Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

file window lacks OPEN so can't upload attachment [Solved]

Started by cinbar , Jul 04 2012 12:03 PM

This topic is locked

#1
cinbar

Posted 04 July 2012 - 12:03 PM

Member

Member
45 posts

First an update
Back in late May Josh helped me get rid of the Google redirect virus. On my old Dell with Windows XP I now have Windows Firewall (had to uninstall the Zone Alarm firewall b/c it really slowed the computer down), Avast antivirus, Malware Bytes Antimalware, and SpyBlaster. (I downloaded Spybot, but it also slowed down the computer, so uninstalled it). I run scans regularly and they have so far come back clean.

I also update Java and Adobe Reader and Flash Player.

Instead of continuing to use IE, I followed Josh's suggestion and downloaded Firefox and Chrome. I have been using Firefox and it works well.

When I looked at Chrome the first page was all beige and had some babylon search box (which I now know is bad). I left the Chrome on my desktop, but didn't open it. When I found out later that it was not part of Chrome, I realized that I had downloaded a corrupted version and so I uninstalled Chrome. I searched for files with chrome and babylon and deleted them one by one. Several were evidently sandboxed by Avast and the window said they could not be opened or deleted. That's the update.

Now the current problems
1.After several unsuccessful tries on different days I realized that I could not upload attachments in my yahoo email. I can send emails without attachments and open emails that I've received (and also open their attachments).

In yahoo when I click on attach files the window that drops down has at the top the usual "attach this file to mail....". But at the bottom, instead of white boxes that are OPEN and CANCEL, the two boxes are SAVE and CANCEL, the same choices you get when working within a file. This happens whether the file I want to attach is on my flashdrive or in any other location.

When I clicked on save just to see what would happen the file's name appears in light blue and a circle spins endlessly, but it never attaches.

2.The computer is back to being slow. It takes forever to go from one URL to a different one.

I appreciate any help you can give me.

Thank you,
cinbar

#2
cinbar

Posted 12 July 2012 - 12:48 PM

Member

Topic Starter
Member
45 posts

My computer is still way too slow and I can't attach a file to Yahoo email, as described in my original posting.

Thanks for your help, cinbar

Here is the OTL log

OTL logfile created on: 7/12/2012 2:26:32 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 305.54 Mb Available Physical Memory | 59.97% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.78% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 9.46 Gb Free Space | 50.77% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 491.01 Mb Total Space | 113.38 Mb Free Space | 23.09% Space Free | Partition Type: FAT32

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/10 20:01:01 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL(1).exe
PRC - [2012/07/03 12:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

========== Modules (No Company Name) ==========

MOD - [2012/07/12 03:46:18 | 001,782,272 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12071200\algo.dll
MOD - [2012/07/11 14:53:34 | 001,782,272 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12071102\algo.dll
MOD - [2011/02/28 09:53:06 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/07/11 19:13:03 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/06/19 17:25:05 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) [Auto | Running] -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\npf.sys -- (NPF)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\bcmwlhigh5.sys -- (BCMH43XX)
DRV - [2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/09/30 20:15:00 | 001,759,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2004/08/03 18:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 18:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 18:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 18:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 18:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 18:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 18:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 18:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 18:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 18:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 18:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 18:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 18:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 18:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 18:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...000e0469a0245e5
IE - HKCU\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...1I7ADRA_enUS487
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: "http://www.msnbc.com"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/10 23:45:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/19 17:25:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/06/05 12:51:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012/07/01 13:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\extensions
[2012/07/03 11:06:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/03 11:06:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/07/10 23:45:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/06/19 17:25:08 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/01 11:39:16 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/01 11:39:16 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/15 19:24:16 | 000,442,832 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 15216 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (PricePeep) - {FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} - C:\Program Files\PricePeep\pricepeep.dll (PricePeep)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1298581213742 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5CD6C295-B387-457F-BF36-D52485551C8A}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/15 13:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/21 20:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 04:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2011/06/28 22:25:00 | 000,016,384 | ---- | M] () - E:\AutoWeek query 6-29-11.doc -- [ FAT32 ]
O32 - AutoRun File - [2011/08/12 01:40:10 | 000,015,872 | ---- | M] () - E:\AutoWeek query 8-12-11sunroof,,Xmas decor.doc -- [ FAT32 ]
O32 - AutoRun File - [2012/06/27 23:26:14 | 000,013,824 | ---- | M] () - E:\AutoWeek query NASCAR tracks 6-29-12.doc -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk /k:C *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/03 11:04:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/06/18 09:18:51 | 001,759,584 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\drivers\athuw.sys
[2012/06/18 09:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\InstallShield
[2012/06/17 09:57:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Apple Computer
[2012/06/16 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\CheckPoint
[2012/06/16 21:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/06/12 17:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/06/12 17:22:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2012/06/12 17:19:21 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster

