-0001-1f31-1cec198018d8}:2.1.0.7 FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.10 FF - prefs.js..extensions.enabledItems: iaplayer@instantaction.com:0.3.4.0 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0 FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07061050 FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2 FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.0.0 FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:3.0.3 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11 FF - HKLM\software\mozilla\Firefox\Extensions\\{3414F358-CBBD-4215-8320-ABAECC12AC25}: C:\DOCUMENTS AND SETTINGS\JOHN CHRISTIAN\LOCAL SETTINGS\APPLICATION DATA\{3414F358-CBBD-4215-8320-ABAECC12AC25}\ FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/05/04 14:00:08 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\PROGRAM FILES\AVG\AVG8\TOOLBARFF [2009/05/04 14:00:09 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/23 19:42:24 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/06/14 17:07:04 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/06/16 14:47:13 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/06/16 22:27:35 \| 00,000,000 \| ---D \| M] [2008/06/27 07:34:20 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Extensions [2008/06/27 07:34:20 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/06/16 22:23:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions [2009/04/23 19:19:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2008/06/27 08:11:12 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb} [2008/02/01 12:50:04 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2007/08/07 01:12:54 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} [2008/06/30 10:35:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644} [2008/06/27 07:48:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\en-US@dictionaries.addons.mozilla.org [2008/01/31 20:30:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\iaplayer@instantaction.com [2007/09/12 03:29:53 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\0c457zba.default\extensions\moveplayer@movenetworks.com [2008/05/08 00:35:43 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\sp82nxrc.JC01\extensions [2008/02/01 12:40:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\sp82nxrc.JC01\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2008/05/08 00:35:43 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\John Christian\Application Data\mozilla\Firefox\Profiles\sp82nxrc.JC01\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D} [2008/12/12 14:23:54 \| 00,002,158 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Application Data\Mozilla\FireFox\Profiles\0c457zba.default\searchplugins\MySpace.xml [2009/06/16 14:57:25 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions [2009/06/12 00:16:16 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2007/11/04 18:06:45 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED} [2009/06/14 17:07:44 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009/06/12 00:16:10 \| 00,023,032 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2009/06/12 00:16:10 \| 00,134,648 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2004/05/07 15:31:40 \| 00,348,160 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\components\MSVCR71.DLL [2006/11/07 12:58:44 \| 00,139,264 \| ---- \| M] () -- C:\Program Files\mozilla firefox\components\SABFF20.DLL [2009/05/11 22:01:14 \| 00,001,394 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml [2009/05/11 22:01:14 \| 00,002,193 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml [2009/05/11 22:01:14 \| 00,001,534 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2009/05/11 22:01:14 \| 00,002,343 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml [2009/05/11 22:01:14 \| 00,001,706 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2009/05/11 22:01:14 \| 00,001,178 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml [2009/05/11 22:01:14 \| 00,000,792 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml O1 HOSTS File: (786 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.) O3 - HKLM\..