========== Files - Modified Within 30 Days ==========

[2012/07/12 14:12:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/12 14:12:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/12 11:52:19 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/07/12 07:19:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/12 07:18:54 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/12 07:18:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/10 23:47:59 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/07/03 12:21:53 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/06/18 09:22:42 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/18 09:22:42 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/17 12:04:03 | 000,238,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/16 21:47:14 | 000,001,616 | ---- | M] () -- C:\user.js
[2012/06/15 19:24:16 | 000,442,832 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/13 16:41:07 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/12 17:22:34 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\user\Desktop\SpywareBlaster.lnk

========== Files Created - No Company Name ==========

[2012/07/10 23:48:02 | 000,000,316 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/06/12 17:22:33 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\user\Desktop\SpywareBlaster.lnk
[2012/06/05 00:33:35 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-pp.jbs
[2012/02/15 10:03:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/28 13:34:55 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\user\ntuser.pol
[2008/04/17 12:16:42 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2012/06/11 19:23:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/06/16 21:41:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2009/10/12 10:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Renaissance Learning
[2012/06/23 11:22:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/06/16 21:48:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\CheckPoint
[2009/10/12 10:34:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Inspiration Software
[2011/02/28 09:57:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\OpenOffice.org
[2012/07/12 11:52:19 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#3
Dakeyras

Posted 13 July 2012 - 02:12 PM

Anti-Malware Mammoth

Expert
9,772 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go.

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Mutiple Anti-Virus Advice:

It appears at present your machine has both Avast and Microsoft Security Essentials installed and active in system memory. This would go a long way to explain some of your current issues.

Having more than one Anti-Virus installed will create a myriad of problems all told and actually lesson overall online protection. So my friendly advice would be choose which you wish to keep and uninstall the other, either is fine to keep installed I will further add.

Security Application Check:

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

Double-click SecurityCheck.exe then follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt
Please post the contents of that document in your next reply.

Re-scan with OTL:

Please delete your current version of OTL, all logs created by OTL if present and then empty the Recycle Bin.

Then download this updated version of OTL and save it to your Desktop.

Alternate downloads are here and here.

Double-click on OTL.exe to start OTL.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?
SecurityCheck Log.
Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.

#4
cinbar

Posted 13 July 2012 - 06:24 PM

Member

Topic Starter
Member
45 posts

Dakeyras,

Thanks for helping me!

1.I uninstalled MSE (I had thought that turning it off would be sufficient) so now I have only Avast for the antivirus program. The computer is still slow. I checked in Yahoo email and when I click on attachment I still get the window with Save or Cancel not the correct Open or Cancel.

I'm still getting kicked off line or dropped connection. Firefox displaya a window with "the connection to the server was reset while the page was loading."

2. Here is the Security Check log. I will post each OTL log in a separate reply. I'm trying to send this before the connection drops.

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 22
Java™ 6 Update 33
Java™ 6 Update 3
Java version out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader X (10.1.3)
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````

#5
cinbar

Posted 13 July 2012 - 06:52 PM

Member

Topic Starter
Member
45 posts

Here is the OTL.txt log

OTL logfile created on: 7/13/2012 8:29:07 PM - Run 2
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 171.79 Mb Available Physical Memory | 33.72% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.73% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 10.20 Gb Free Space | 54.74% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/13 20:11:15 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL.exe
PRC - [2012/07/03 12:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/06/19 17:25:07 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe

========== Modules (No Company Name) ==========

MOD - [2012/07/13 15:27:34 | 001,783,296 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12071301\algo.dll
MOD - [2012/06/19 17:25:04 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/02/28 09:53:06 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/07/11 19:13:03 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/06/19 17:25:05 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) [Auto | Running] -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\npf.sys -- (NPF)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\bcmwlhigh5.sys -- (BCMH43XX)
DRV - [2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/09/30 20:15:00 | 001,759,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2004/08/03 18:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 18:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 18:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 18:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 18:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 18:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 18:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 18:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 18:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 18:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 18:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 18:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 18:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 18:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 18:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...utputEncoding?}
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bourbon.k12.ky.us;ketsmail.us;kossaonline.ecollege.com;10.38.96.13;bourbon.kyschools.us;<local>
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.38.16.14:8080

IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bourbon.k12.ky.us/boco/
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...utputEncoding?}
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bourbon.k12.ky.us;ketsmail.us;kossaonline.ecollege.com;10.38.96.13;bourbon.kyschools.us;<local>
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.38.16.14:8080

IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...000e0469a0245e5
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...1I7ADRA_enUS487
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: "http://www.msnbc.com"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/10 23:45:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/19 17:25:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/06/05 12:51:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012/07/01 13:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\extensions
[2012/07/03 11:06:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/03 11:06:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/07/10 23:45:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/06/19 17:25:08 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/01 11:39:16 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/01 11:39:16 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/15 19:24:16 | 000,442,832 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 15216 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (PricePeep) - {FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} - C:\Program Files\PricePeep\pricepeep.dll (PricePeep)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t File not found
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t File not found
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\tmills\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O7 - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1298581213742 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5CD6C295-B387-457F-BF36-D52485551C8A}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/15 13:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/21 20:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 04:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk /k:C *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/03 11:06:05 | 000,157,448 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/07/03 11:06:05 | 000,149,256 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/07/03 11:06:05 | 000,149,256 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/07/03 11:04:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/06/18 09:18:51 | 001,759,584 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\drivers\athuw.sys
[2012/06/18 09:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\InstallShield
[2012/06/17 09:57:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Apple Computer
[2012/06/16 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\CheckPoint
[2012/06/16 21:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

========== Files - Modified Within 30 Days ==========

[2012/07/13 20:12:28 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/13 20:12:23 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/13 19:06:49 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/07/13 11:48:25 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/07/13 09:06:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/13 09:06:10 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/13 09:05:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/11 19:12:59 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/11 19:12:58 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/07/10 23:47:59 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/07/03 12:21:53 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/06/18 09:22:42 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/18 09:22:42 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/17 12:04:03 | 000,238,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/16 21:47:14 | 000,001,616 | ---- | M] () -- C:\user.js
[2012/06/15 19:24:16 | 000,442,832 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

========== Files Created - No Company Name ==========

[2012/07/10 23:48:02 | 000,000,316 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/06/05 00:33:35 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-pp.jbs
[2012/02/15 10:03:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/28 13:34:55 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\user\ntuser.pol
[2008/04/17 12:16:42 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#6
cinbar

Posted 13 July 2012 - 07:22 PM

Member

Topic Starter
Member
45 posts

Here is the Extras/txt ;pg

OTL Extras logfile created on: 7/13/2012 8:29:07 PM - Run 2
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 171.79 Mb Available Physical Memory | 33.72% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.73% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 10.20 Gb Free Space | 54.74% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- C:\PROGRA~1\MICROS~2\Office\FRONTPG.EXE
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\AVAST Software\Avast\AvastUI.exe" = C:\Program Files\AVAST Software\Avast\AvastUI.exe:*:Enabled:avast! Free Antivirus -- (AVAST Software)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes Anti-Malware -- (Malwarebytes Corporation)
"C:\Program Files\Microsoft Security Client\msseces.exe" = C:\Program Files\Microsoft Security Client\msseces.exe:*:Enabled:Microsoft Security Essentials
"C:\Program Files\NETGEAR\WNA1100\WNA1100.exe" = C:\Program Files\NETGEAR\WNA1100\WNA1100.exe:*:Enabled:NETGEAR WNA1100 Smart Wizard
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 33
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"PricePeep" = PricePeep
"SpywareBlaster_is1" = SpywareBlaster 4.6
"Tweak UI 2.10" = Tweak UI
"Windows XP Service Pack" = Windows XP Service Pack 3
"ZoneAlarm LTD Toolbar" = ZoneAlarm LTD Toolbar

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/24/2012 9:56:07 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/25/2012 4:59:32 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/25/2012 6:37:03 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 2:01:42 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 4:48:30 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 9:11:55 PM | Computer Name = BOURBON-160D789 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 5/28/2012 8:49:54 AM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 10:06:46 AM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 12:21:35 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 5:36:24 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 7/13/2012 5:06:34 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 5:07:12 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 5:07:52 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 5:09:14 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 5:10:03 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 5:12:45 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 6:35:54 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 6:36:26 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 6:37:03 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 7/13/2012 8:21:46 PM | Computer Name = BOURBON-160D789 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

< End of report >

#7
Dakeyras

Posted 14 July 2012 - 05:40 AM

Anti-Malware Mammoth

Expert
9,772 posts

Hi.

Thanks for the update and you're most welcome also!