\Toolbar: (Super Ad Blocker Toolbar) - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll () O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - Reg Error: Key error. File not found O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found O4 - HKCU..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (NVIDIA) O4 - Startup: C:\Documents and Settings\John Christian\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.) O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.) O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKCU\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SABWinLogon: DllName - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL (SuperAdBlocker.com) O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O24 - Desktop Components:0 (My Current Home Page) - About:Home O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000D7} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL (SuperAdBlocker.com) O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - [2009/06/15 18:35:15 \| 00,000,000 \| ---D \| M] O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () ========== Files/Folders - Created Within 30 Days ========== [2009/06/16 22:18:50 \| 00,000,000 \| ---D \| C] -- C:\_OTL [2009/06/15 18:07:21 \| 00,000,000 \| ---D \| C] -- C:\Rooter$ [2009/06/15 17:12:01 \| 00,000,767 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2009/06/15 17:11:52 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ERUNT [2009/06/15 16:40:15 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Trend Micro [2009/06/15 16:29:12 \| 00,001,720 \| ---- \| C] () -- C:\WINDOWS\System32\tmp.reg [2009/06/15 16:28:21 \| 00,289,144 \| ---- \| C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe [2009/06/15 16:28:21 \| 00,288,417 \| ---- \| C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe [2009/06/15 16:28:21 \| 00,135,168 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe [2009/06/15 16:28:21 \| 00,087,552 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe [2009/06/15 16:28:21 \| 00,082,944 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe [2009/06/15 16:28:21 \| 00,082,944 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe [2009/06/15 16:28:21 \| 00,082,432 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe [2009/06/15 16:28:21 \| 00,080,384 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe [2009/06/15 16:28:21 \| 00,079,360 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe [2009/06/15 16:28:21 \| 00,078,336 \| ---- \| C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe [2009/06/15 16:28:21 \| 00,075,776 \| ---- \| C] () -- C:\WINDOWS\System32\WS2Fix.exe [2009/06/15 16:28:21 \| 00,053,248 \| ---- \| C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe [2009/06/15 16:28:21 \| 00,051,200 \| ---- \| C] () -- C:\WINDOWS\System32\dumphive.exe [2009/06/15 16:28:21 \| 00,040,960 \| ---- \| C] () -- C:\WINDOWS\System32\swsc.exe [2009/06/15 13:41:50 \| 00,981,586 \| ---- \| C] () -- C:\Documents and Settings\John Christian\My Documents\cc_20090615_134143.reg [2009/06/14 23:02:31 \| 01,615,732 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\ProcessExplorer.zip [2009/06/14 20:42:02 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ESET [2009/06/14 19:58:14 \| 00,212,480 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2009/06/14 19:58:14 \| 00,161,792 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2009/06/14 19:58:14 \| 00,155,136 \| ---- \| C] () -- C:\WINDOWS\PEV.exe [2009/06/14 19:58:14 \| 00,136,704 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2009/06/14 19:58:14 \| 00,098,816 \| ---- \| C] () -- C:\WINDOWS\sed.exe [2009/06/14 19:58:14 \| 00,080,412 \| ---- \| C] () -- C:\WINDOWS\grep.exe [2009/06/14 19:58:14 \| 00,068,096 \| ---- \| C] () -- C:\WINDOWS\zip.exe [2009/06/14 19:58:14 \| 00,031,232 \| ---- \| C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2009/06/14 19:57:32 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2009/06/14 19:57:29 \| 00,000,000 \| --SD \| C] -- C:\ComboFix [2009/06/14 19:57:24 \| 00,389,120 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF1521.exe [2009/06/14 19:56:19 \| 00,000,000 \| ---D \| C] -- C:\Qoobox [2009/06/14 17:06:22 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\McAfee [2009/06/12 14:10:30 \| 04,613,370 