Random Access Memory Advice:

509.51 Mb Total Physical Memory | 171.79 Mb Available Physical Memory | 33.72% Memory free

Though Microsoft claims XP will run with a mere 128 MB installed in my humble opinion a bare minimum of 1 GB is far better.

If you wish to upgrade the installed memory, Crucial have a small scanner(CrucialScan.exe) which is perfectly safe to download and run. Which will advise if your system can support any upgraded memory modules. They cater for the US/UK and Europe.

Next:

Below are some preliminary steps I would like your good self to carry out please as follows...

Next:

Please move OTL.exe to the desktop, it is currently residing here:-

C:\Documents and Settings\user\My Documents\Downloads\OTL.exe

Then go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Java™ 6 Update 3 <-- We will update Java in due course.
Java™ 6 Update 22
Java™ 6 Update 33
PricePeep <-- Has undesirable characteristics.
SpywareBlaster 4.6 <-- Personally I think no need for this since you have Internet Explorer 8 installed. However your choice to uninstall or not.
ZoneAlarm LTD Toolbar

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

Please go here and download ERUNT.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double-click on erunt-setup.exe to Install ERUNT by following the prompts.
Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK

firewall.cpl

Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Next:

Let myself know when completed the above...if any problems encountered etc and we will go from there, thank you.

#8
cinbar

Posted 14 July 2012 - 10:09 AM

Member

Topic Starter
Member
45 posts

Dakeyras,

OTL is on my desktop.

I did add/remove for the Javas, PricePeep. ZOneAlarmToolbar was not listed in add/remove (and I thought it was all gone b/c I had done the multi step uninstall for it). I found toolbar and three other ZA files listed when I checked via Search so I deleted each one and also checked so they're not in Recycle Bin.

I kept SpywareBlaster for the time being. GTG Josh said it blocks ActiveX controls and prevents their installation.

I installed ERUNT for registry backup. It didn't say no for startup folder, just gave different locations so I put it in accessories. Please tell me if I should put it somewhere else. (A later screen offered to run a backup every time I clicked on Start and I chose no to that.)

I reset the firewall.

New matter to mention and ask about:
After I click on Firefox to begin my default homepage is msnbc.com With news photos and videos to load it does have different files names quickly flashing by on the bottom tool bar. Most are msn or msnbc something and some are Google or ad network names.

I have noticed "waiting for ie slice" among the other file names. I see that another person has a new topic on GTG about removing ie slice. I sometimes get the "file error 404 document not found" page and I have sometimes landed on an "internet explorer cannot open the file" page even though I never opened IE and am using Firefox. Does this mean my computer has the ie slice malware buried somewhere?

Thanks,
cinbar

#9
Dakeyras

Posted 14 July 2012 - 01:44 PM

Anti-Malware Mammoth

Expert
9,772 posts

Hi.

I kept SpywareBlaster for the time being. GTG Josh said it blocks ActiveX controls and prevents their installation.

Fair play only reason I mentioned it...Is because Spyware Blaster essentially works by adding a large number of sites to the Restricted Sites in IE, so that when you land on one of the listed sites you have reduced browser functionality.

IE was never really designed to have that number of sites thus listed, and it can affect the performance of IE quite noticeably on some machines. You can get a similar type of protection using a Hosts file, which blocks access to bad sites rather than limit functionality, and does not cause the same kind of performance hits to IE. Plus overall Internet Explorer 8 when configured correctly will also provide similar protection as Spyware Blaster etc.

New matter to mention and ask about:
After I click on Firefox to begin my default homepage is msnbc.com With news photos and videos to load it does have different files names quickly flashing by on the bottom tool bar. Most are msn or msnbc something and some are Google or ad network names.

I have noticed "waiting for ie slice" among the other file names. I see that another person has a new topic on GTG about removing ie slice. I sometimes get the "file error 404 document not found" page and I have sometimes landed on an "internet explorer cannot open the file" page even though I never opened IE and am using Firefox. Does this mean my computer has the ie slice malware buried somewhere?

That we can address in due course.

Next:

Is this machine actually your property? Just wondering now because of these:-

Computer Name: BOURBON-160D789

IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bourbon.k12.ky.us;ketsmail.us;kossaonline.ecollege.com;10.38.96.13;bourbon.kyschools.us;<local>

IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bourbon.k12.ky.us/boco/

Also did you purposely set this proxy with a open port?

IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.38.16.14:8080

#10
cinbar

Posted 14 July 2012 - 02:35 PM

Member

Topic Starter
Member
45 posts

RE ie slice--I had a feeling we might have to get to addressing it. I appreciate your help b/c that's beyond my computer knowledge.