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\heartbeats.mp3 [2009/06/11 22:26:13 \| 00,215,383 \| ---- \| C] () -- C:\WINDOWS\System32\nvapps.xml [2009/06/11 22:26:11 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\nview [2009/06/11 16:59:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\John Christian\My Documents\Prototype [2009/06/11 04:14:24 \| 00,000,803 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Prototype™.lnk [2009/06/10 03:01:00 \| 00,246,272 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll [2009/06/10 03:01:00 \| 00,012,800 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll [2009/06/08 21:17:31 \| 03,099,494 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\boss.bmp [2009/06/05 21:02:27 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Realtek AC97 [2009/06/05 20:59:01 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters [2009/06/05 20:58:58 \| 00,000,000 \| ---D \| C] -- C:\Program Files\PC Drivers HeadQuarters [2009/06/05 17:30:08 \| 00,001,407 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\i j j i.lnk [2009/06/05 17:30:03 \| 00,000,000 \| ---D \| C] -- C:\ijji [2009/06/05 17:30:03 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\John Christian\Application Data\ijjigame [2009/06/05 17:29:43 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\ijjigame [2009/06/05 17:06:13 \| 00,710,064 \| ---- \| C] (NHN USA) -- C:\WINDOWS\System32\ijjiSetup.exe [2009/06/05 17:06:13 \| 00,157,152 \| ---- \| C] (NHN Corporation) -- C:\WINDOWS\System32\PubPlugin.dll [2009/06/05 17:06:13 \| 00,058,800 \| ---- \| C] (NHN USA Inc.) -- C:\WINDOWS\System32\ijjiProcessRestarter.exe [2009/06/05 17:06:13 \| 00,058,800 \| ---- \| C] (NHN USA Corp.) -- C:\WINDOWS\System32\ijjiPlugin2.dll [2009/06/05 17:06:13 \| 00,000,000 \| ---D \| C] -- C:\Program Files\NHN USA [2009/06/05 15:22:40 \| 00,001,341 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Huxley Lite.lnk [2009/06/05 15:22:40 \| 00,000,000 \| ---D \| C] -- C:\Program Files\HuxleyLite [2009/06/05 03:17:47 \| 21,148,51485 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\Huxley_Lite_Setup.zip [2009/06/03 23:48:43 \| 00,000,854 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\The Sims 3.lnk [2009/06/03 23:26:41 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\MailFrontier [2009/06/03 23:26:23 \| 00,004,212 \| -H-- \| C] () -- C:\WINDOWS\System32\zllictbl.dat [2009/06/03 23:25:34 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\System32\ZoneLabs [2009/05/25 18:27:25 \| 31,796,401 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\169_sc2_cs_pc2_101108_hr.mp4 [2009/05/24 22:40:09 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\John Christian\Application Data\Games [2009/05/23 22:29:17 \| 00,000,000 \| ---D \| C] -- C:\Program Files\USArmy [2009/05/23 20:36:21 \| 01,089,593 \| ---- \| C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat [2009/05/23 19:44:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\AA3DeployClient [2009/05/23 19:44:26 \| 00,000,308 \| ---- \| C] () -- C:\Documents and Settings\John Christian\Desktop\AA3Deploy.appref-ms [2009/05/21 18:51:48 \| 00,041,808 \| ---- \| C] () -- C:\WINDOWS\System32\xfcodec.dll [2009/05/19 18:27:38 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Microsoft WSE [2009/04/22 00:19:06 \| 00,172,173 \| ---- \| C] () -- C:\WINDOWS\System32\xlive.dll.cat [2009/03/27 10:03:00 \| 01,724,416 \| ---- \| C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2009/03/27 10:03:00 \| 01,503,232 \| ---- \| C] () -- C:\WINDOWS\System32\nview.dll [2009/03/27 10:03:00 \| 01,101,824 \| ---- \| C] () -- C:\WINDOWS\System32\nvwimg.dll [2009/03/27 10:03:00 \| 00,466,944 \| ---- \| C] () -- C:\WINDOWS\System32\nvshell.dll [2009/02/17 15:13:08 \| 00,037,376 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\WMDrive.sys [2009/02/07 01:33:58 \| 00,000,547 \| ---- \| C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest [2008/12/19 02:52:42 \| 00,000,061 \| ---- \| C] () -- C:\WINDOWS\WININIT.INI [2008/11/10 02:26:10 \| 00,000,004 \| ---- \| C] () -- C:\WINDOWS\System32\microday08.dll [2008/11/10 02:26:07 \| 00,000,070 \| ---- \| C] () -- C:\WINDOWS\System32\mypath0079.dll [2008/11/10 02:26:07 \| 00,000,034 \| ---- \| C] () -- C:\WINDOWS\System32\MTX0CI.dll [2008/11/06 12:37:32 \| 03,596,288 \| ---- \| C] () -- C:\WINDOWS\System32\qt-dx331.dll [2008/11/06 12:34:00 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2008/11/06 12:34:00 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2008/11/06 12:33:02 \| 00,012,288 \| ---- \| C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2008/11/05 17:29:30 \| 00,003,972 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PciBus.sys [2008/10/07 10:13:22 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll [2008/10/07 10:13:20 \| 00,058,648 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll [2008/08/21 15:05:01 \| 00,000,056 \| ---- \| C] () -- C:\WINDOWS\kgt2k.INI [2008/07/03 19:57:29 \| 00,043,520 \| ---- \| C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2008/07/03 16:32:59 \| 00,021,840 \| ---- \| C] () -- C:\WINDOWS\System32\SIntfNT.dll [2008/07/03 16:32:59 \| 00,017,212 \| ---- \| C] () -- C:\WINDOWS\System32\SIntf32.dll [2008/07/03 16:32:59 \| 00,012,067 \| ---- \| C] () -- C:\WINDOWS\System32\SIntf16.dll [2008/06/05 08:58:26 \| 00,197,912 \| ---- \| C] () -- C:\WINDOWS\System32\physxcudart_20.dll [2008/04/10 12:52:08 \| 00,662,016 \| ---- \| C] () -- C:\WINDOWS\System32\xvidcore.dll [2008/04/10 12:52:06 \| 03,104,256 \| ---- \| C] () -- C:\WINDOWS\System32\libavcodec.dll [2008/04/10 12:52:06 \| 00,520,192 \| ---- \| C] () -- C:\WINDOWS\System32\ff_x264.dll [2008/04/10 12:52:06 \| 00,404,992 \| ---- \| C] () -- C:\WINDOWS\System32\libmplayer.dll [2008/04/10 12:52:06 \| 00,397,312 \| ---- \| C] () -- C:\WINDOWS\System32\ff_libfaad2.dll [2008/04/10 12:52:06 \| 00,188,416 \| ---- \| C] () -- C:\WINDOWS\System32\ff_theora.dll [2008/04/10 12:52:06 \| 00,167,936 \| ---- \| C] () -- C:\WINDOWS\System32\ff_libdts.dll [2008/04/10 12:52:06 \| 00,143,360 \| ---- \| C] () -- C:\WINDOWS\System32\ff_libmad.dll [2008/04/10 12:52:06 \| 00,135,168 \| ---- \| C] () -- C:\WINDOWS\System32\ff_samplerate.dll [2008/04/10 12:52:06 \| 00,122,880 \| ---- \| C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll [2008/04/10 12:52:06 \| 00,118,784 \| ---- \| C] () -- C:\WINDOWS\System32\ff_realaac.dll [2008/04/10 12:52:06 \| 00,102,912 \| ---- \| C] () -- C:\WINDOWS\System32\ff_tremor.dll [2008/04/10 12:52:06 \| 00,054,784 \| ---- \| C] () -- C:\WINDOWS\System32\ff_liba52.dll [2008/04/10 12:52:06 \| 00,038,400 \| ---- \| C] () -- C:\WINDOWS\System32\ff_unrar.dll [2008/04/10 12:52:06 \| 00,026,624 \| ---- \| C] () -- C:\WINDOWS\System32\ff_wmv9.dll [2008/04/10 12:50:40 \| 00,007,680 \| ---- \| C] () -- C:\WINDOWS\System32\ff_vfw.dll [2008/03/29 11:42:22 \| 00,245,248 \| ---- \| C] () -- C:\WINDOWS\System32\dxr.dll [2008/03/29 11:42:20 \| 00,159,744 \| ---- \| C] () -- C:\WINDOWS\System32\mmfinfo.dll [2008/03/29 11:42:14 \| 00,102,400 \| ---- \| C] () -- C:\WINDOWS\System32\avss.dll [2008/03/29 11:42:08 \| 00,148,992 \| ---- \| C] () -- C:\WINDOWS\System32\mkx.dll [2008/03/29 11:42:04 \| 00,141,312 \| ---- \| C] () -- C:\WINDOWS\System32\mp4.dll [2008/03/29 11:42:04 \| 00,108,032 \| ---- \| C] () -- C:\WINDOWS\System32\avi.dll [2008/03/29 11:42:02 \| 00,120,832 \| ---- \| C] () -- C:\WINDOWS\System32\ogm.dll [2008/03/29 11:42:00 \| 00,163,840 \| ---- \| C] () -- C:\WINDOWS\System32\ts.dll [2008/03/29 11:41:54 \| 00,097,280 \| ---- \| C] () -- C:\WINDOWS\System32\avs.dll [2008/03/29 11:41:52 \| 00,079,360 \| ---- \| C] () -- C:\WINDOWS\System32\mkzlib.dll [2008/03/29 11:41:52 \| 00,023,552 \| ---- \| C] () -- C:\WINDOWS\System32\mkunicode.dll [2008/03/14 02:53:39 \| 00,000,004 \| ---- \| C] () -- C:\WINDOWS\info147.sys [2008/01/23 02:39:12 \| 00,215,144 \| ---- \| C] () -- C:\WINDOWS\patchw32.dll [2007/12/31 20:00:00 \| 00,741,376 \| ---- \| C] () -- C:\WINDOWS\System32\audxlib.dll [2007/12/31 20:00:00 \| 00,204,800 \| ---- \| C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll [2007/12/31 20:00:00 \| 00,204,800 \| ---- \| C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll [2007/12/08 04:28:38 \| 00,000,023 \| ---- \| C] () -- C:\WINDOWS\BlendSettings.ini [2007/12/01 01:40:08 \| 00,279,712 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\atksgt.sys [2007/12/01 01:40:07 \| 00,025,888 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys [2007/11/18 