I have not used IE since GTG Josh suggested I change to either Firefox or Chrome. I think I will uninstall the spyblaster.

Yes, my computer. When a nearby school system upgraded they sold the computers being replaced to the public. I've noticed some things where I've been told I can't do something b/c I'm not the administrator, so I guess they forgot to change that before the sale, at least on my computer.

For the port setting, I have no idea how to do that, so if I changed anything it was by accident. I put a flashdrive in a USB port and that is about the extent of my (know how to) dealing with ports

Thanks,
cinbar

#11
Dakeyras

Posted 15 July 2012 - 07:55 AM

Anti-Malware Mammoth

Expert
9,772 posts

Hi.

I have not used IE since GTG Josh suggested I change to either Firefox or Chrome. I think I will uninstall the spyblaster.

Fair play re Spyware Blaster, that is at your own discretion as mentioned prior. As for Internet Explorer, earlier versions(as in 5, 6 & 7 for example) were more susceptible to becoming compromised but so is any browser actually even say Internet Explorer v9 that is currently the version to be used with Vista/Windows 7 based machines.

Overall regardless if any one browser is used on a machine if configured correctly and kept up-to date along with observing safe online practises goes a long way towards actually keeping a machine secure that has internet access for example.

Yes, my computer. When a nearby school system upgraded they sold the computers being replaced to the public. I've noticed some things where I've been told I can't do something b/c I'm not the administrator, so I guess they forgot to change that before the sale, at least on my computer.

OK and thank you for the clarification, the latter may be problematic but we can address that in due course.

For the port setting, I have no idea how to do that, so if I changed anything it was by accident. I put a flashdrive in a USB port and that is about the extent of my (know how to) dealing with ports

Not a problem, for interest sake by open port in this instance I was refereing to what is basically a incorrectly configured TCP/IP(transmission control protocol - internet protocol) port which a computer uses to communicate online etc be it intentional and or the consequence of malware for example. We will address this shortly.

We will also be resetting your machines current Host-File as it appears the immunisation feature(actually a pseudo Host-File) of the previously installed Spybot - Search & Destroy was used be it intentional or not. Normally this would be fine to leave as but since the application is no longer installed no point keeping it and I will advise the use of a stand alone custom Host -File when I give the all clear.

Also there appears to be a element of Faronics Deep Freeze installed, probably left on the machine by mistake when it was sold. Are you actually aware of this or not?

Anyway lets proceed as follows shall we, just take your time and all should go well...

Custom OTL Script:

Double-click OTL.exe to start the program.
Copy the lines from the quote-box(do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Commands
[CreateRestorePoint]

:OTL
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bourbon.k12.ky.us;ketsmail.us;kossaonline.ecollege.com;10.38.96.13;bourbon.kyschools.us;<local>
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.38.16.14:8080
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bourbon.k12.ky.us/boco/
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.bourbon.k12.ky.us;ketsmail.us;kossaonline.ecollege.com;10.38.96.13;bourbon.kyschools.us;<local>
IE - HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.38.16.14:8080
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...000e0469a0245e5
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (PricePeep) - {FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} - C:\Program Files\PricePeep\pricepeep.dll (PricePeep)
O3 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t File not found
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
[2012/07/03 11:04:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/06/16 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\CheckPoint
[2012/06/16 21:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/06/15 19:12:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

:Files
ipconfig /flushdns /c
%systemroot%\prefetch\*.*
C:\Program Files\PricePeep

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar]

:Commands
[ResetHosts]
[EmptyTemp]
[Reboot]

Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Also there may be a slight/noticeable lag with your commonly used applications after running the above script because at this time I opted to actually flush your machines prefetch folder. Reason being the aforementioned has probably not been done in quite some time and no need for orphaned entries for software no longer installed etc.

Malwarebytes Anti-Malware:

Note: During the update procedure you should be prompted to actually update MBAM to version version 1.62.0.1300, reboot your machine if prompted to do so after the installtion and Check for Updates again prior to running the quick scan.

After updateing when the program re-loads...Decline the Malwarebytes' Anti-Malware Trial (You can activate this when we've finished, if you so wish)

Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Scan with F-Secure Blacklight:

Click here to download Blacklight, save it to your Desktop.

Now click on Start >> Run..., copy in the following text, and press Enter:

"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.

Click on Scan, wait for it to finish, then click on Close.

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers etc).

Copy and paste the contents of this log into your next reply.

When completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?
Answer to my Faronics Deep Freeze query.
OTL Log from the Custom Script.
Malwarebytes Anti-Malware Log.
Blacklight Log.

#12
cinbar

Posted 15 July 2012 - 11:32 AM

Member

Topic Starter
Member
45 posts

Dakeyras,

Thanks for your reply.

1.My computer is faster. I still sometimes get the "firefox can't find server" page when the internet connection is strong and I've clicked on a previous URL (so no typing error).

2.Yes, the Faronics Deep Freeze was left on. When I first got the computer about a year ago it would flash on very quickly sometimeduring my logon and going to first URL. A neighbor's grandson told me that Faronics was on the computers at his school, to prevent the students from installing programs. Since I download few programs and it appeared only occasionally I just left it there. (You've probably figured out that I use the computer for reading and research on the internet, writing, and email. I sometimes upload JPEGs, but I don't have video games or run programs with lots of graphics.)

3.Here is the OTL log. Two other logs to follow in next reply. Thanks for your help, cinbar

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E!
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-1089\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E!
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E!
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-8904\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E!
Unable to set value : HKU\S-1-5-21-1660429669-1676308955-572944225-8904\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E!
HKEY_USERS\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@checkpoint.com/FFApi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33\ deleted successfully.
C:\WINDOWS\system32\npdeployJava1.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/JavaPlugin\ not found.
File C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
File C:\Program Files\Java\jre6\bin\ssv.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\ not found.
File C:\Program Files\PricePeep\pricepeep.dll not found.
Registry value HKEY_USERS\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\DWQueuedReporting deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\DWQueuedReporting not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common\MsiExec folder moved successfully.
C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common folder moved successfully.
C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS folder moved successfully.
C:\Documents and Settings\All Users\Application Data\McAfee folder moved successfully.
C:\Documents and Settings\user\Application Data\CheckPoint folder moved successfully.
C:\Documents and Settings\All Users\Application Data\CheckPoint folder moved successfully.
C:\Program Files\Spybot - Search & Destroy folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\user\My Documents\Downloads\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\ACRORD32.EXE-19C3D96E.pf moved successfully.
C:\WINDOWS\prefetch\ADOBEARM.EXE-2D1B11BF.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1016.0.E-09997908.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1082.0.E-3A99BA14.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1154.0.E-2CFEEF3C.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1224.0.E-0272AA12.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1298.0.E-31A15A84.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.1411.0.E-1480B26A.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.857.0.EX-385391A4.pf moved successfully.
C:\WINDOWS\prefetch\AM_DELTA_PATCH_1.129.952.0.EX-0891941A.pf moved successfully.
C:\WINDOWS\prefetch\ASWOFFERTOOL.EXE-1F51A021.pf moved successfully.
C:\WINDOWS\prefetch\AU_.EXE-34DF17FA.pf moved successfully.
C:\WINDOWS\prefetch\AVAST.SETUP-10F48C5B.pf moved successfully.
C:\WINDOWS\prefetch\AVASTEMUPDATE.EXE-033BD90D.pf moved successfully.
C:\WINDOWS\prefetch\AVASTUI.EXE-0B3C80E5.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf moved successfully.
C:\WINDOWS\prefetch\CMDINFO.EXE-0711F2CF.pf moved successfully.
C:\WINDOWS\prefetch\CTFMON.EXE-0E17969B.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-273F131E.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-269967DF.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-1B46F901.pf moved successfully.
C:\WINDOWS\prefetch\DW20.EXE-22C39A55.pf moved successfully.
C:\WINDOWS\prefetch\DWWIN.EXE-30875ADC.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT-SETUP.EXE-057291DD.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT.EXE-10F447C7.pf moved successfully.
C:\WINDOWS\prefetch\EVENTCREATE.EXE-28AF53E7.pf moved successfully.
C:\WINDOWS\prefetch\EXPLORER.EXE-082F38A9.pf moved successfully.
C:\WINDOWS\prefetch\FIND.EXE-0EC32F1E.pf moved successfully.
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf moved successfully.
C:\WINDOWS\prefetch\FIREFOX.EXE-28641590.pf moved successfully.
C:\WINDOWS\prefetch\FLASHPLAYERINSTALLER.EXE-202A7CDB.pf moved successfully.