22:56:06 \| 00,000,319 \| ---- \| C] () -- C:\WINDOWS\game.ini [2007/10/13 05:30:20 \| 00,000,137 \| ---- \| C] () -- C:\WINDOWS\System32\Registration.ini [2007/10/01 23:37:38 \| 00,032,768 \| ---- \| C] () -- C:\WINDOWS\System32\mf.dll [2007/10/01 20:25:17 \| 00,034,308 \| ---- \| C] () -- C:\WINDOWS\System32\bassmod.dll [2007/08/27 19:51:31 \| 00,000,077 \| ---- \| C] () -- C:\WINDOWS\mydebug.ini [2007/08/27 19:31:47 \| 00,023,200 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\ppsio2.sys [2007/08/27 19:30:46 \| 00,001,020 \| ---- \| C] () -- C:\WINDOWS\MAXLINK.INI [2007/08/27 19:30:46 \| 00,000,090 \| ---- \| C] () -- C:\WINDOWS\calera.ini [2007/08/27 19:30:39 \| 00,269,312 \| ---- \| C] () -- C:\WINDOWS\System32\FPXIG.DLL [2007/08/27 19:30:39 \| 00,068,096 \| ---- \| C] () -- C:\WINDOWS\System32\IGFPX32P.DLL [2007/08/27 19:30:39 \| 00,065,024 \| ---- \| C] () -- C:\WINDOWS\System32\JPEGACC.DLL [2007/08/27 19:30:27 \| 00,101,376 \| ---- \| C] () -- C:\WINDOWS\System32\WELSOF32.DLL [2007/08/10 10:13:09 \| 00,138,920 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys [2007/08/03 00:09:08 \| 00,000,754 \| ---- \| C] () -- C:\WINDOWS\WORDPAD.INI [2007/07/29 17:43:52 \| 00,685,816 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2007/07/28 22:58:45 \| 00,065,536 \| ---- \| C] () -- C:\WINDOWS\System32\YCRWin32.dll [2007/06/28 14:54:10 \| 00,180,224 \| ---- \| C] () -- C:\WINDOWS\System32\xvidvfw.dll [2007/03/12 12:01:30 \| 00,217,088 \| ---- \| C] () -- C:\WINDOWS\NVGfxOgl.dll [2007/02/06 17:45:04 \| 00,025,632 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys [2007/02/06 17:42:40 \| 01,691,808 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys [2004/08/04 08:00:00 \| 00,000,651 \| ---- \| C] () -- C:\WINDOWS\win.ini [2004/08/04 08:00:00 \| 00,000,227 \| ---- \| C] () -- C:\WINDOWS\SYSTEM.INI [2003/04/05 13:47:42 \| 00,147,456 \| ---- \| C] () -- C:\WINDOWS\System32\RtlCPAPI.dll [2002/05/15 20:38:40 \| 00,091,136 \| ---- \| C] () -- C:\WINDOWS\System32\mp4fil32.dll [2002/05/04 10:19:00 \| 00,049,152 \| ---- \| C] () -- C:\WINDOWS\System32\avisynthEx.dll [1996/04/03 15:33:26 \| 00,005,248 \| ---- \| C] () -- C:\WINDOWS\System32\giveio.sys ========== Files - Modified Within 30 Days ========== [2009/06/16 22:47:56 \| 00,215,383 \| ---- \| M] () -- C:\WINDOWS\System32\nvapps.xml [2009/06/16 22:47:23 \| 00,002,206 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2009/06/16 22:47:11 \| 00,000,062 \| -HS- \| M] () -- C:\Documents and Settings\John Christian\Local Settings\desktop.ini [2009/06/16 22:46:58 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2009/06/16 22:46:53 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2009/06/16 22:27:57 \| 00,008,192 \| -HS- \| M] () -- C:\WINDOWS\Thumbs.db [2009/06/16 17:53:07 \| 37,160,237 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2009/06/16 17:53:07 \| 00,078,361 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg [2009/06/15 22:17:08 \| 00,000,472 \| ---- \| M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2009/06/15 20:00:00 \| 00,000,594 \| ---- \| M] () -- C:\WINDOWS\tasks\Norton Security Online - Run Full System Scan - John Christian.job [2009/06/15 17:56:48 \| 00,492,248 \| ---- \| M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009/06/15 17:56:48 \| 00,435,260 \| ---- \| M] () -- C:\WINDOWS\System32\perfh009.dat [2009/06/15 17:56:48 \| 00,068,156 \| ---- \| M] () -- C:\WINDOWS\System32\perfc009.dat [2009/06/15 17:12:01 \| 00,000,767 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2009/06/15 16:31:44 \| 00,001,720 \| ---- \| M] () -- C:\WINDOWS\System32\tmp.reg [2009/06/15 13:42:29 \| 00,981,586 \| ---- \| M] () -- C:\Documents and Settings\John Christian\My Documents\cc_20090615_134143.reg [2009/06/15 13:37:06 \| 00,000,651 \| ---- \| M] () -- C:\WINDOWS\win.ini [2009/06/15 13:37:06 \| 00,000,227 \| ---- \| M] () -- C:\WINDOWS\SYSTEM.INI [2009/06/15 13:37:06 \| 00,000,211 \| -HS- \| M] () -- C:\boot.ini [2009/06/14 23:02:33 \| 01,615,732 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\ProcessExplorer.zip [2009/06/14 19:56:38 \| 00,389,120 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF1521.exe [2009/06/13 19:19:31 \| 00,001,407 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\i j j i.lnk [2009/06/12 14:20:54 \| 04,613,370 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\heartbeats.mp3 [2009/06/11 04:14:24 \| 00,000,803 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Prototype™.lnk [2009/06/10 21:23:45 \| 00,386,888 \| ---- \| M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2009/06/08 21:17:32 \| 03,099,494 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\boss.bmp [2009/06/08 08:10:10 \| 00,155,136 \| ---- \| M] () -- C:\WINDOWS\PEV.exe [2009/06/05 15:22:40 \| 00,001,341 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Huxley Lite.lnk [2009/06/05 04:36:36 \| 21,148,51485 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\Huxley_Lite_Setup.zip [2009/06/03 23:48:43 \| 00,000,854 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\The Sims 3.lnk [2009/06/03 23:37:54 \| 00,004,212 \| -H-- \| M] () -- C:\WINDOWS\System32\zllictbl.dat [2009/06/02 11:17:27 \| 00,075,776 \| ---- \| M] () -- C:\WINDOWS\System32\WS2Fix.exe [2009/06/01 12:51:12 \| 23,635,392 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe [2009/05/31 22:17:35 \| 00,015,688 \| ---- \| M] () -- C:\WINDOWS\System32\lsdelete.exe [2009/05/26 17:31:26 \| 00,058,800 \| ---- \| M] (NHN USA Inc.) -- C:\WINDOWS\System32\ijjiProcessRestarter.exe [2009/05/26 13:20:08 \| 00,040,160 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/05/26 13:19:56 \| 00,019,096 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/05/25 18:30:24 \| 31,796,401 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\169_sc2_cs_pc2_101108_hr.mp4 [2009/05/23 19:44:26 \| 00,000,308 \| ---- \| M] () -- C:\Documents and Settings\John Christian\Desktop\AA3Deploy.appref-ms [2009/05/21 18:51:48 \| 00,041,808 \| ---- \| M] () -- C:\WINDOWS\System32\xfcodec.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 451 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 < End of report > This post has been edited by jaysee: Jun 16 2009, 08:56 PM

jaysee View Member Profile	Jun 16 2009, 08:53 PM Post #6
Member Posts: 25 OS: XP Pro	*OTL added

Transience View Member Profile	Jun 17 2009, 07:07 AM Post #7
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	Let's give this a try: Please download GooredFix from one of the locations below and save it to your Desktop Download Mirror #1 Download Mirror #2 Double-click GooredFix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet. - Dave This post has been edited by Transience: Jun 17 2009, 07:08 AM

jaysee View Member Profile	Jun 17 2009, 12:23 PM Post #8
Member Posts: 25 OS: XP Pro	Noticed that when I try to pick a link after a Yahoo.com search, first it gives me a long address with my related search topic, where it starts off with a site like "affiliatesite.com" or "nanna.org", and then it has a "Redirect", finally bringing me to the spam/fake page, like that of Toseeka (which I see is a common page that these take you to). So if I look in the back/forward button arrow tab on Firefox, it goes through something like the following after clicking a link QUOTE test - Yahoo! Search Results ==> affiliatesite.com/result?blahblahblah ==> Redirect ==> Spam site Here's the Goored log: QUOTE GooredFix v1.92 by jpshortstuff Log created at 14:22 on 17/06/2009 running Option #1 (John Christian) Firefox version 3.0.11 (en-US) =====Suspect Goored Entries===== =====Dumping Registry Values===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions] "Plugins"="C:\Program Files\Mozilla Firefox\plugins" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions] "Components"="C:\Program Files\Mozilla Firefox\components" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{3414F358-CBBD-4215-8320-ABAECC12AC25}"="C:\Documents and Settings\John Christian\Local Settings\Application Data\{3414F358-CBBD-4215-8320-ABAECC12AC25}\" (Folder Missing) This post has been edited by jaysee: Jun 17 2009, 02:01 PM

Transience View Member Profile	Jun 18 2009, 08:17 AM Post #9