C:\WINDOWS\prefetch\FLASHPLAYERUPDATESERVICE.EXE-34BC5027.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLECRASHHANDLER.EXE-2AD830DE.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLETOOLBARMANAGER_F91D44FA-2888D10D.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLETOOLBARNOTIFIER.EXE-3629C61D.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATE.EXE-1E123D86.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATEONDEMAND.EXE-0B619B04.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATERSERVICE.EXE-3AB369BE.pf moved successfully.
C:\WINDOWS\prefetch\HELPCTR.EXE-3862B6F5.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-2878DDA2.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf moved successfully.
C:\WINDOWS\prefetch\IPCONFIG.EXE-2395F30B.pf moved successfully.
C:\WINDOWS\prefetch\IS-LVRBE.TMP-39B5E80A.pf moved successfully.
C:\WINDOWS\prefetch\JAUREG.EXE-009F59AE.pf moved successfully.
C:\WINDOWS\prefetch\JAVA.EXE-0C263507.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-0027F41D.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-2DC32ABC.pf moved successfully.
C:\WINDOWS\prefetch\JAVAWS.EXE-021AC9A9.pf moved successfully.
C:\WINDOWS\prefetch\JQS.EXE-1D781F77.pf moved successfully.
C:\WINDOWS\prefetch\JRE-6U33-WINDOWS-I586-IFTW.EX-0387469C.pf moved successfully.
C:\WINDOWS\prefetch\JUCHECK.EXE-1B0E4D0A.pf moved successfully.
C:\WINDOWS\prefetch\JUSCHED.EXE-0F4A509D.pf moved successfully.
C:\WINDOWS\prefetch\Layout.ini moved successfully.
C:\WINDOWS\prefetch\MBAM.EXE-0BEE0439.pf moved successfully.
C:\WINDOWS\prefetch\MPCMDRUN.EXE-1E628E9C.pf moved successfully.
C:\WINDOWS\prefetch\MPSIGSTUB.EXE-1D30D19B.pf moved successfully.
C:\WINDOWS\prefetch\MSHTA.EXE-331DF029.pf moved successfully.
C:\WINDOWS\prefetch\MSI2E.TMP-2FAE7E44.pf moved successfully.
C:\WINDOWS\prefetch\MSI33.TMP-23D29666.pf moved successfully.
C:\WINDOWS\prefetch\MSIA0.TMP-313A5F7A.pf moved successfully.
C:\WINDOWS\prefetch\MSIA2.TMP-06C1F2FF.pf moved successfully.
C:\WINDOWS\prefetch\MSIDC.TMP-09B79728.pf moved successfully.
C:\WINDOWS\prefetch\MSIE7.TMP-0A2F8F2C.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-2F8A8CAE.pf moved successfully.
C:\WINDOWS\prefetch\MSSECES.EXE-14257906.pf moved successfully.
C:\WINDOWS\prefetch\NETSH.EXE-085CFFDE.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMDC.EXE-31E5482A.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-189578DA.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\OBJLIST.EXE-209B3C70.pf moved successfully.
C:\WINDOWS\prefetch\OTL.EXE-2C99CF82.pf moved successfully.
C:\WINDOWS\prefetch\PATCHJRE.EXE-36513358.pf moved successfully.
C:\WINDOWS\prefetch\PLUGIN-CONTAINER.EXE-15EDC9DD.pf moved successfully.
C:\WINDOWS\prefetch\QTTASK.EXE-342507FB.pf moved successfully.
C:\WINDOWS\prefetch\QUICKSTART.EXE-24C38DA1.pf moved successfully.
C:\WINDOWS\prefetch\READER_SL.EXE-3329220B.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-25EEFE2F.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-27DDF29D.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2C7B5C4A.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CD85FD3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2E8BF1B0.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2EC34910.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-311943EE.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-3131E935.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-3D70E549.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-407A19B9.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-451FC2C0.pf moved successfully.
C:\WINDOWS\prefetch\SC.EXE-012262AF.pf moved successfully.
C:\WINDOWS\prefetch\SECURITYCHECK.EXE-2D57B52B.pf moved successfully.
C:\WINDOWS\prefetch\SED.EXE-39C2CBF3.pf moved successfully.
C:\WINDOWS\prefetch\SETUP.EXE-1B0B1E69.pf moved successfully.
C:\WINDOWS\prefetch\SETUP.EXE-2E4B4E8F.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-05D03886.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-0E36A3DB.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-10E6C261.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-249F3977.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-33F5CCEF.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-379896A1.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-3A390E67.pf moved successfully.
C:\WINDOWS\prefetch\SOFFICE.BIN-01E25E9C.pf moved successfully.
C:\WINDOWS\prefetch\SOFFICE.EXE-358D937C.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.EXE-07D9DDA9.pf moved successfully.
C:\WINDOWS\prefetch\SWRITER.EXE-38A9F6BD.pf moved successfully.
C:\WINDOWS\prefetch\UNINS000.EXE-1CFDBE67.pf moved successfully.
C:\WINDOWS\prefetch\UNINSTALL.EXE-0B7C012F.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf moved successfully.
C:\WINDOWS\prefetch\WINHLP32.EXE-2C18E975.pf moved successfully.
C:\WINDOWS\prefetch\WMIAPSRV.EXE-1E2270A5.pf moved successfully.
C:\WINDOWS\prefetch\WMIC.EXE-3B772CC6.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf moved successfully.
C:\WINDOWS\prefetch\WORDPAD.EXE-24533991.pf moved successfully.
C:\WINDOWS\prefetch\WSCNTFY.EXE-1B24F5EB.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf moved successfully.
C:\WINDOWS\prefetch\_IU14D2N.TMP-1796BE13.pf moved successfully.
C:\WINDOWS\prefetch\~TMP.EXE-036870DC.pf moved successfully.
File\Folder C:\Program Files\PricePeep not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jcrossfi

User: LocalService
->Temp folder emptied: 2053560 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2513138 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: tmills
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 130683660 bytes
->Temporary Internet Files folder emptied: 16402135 bytes
->Java cache emptied: 22750 bytes
->FireFox cache emptied: 58321933 bytes
->Flash cache emptied: 4334 bytes

User: wtipton2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6012313 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 102162 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 206.00 mb

OTL by OldTimer - Version 3.2.54.0 log created on 07152012_125803

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...
[2012/07/15 13:12:12 | 000,000,000 | ---- | M] () C:\WINDOWS\temp\_avast_\Webshlock.txt : Unable to obtain MD5

Registry entries deleted on Reboot...

#13
cinbar

Posted 15 July 2012 - 12:35 PM

Member

Topic Starter
Member
45 posts

4. Here is the Malware bytes log. It found only a PUP Bundleoff.
QUESTION: I remember checking ON for PUP (in Avast or Malwarebytes sometime ago. Why wouldn't that have stopped this PUP Bundleoff?

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: BOURBON-160D789 [administrator]

7/15/2012 1:44:16 PM
mbam-log-2012-07-15 (13-44-16).txt

5.Here is the FSB Log

After the Windows cautionary tan window ("This is an exe file do you want to save it?") opened and I clicked on save it went directly to the license agreement. I had no place to copy in "%userprofile.../expert"

Also it never gave me a screen to choose to save the file in desktop, so I found the log file by search box. Do I need to move these files to Desktop?

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246575
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\tmills\Desktop\FreeFileViewer2011Setup.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)

#14
Dakeyras

Posted 16 July 2012 - 05:00 AM

Anti-Malware Mammoth

Expert
9,772 posts

Hi.

I still sometimes get the "firefox can't find server" page when the internet connection is strong and I've clicked on a previous URL (so no typing error).

OK please check for myself if the same occurs with Internet Explorer.

I remember checking ON for PUP (in Avast or Malwarebytes sometime ago. Why wouldn't that have stopped this PUP Bundleoff?

Any one security related scanning application will only detect what is in its current database. That is why always prudent to keep them updated, I will explain more about this when I give the all clear.

Yes, the Faronics Deep Freeze was left on. When I first got the computer about a year ago it would flash on very quickly sometimeduring my logon and going to first URL. A neighbor's grandson told me that Faronics was on the computers at his school, to prevent the students from installing programs. Since I download few programs and it appeared only occasionally I just left it there

We will leave that be then as according to my research you would require a password to actually fully remove. If in the event it does cause any issues with the malware removal process we will then address that. Though might be a idea to inquire yourself from were you purchased the machine. For interest sake is there actually a icon for the software in the taskbar at all?

Do I need to move these files to Desktop?

Yes do so please, as in move fsbl.exe the executable for Blacklight to the Desktop.

Then run it per my prior instructions. Any problems just let myself know.

#15
cinbar

Posted 16 July 2012 - 10:51 AM

Member

Topic Starter
Member
45 posts

Dakeyras,

1.I moved the fsbl exe to desktop, but when I tried to open it to run it and so create a new log it wouldn't open, even though the icon is on an adobe file background.

So I went back to your reply before the last one, downloaded fsbl again. When I clicked on it, it asked if I wanted to run this exe file. When I confirmed run it went immediately to the license acceptance. As with the first time on Sunday there was no place to paste in your "%userprofile.."

When the scan finished I clicked Close, but it never opened a log and there is no log file on my desktop or found when I checked via START> SEARCH (just to be sure).

So I ran the fsbl exe again and repeated the scan, but again no log was produced.

2.I will check to see if IE fails to find URLs when the address is correct and the internet connection is on and let you know.

Thanks,
cinbar