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	1. OTMoveIt3 Please download the OTMoveIt3 by OldTimer. Save it to your desktop. Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE :Processes explorer.exe :Reg [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{3414F358-CBBD-4215-8320-ABAECC12AC25}"=- :Commands [Purity] [EmptyTemp] [Start Explorer] [Reboot] Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Then: Please click on any of the links below to download Combofix. When you are asked to select the location of the file, please change the name of the file from ComboFix.exe to Combo-Fix.exe, and then save it to your desktop. Link 1 Link 2 Link 3 Notes: Before running ComboFix, you should disable all Antivirus, Anti-Spyware, and Firewall applications so they don't interfere with its running. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your program specifically, look here. ComboFix will temporarily disconnect your machine from the internet and change your clock settings, this is normal and both will be restored before the program terminates. Do not attempt to run any programs or click on ComboFix's window while it is running, just allow it to proceed uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times, this is normal, don't worry. Next: Double click on ComboFix.exe and follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install it. * Note: If the Recovery Console is already installed on your computer, ComboFix will ignore the installation routines and continue its malware removal procedures. Once the Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning. The program will then scan for malware and perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else. When it's finished, the program's log will appear in notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply. Close OTMoveIt3 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, navigate to the open C:\_OTMoveIt\MovedFiles folder. Open the newest .log file present in notepad and post its contents in your next reply. Just need the logs from OTMI and CF in your next reply. Cheers, Dave

jaysee View Member Profile	Jun 21 2009, 07:15 PM Post #10
Member Posts: 25 OS: XP Pro	I can't download OTMoveit3. It gives me a "404 Not Found" error page when I try. This post has been edited by jaysee: Jun 21 2009, 07:16 PM

Transience View Member Profile	Jun 22 2009, 08:27 AM Post #11
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	That's my fault, link is outdated, sorry about that. Let's do it this way instead: 1. Registry Fixes We're going to use a registry file to make the some changes to your registry. Please copy the complete contents of the box below to a new notepad file (Start > Programs > Accessories > Notepad). Ensure that the code in notepad looks exactly as it does in the box, with no blank lines before the first line of text. Please click on File > Save. In the Save as type: box click the drop-down menu and change the save as type to All files. Then please save the file to your desktop, naming it fix.reg (this name is important and should not be changed). CODE REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{3414F358-CBBD-4215-8320-ABAECC12AC25}"=- Then run ComboFix per these instructions: 2. ComboFix Please download and save ComboFix from one of these locations: Link 1 \| Link 2 \| Link 3 * It is very important that ComboFix is saved directly to your desktop. Notes: Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here. ComboFix will temporarily disconnect your machine from the internet and change your clock settings, this is normal and both will be restored before the program terminates. Do not attempt to run any programs or click on ComboFix's window while it is running, just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times, this is normal, don't worry. Next: Double click on ComboFix.exe and follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a serious problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install it. * Note: If the Recovery Console is already installed on your computer, ComboFix will ignore the installation routines and continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else. When it's finished, the program's log will appear in notepad and save itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply. Cheers, Dave

Transience View Member Profile	Jun 23 2009, 04:49 AM Post #13
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	Glad the redirects are gone . QUOTE 1. The unsecapp.exe process. Just out of curiousity, what causes it to start running? I've looked it up, and everyone says it's fine, but I've never had it running in my processes before until fairly recently (although long before this infection, as far as I'm aware). It's hard to say, it's a windows process, most likely one that wasn't used before but now one of your program needs it. QUOTE 2. Should I go ahead and change all my passwords to be on the safe side (email, general accounts, etc)? That's a good safety measure to take, but it's best to wait until we're positive you're clean (almost there ). Please go to Add/Remove Programs in your Control Panel (Programs and Features if you are a Vista user). Select and remove the following if present, don't worry if they aren't: Viewpoint Media Player (and anything else that says "Viewpoint") - Viewpoint is an annoying media player that installs alongside many different things without your permission, not a good idea to keep it on your computer. One last script to get a couple minor things: 1. Run a ComboFix script Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad). Click on File > Save and name the file CFScript.txt. This name is important and must not be changed. Change the Save as Type to All Files. Save it directly on your desktop. CODE KillAll:: Folder:: c:\windows\system32\config\systemprofile\PrivacIE FCOPY:: c:\windows\ServicePackFiles\i386\termsrv.dll \| c:\windows\system32\termsrv.dll Extra:: SysRst:: Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer. Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc. Once the script is saved, refering to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed the log should appear automatically, if it doesn't it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply. This post has been edited by Transience: Jun 23 2009, 04:52 AM

Transience View Member Profile	Jun 24 2009, 09:20 AM Post #15
Unofficial Music Guru Posts: 2,354 From: Massachusetts, USA OS: Vista	Those AVG detections are just system restore backups nothing to worry about. The Firefox page problem doesn't sound like a malware redirect to me, but let me know if you get any more. CF log looks in good shape, so let's run some final checks. Sorry you have to run MBAM again, but I really do want to make sure I get a look at a log of a full scan, not just the quick scan. First we'll clean out your unnecessary temp files to speed up the scans: TFC Please download TFC to your desktop. Save any work, then close all open windows. Double-click TFC to run it, and allow the program to complete its run, which should not take more than a couple minutes. You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot. Close TFC when it has completed. Malwarebytes' Anti-Malware Please download Malwarebytes' Anti-Malware from here. Doubleclick mbam-setup.exe to install the program. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform Full Scan, then click Scan. The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab. Copy & Paste the entire report in your next reply. Kaspersky Online Scan Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues. Update Java Please download JavaRa to your desktop and unzip it to its own folder Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions. Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it. Open JavaRa.exe again and select Search For Updates. Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer. Scan Follow this link to the Kaspersky WebScanner Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure the following is checked. Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way . - Dave

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Yahoo-Google Redirect [Closed]	5 / 214	23rd May 2009 - 12:10 PM talent80 started - last by Rorschach112
Virus, Spyware and Trojan Removal Google/Yahoo/Bing Redirect Virus? [Closed]	9 / 165	23rd August 2009 - 03:50 AM MasaCheez started - last by Rorschach112
Virus, Spyware and Trojan Removal Google searches redirect me to advertisements [Closed] 12	19 / 185	18th October 2009 - 08:26 AM Watkinsbt started - last by Rorschach112
Virus, Spyware and Trojan Removal Search Redirect Virus, google, yahoo, bing etc [Closed]	2 / 152	26th October 2009 - 04:54 PM deema1 started - last by Rorschach112