file window lacks OPEN so can't upload attachment [Solved]


This topic is locked

#46 cinbar (Member, Topic Starter, 45 posts)
Dakeyras,

I moved ComboFix to Desktop this morning (I thought), but evidently I only created a shortcut/icon. (And I now have two more such icons as I tried to comply with your request.)

In the ComboFix instructions there is a SaveAs screen, but my computer showed only the Save screen. I went back and moved it to Desktop (I thought), but obviously it didn't get moved there.

Tonight I tried two ways to move the CF exe file to Desktop. I used Start--Search--and selected the name, then clicked on File. My computer uses Send To and it offers only Zip File, Desktop (create shortcut) [the exact way it appears], mail recipient and my documents. There is no Desktop without the create shortcut.

Then I went to My Documents and clicked on Downloads (Firefox has a drop-down window showing the latest downloads and I thought that was just a convenience. I didn't realize that Downloads is an actual folder of files.) Again I tried by selecting/highlighting and Send To to move this CF exe to Desktop.

Some of the software you've had me download put itself into Desktop and some of it offered me the choice to put it there as it was installing. Some I went back and (I thought) moved to Desktop (the icons are there on my screen), but evidently they remained in downloads.

1. Is there another way for me to move CF exe to Desktop or shall I run it where it is?

2. Possibly of interest: while I was in the My Documents/Downloads folder I saw the hyggee6i.exe file there. The pqkdeuds file was not there though.

Thanks,
cinbar

#47 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)
Hi. :)

Possibly of interest: while I was in the My Documents/Downloads folder I saw the hyggee6i.exe file there

That will be removed via the custom ComboFix script.

OK, please delete all versions of ComboFix you may have and, since if I recall you are using Firefox to download with, let's merely change the actual download destination/location to the desktop.

You can change this back if you so wish when we have completed the malware removal process...

Change Firefox Download File Location

Then download a new version of ComboFix from here.

Also, to make things a tad easier, I have attached the custom ComboFix script for you in turn to download etc.

Then just follow my prior instructions in my last post for running the actual custom ComboFix script.

#48 cinbar (Member, Topic Starter, 45 posts)
Dakeyras,

My computer is running faster and moving straight from the home page to other URLs most of the time. I still get some redirects to ieonline/ieslice.

I deleted the old ComboFix versions and changed the Firefox download file location to desktop. I downloaded the new ComboFix, disabled avast. The new CFScript.txt downloaded and dragged into ComboFix perfectly.

ComboFix went through its scan fine. When I returned the screen said preparing log. Nobody touched the mouse or any part of the computer. When I left and returned again, instead of the finished Notepad log the screen had the window that says "Windows detected a serious problem. Send error report or don't send."

Just in case this was some type of late stage stall, I opened the Task Manager and carefully checked the names of everything listed in Processes. There was no findstr, find, sed or swreg.

Should I rerun the ComboFix with the dragged-in custom script (or does it work only one time)?

Here is a Malwarebytes log on the chance that it might give you some useful information. Thanks, cinbar

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.24.12

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: BOURBON-160D789 [administrator]

7/24/2012 4:56:49 PM
mbam-log-2012-07-24 (16-56-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227290
Time elapsed: 14 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

#49 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)
Hi. :)

I still get some redirects to ieonline/ieslice.

Is this occurring with just Firefox, or with Internet Explorer also?

ComboFix went through its scan fine. When I returned the screen said preparing log. Nobody touched the mouse or any part of the computer. When I left and returned again, instead of the finished Notepad log the screen had the window that says "Windows detected a serious problem. Send error report or don't send."

Hmm, unexpected, but if ComboFix had got to this stage it is unlikely to be the cause, and this is possibly an unrelated issue. Any computer can do such for a myriad of reasons, but I think we will check this out in due course to err on the side of caution.

Should I rerun the ComboFix with the dragged-in custom script (or does it work only one time)?

No need to rerun ComboFix again at this time with the actual custom script. Do, however, check for me whether the new log is available, as follows:

Click on Start >> My Computer >> C: >> and check if this log is present:- ComboFix2.txt

#50 cinbar (Member, Topic Starter, 45 posts)
Dakeyras,

The occasional redirects to ieonline/ieslice occur when I am using Firefox. I haven't used IE at all.

I think what follows is the correct ComboFix log. It is named ComboFix.txt, no 2 in the name, but the date and time I ran it match.

Thanks, cinbar

ComboFix 12-07-25.04 - user 07/24/2012 15:41:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.224 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\Documents and Settings\user\My Documents\Downloads\hyggee6i.exe"


((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))


2012-07-20 20:57:41 . 2012-07-20 20:57:41 -------- d-----w- C:\Documents and Settings\user\Application Data\WinPatrol
2012-07-20 02:59:28 . 2012-07-14 00:17:47 136672 ----a-w- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
2012-07-19 00:46:32 . 2012-07-19 00:46:32 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\Sun
2012-07-18 21:20:09 . 2012-07-18 21:20:09 -------- d-----w- C:\Program Files\Common Files\Java
2012-07-18 21:02:28 . 2012-07-18 21:00:22 143872 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2012-07-18 21:02:26 . 2012-07-18 21:00:19 772592 ----a-w- C:\WINDOWS\system32\npDeployJava1.dll
2012-07-17 21:33:28 . 2012-07-17 21:33:28 -------- d-----w- C:\Program Files\ESET
2012-07-15 16:58:03 . 2012-07-15 16:58:03 -------- d-----w- C:\_OTL
2012-07-14 15:43:28 . 2012-07-14 15:44:47 -------- d-----w- C:\Program Files\ERUNT
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-07-18 21:00:19 . 2011-02-24 20:41:50 687600 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2012-07-11 23:12:59 . 2012-06-05 04:18:41 426184 ----a-w- C:\WINDOWS\system32\FlashPlayerApp.exe
2012-07-11 23:12:58 . 2012-03-09 13:07:41 70344 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46:44 . 2012-05-29 23:44:13 22344 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-07-03 16:21:54 . 2012-06-11 23:28:36 54232 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:43 353688 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:43 21256 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:37 35928 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:35 721000 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:34 97608 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2012-07-03 16:21:53 . 2012-06-11 23:28:34 89624 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2012-07-03 16:21:52 . 2012-06-11 23:28:33 25256 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2012-07-03 16:21:32 . 2012-06-11 23:25:22 41224 ----a-w- C:\WINDOWS\avastSS.scr
2012-07-03 16:21:28 . 2012-06-11 23:25:15 227648 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2012-06-02 19:19:44 . 2008-04-17 16:39:23 22040 ----a-w- C:\WINDOWS\system32\wucltui.dll.mui
2012-06-02 19:19:38 . 2008-04-17 16:39:22 15384 ----a-w- C:\WINDOWS\system32\wuaucpl.cpl.mui
2012-06-02 19:19:38 . 2008-04-15 17:40:59 329240 ----a-w- C:\WINDOWS\system32\wucltui.dll
2012-06-02 19:19:38 . 2008-04-15 17:40:59 210968 ----a-w- C:\WINDOWS\system32\wuweb.dll
2012-06-02 19:19:38 . 2008-04-15 17:40:58 219160 ----a-w- C:\WINDOWS\system32\wuaucpl.cpl
2012-06-02 19:19:34 . 2011-02-24 21:00:56 15384 ----a-w- C:\WINDOWS\system32\wuapi.dll.mui
2012-06-02 19:19:34 . 2008-04-17 16:39:23 45080 ----a-w- C:\WINDOWS\system32\wups2.dll
2012-06-02 19:19:34 . 2008-04-15 17:40:58 53784 ----a-w- C:\WINDOWS\system32\wuauclt.exe
2012-06-02 19:19:34 . 2008-04-15 17:40:58 35864 ----a-w- C:\WINDOWS\system32\wups.dll
2012-06-02 19:19:34 . 2006-02-28 12:00:00 97304 ----a-w- C:\WINDOWS\system32\cdm.dll
2012-06-02 19:19:30 . 2008-04-17 16:39:22 17944 ----a-w- C:\WINDOWS\system32\wuaueng.dll.mui
2012-06-02 19:19:24 . 2008-04-15 17:40:58 577048 ----a-w- C:\WINDOWS\system32\wuapi.dll
2012-06-02 19:19:18 . 2008-04-15 17:40:58 1933848 ----a-w- C:\WINDOWS\system32\wuaueng.dll
2012-06-02 19:18:58 . 2012-01-15 20:09:29 275696 ----a-w- C:\WINDOWS\system32\mucltui.dll
2012-06-02 19:18:58 . 2012-01-15 20:09:29 214256 ----a-w- C:\WINDOWS\system32\muweb.dll
2012-06-02 19:18:58 . 2012-01-15 20:09:29 17136 ----a-w- C:\WINDOWS\system32\mucltui.dll.mui
2012-05-31 13:22:09 . 2006-02-28 12:00:00 599040 ----a-w- C:\WINDOWS\system32\crypt32.dll
2012-05-16 15:08:26 . 2006-02-28 12:00:00 916992 ----a-w- C:\WINDOWS\system32\wininet.dll
2012-05-15 13:20:33 . 2006-02-28 12:00:00 1863168 ----a-w- C:\WINDOWS\system32\win32k.sys
2012-05-11 14:42:33 . 2006-02-28 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2012-05-11 14:42:33 . 2006-02-28 12:00:00 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2012-05-11 11:38:02 . 2006-02-28 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
2012-05-04 13:12:30 . 2006-02-28 12:00:00 2192640 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2012-05-04 12:32:19 . 2004-08-03 22:59:00 2069120 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2012-05-02 13:46:36 . 2008-04-15 17:38:19 139656 ----a-w- C:\WINDOWS\system32\drivers\rdpwd.sys
2012-07-14 00:17:47 . 2012-07-20 02:59:28 136672 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( [email protected]_12.47.35 )))))))))))))))))))))))))))))))))))))))))

+ 2012-07-24 19:59:36 . 2012-07-24 19:59:36 16384 C:\WINDOWS\Temp\Perflib_Perfdata_190.dat
+ 2012-07-24 20:05:58 . 2012-07-24 20:06:06 729885 C:\WINDOWS\Temp\_asw_aisI.tm~a01720\sig.bin

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21:21 121528 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-05 04:02:10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-09-05 05:54:42 417792]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2012-07-03 16:21:30 4273976]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 15:07:54 252296]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

C:\Documents and Settings\tmills\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-1089\Scripts\Logon\0\0]
"Script"=loginlog.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-2360\Scripts\Logon\0\0]
"Script"=loginlog.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-8904\Scripts\Logon\0\0]
"Script"=loginlog.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSnx;aswSnx;C:\WINDOWS\system32\drivers\aswSnx.sys [6/11/2012 7:28:35 PM 721000]
R1 aswSP;aswSP;C:\WINDOWS\system32\drivers\aswSP.sys [6/11/2012 7:28:43 PM 353688]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [6/11/2012 7:28:43 PM 21256]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;C:\WINDOWS\system32\drivers\athuw.sys [6/18/2012 9:18:51 AM 1759584]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/5/2012 12:18:52 AM 250056]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys --> C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys [?]

Contents of the 'Scheduled Tasks' folder

2012-07-24 C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 04:18:52 . 2012-07-11 23:13:03]

2012-07-24 C:\WINDOWS\Tasks\avast! Emergency Update.job
- C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-11 03:44:29 . 2012-07-03 16:21:29]

2012-07-24 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2012-06-05 04:01:46 . 2012-06-05 04:01:19]

2012-07-24 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2012-06-05 04:01:46 . 2012-06-05 04:01:19]
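The ComboFix log above lists the machine's autostart points in one block: Run keys, Startup-folder shortcuts, a group-policy logon script, drivers/services and scheduled tasks. As an added example for this thread (not ComboFix's code and not anything the poster ran), here is a small Python parser that turns that "Reg Loading Points" section into structured records and then flags the entries a responder would check first. The line formats are inferred from the log as posted here; the sample input is an excerpt copied from it, and the trailing `[?]` on the BCMH43XX driver line is read as "file not on disk" because the OTL log later in the thread reports the same driver as "File not found". The two flagging rules (missing binary, bare filename with no directory) are my own triage heuristics, not something ComboFix itself reports.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log into autostart records.
Added example for this thread, not ComboFix's own code: formats inferred from the
log posted above; SAMPLE is a constructed excerpt copied from that log."""
import re

SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-05 04:02:10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-09-05 05:54:42 417792]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2012-07-03 16:21:30 4273976]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-1089\Scripts\Logon\0\0]
"Script"=loginlog.bat

R1 aswSnx;aswSnx;C:\WINDOWS\system32\drivers\aswSnx.sys [6/11/2012 7:28:35 PM 721000]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys --> C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys [?]

2012-07-24 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2012-06-05 04:01:46 . 2012-06-05 04:01:19]
'''

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<target>.+?)(?:\s+\[[^\]]*\])?$')
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TASK = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)$')
LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?)(?:\s+\[[^\]]*\])?$')
# Heuristic: directories an unprivileged user can write to (assumption, XP-era layout).
USER_WRITABLE = re.compile(r'\\(documents and settings|users|temp|application data)\\', re.I)


def is_autostart_key(key):
    """Registry keys whose values launch code at logon: Run/RunOnce and GPO logon scripts."""
    k = key.lower()
    return k.endswith('\\run') or k.endswith('\\runonce') or '\\scripts\\logon\\' in k


def parse_loading_points(text):
    """Return dicts with kind, location, name, target (services also carry 'missing')."""
    entries, context, pending_task = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            context = line[1:-1]            # registry key header
            continue
        if line.endswith('\\'):
            context = line                  # Startup folder header
            continue
        m = TASK.match(line)
        if m:
            pending_task = m.group('job')   # target follows on the next '- ' line
            continue
        if pending_task and line.startswith('- '):
            entries.append({'kind': 'task', 'location': pending_task,
                            'name': pending_task.rsplit('\\', 1)[-1],
                            'target': line[2:].split(' [')[0]})
            pending_task = None
            continue
        m = SERVICE.match(line)
        if m:
            rest = m.group('rest')
            # ComboFix prints 'path --> path [?]' when the registered binary is absent
            entries.append({'kind': 'service', 'location': m.group('start'),
                            'name': m.group('name'),
                            'target': rest.split(' --> ')[0].split(' [')[0],
                            'missing': rest.endswith('[?]')})
            continue
        m = LNK.match(line)
        if m and context:
            entries.append({'kind': 'startup', 'location': context,
                            'name': m.group('name'), 'target': m.group('target')})
            continue
        m = REG_VALUE.match(line)
        if m and context and is_autostart_key(context):
            entries.append({'kind': 'registry', 'location': context,
                            'name': m.group('name'),
                            'target': m.group('target').strip('"')})
    return entries


def review(entries):
    """Pair each entry worth a second look with the reason, in log order."""
    flagged = []
    for e in entries:
        if e.get('missing'):
            flagged.append((e, 'registered but file not on disk'))
        elif '\\' not in e['target']:
            flagged.append((e, 'bare filename, resolved via search path at logon'))
        elif USER_WRITABLE.search(e['target']):
            flagged.append((e, 'launches from a user-writable location'))
    return flagged


if __name__ == '__main__':
    found = parse_loading_points(SAMPLE)
    print(f'{len(found)} autostart entries')
    for entry, reason in review(found):
        print(f"  {entry['kind']:8} {entry['name']:<12} {entry['target']}  <- {reason}")
```

Run against the excerpt it reports eight entries and flags two: the BCMH43XX driver whose file is gone, and the `loginlog.bat` logon script that is registered by bare name rather than full path. Neither flag means "malicious" on its own (a leftover driver from a removed USB adapter is common), but both are exactly the lines a helper reads first, and the same parser can be pointed at a full ComboFix.txt to get the whole list in one place.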

#51 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)
Hi. :)

The occasional redirects to ieonline/ieslice occur when I am using Firefox. I haven't used IE at all.

OK.

I think what follows is the correct ComboFix log. It is named ComboFix.txt, no 2 in the name, but the date and time I ran it match.

It does indeed appear to be; however, it is incomplete, but I am surmising that is because your machine encountered the error you mentioned.

Anyway, let's proceed as follows, shall we...

OTL has recently been updated again, so please delete that and any logs still present (OTL.txt & Extras.txt) and then empty the Recycle Bin.

Re-scan with OTL:

Please download the updated version of OTL and save it to your Desktop.

Alternate downloads are here and here.

  • Double-click OTL.exe to start OTL.
  • Under Output, ensure that Standard Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.


#52 cinbar (Member, Topic Starter, 45 posts)
Dakeyras,

The computer is moving quickly from home page to other URLs today. I haven't seen any ieonline/ieslice's flash by or had redirects.

Thanks, cinbar



Here is the OTL.txt

OTL logfile created on: 7/25/2012 3:43:33 PM - Run 5
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 173.17 Mb Available Physical Memory | 33.99% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.25% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 10.38 Gb Free Space | 55.69% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/25 15:41:39 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2012/07/18 17:00:26 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/07/13 20:17:11 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/07/03 12:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/25 02:01:37 | 001,787,904 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12072500\algo.dll
MOD - [2012/07/13 20:17:14 | 002,003,424 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/02/28 09:53:06 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/07/18 17:00:26 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/07/13 20:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/11 19:13:03 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) [Auto | Running] -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\bcmwlhigh5.sys -- (BCMH43XX)
DRV - [2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/09/30 20:15:00 | 001,759,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2004/08/03 18:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 18:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 18:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 18:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 18:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 18:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 18:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 18:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 18:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 18:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 18:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 18:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 18:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 18:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 18:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...1I7ADRA_enUS487
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: "http://www.msnbc.com"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/10 23:45:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/19 22:59:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/06/05 12:51:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012/07/01 13:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\extensions
[2012/07/19 22:59:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/10 23:45:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/07/13 20:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/07/13 20:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/07/13 20:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/24 15:59:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\tmills\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1298581213742 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5CD6C295-B387-457F-BF36-D52485551C8A}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/15 13:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/21 20:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 04:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk /k:C *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/25 15:41:05 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/07/24 16:16:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/07/24 16:11:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/07/24 15:32:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/07/24 13:44:26 | 004,584,441 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2012/07/23 08:13:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/23 08:10:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/23 08:10:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/23 08:10:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/23 08:10:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/23 08:09:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/23 08:09:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Videos
[2012/07/23 08:09:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
[2012/07/22 22:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\FixPolicies
[2012/07/22 18:39:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\GooredFix Backups
[2012/07/22 17:59:17 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/07/22 11:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\HostsXpert
[2012/07/21 12:46:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\RK_Quarantine
[2012/07/20 16:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\WinPatrol
[2012/07/18 20:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Sun
[2012/07/18 17:20:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/07/18 17:02:28 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/07/18 17:02:26 | 000,772,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/07/18 17:02:26 | 000,227,824 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/07/18 17:01:31 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/18 17:01:30 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/07/17 17:33:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/15 12:58:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/14 11:47:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/07/14 11:43:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

========== Files - Modified Within 30 Days ==========

[2012/07/25 15:41:39 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/07/25 15:17:42 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/25 15:12:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/25 10:23:05 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/07/25 09:13:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/25 09:13:38 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/25 09:13:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/24 15:59:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/24 13:45:15 | 004,584,441 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2012/07/23 08:13:45 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/22 19:01:18 | 000,000,781 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to SystemLook.lnk
[2012/07/22 18:35:52 | 000,000,776 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to GooredFix.lnk
[2012/07/21 22:23:25 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/07/21 12:45:47 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to RogueKiller.lnk
[2012/07/19 23:00:03 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/07/19 23:00:03 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/07/18 17:00:23 | 000,227,824 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/07/18 17:00:23 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/18 17:00:22 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/07/18 17:00:22 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/07/18 17:00:19 | 000,772,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/07/18 17:00:19 | 000,687,600 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/07/18 16:57:59 | 000,000,831 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to jre-7u5-windows-i586.lnk
[2012/07/17 16:59:30 | 000,000,883 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC[1].EXE-05ED5B58.lnk
[2012/07/16 11:18:48 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.lnk
[2012/07/16 10:46:45 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.pf.lnk
[2012/07/15 13:39:49 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/14 11:43:30 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2012/07/14 11:43:30 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2012/07/13 19:06:49 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/07/11 19:12:59 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/11 19:12:58 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/07/03 12:21:53 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Files Created - No Company Name ==========

[2012/07/23 08:13:44 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/07/23 08:13:40 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/23 08:10:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/23 08:10:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/23 08:10:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/23 08:10:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/23 08:10:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/22 19:01:18 | 000,000,781 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to SystemLook.lnk
[2012/07/22 18:35:52 | 000,000,776 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to GooredFix.lnk
[2012/07/21 12:45:47 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to RogueKiller.lnk
[2012/07/18 16:57:59 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to jre-7u5-windows-i586.lnk
[2012/07/17 16:59:30 | 000,000,883 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC[1].EXE-05ED5B58.lnk
[2012/07/16 11:18:48 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.lnk
[2012/07/16 10:46:45 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.pf.lnk
[2012/07/14 11:43:30 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2012/07/14 11:43:30 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2012/07/10 23:48:02 | 000,000,316 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/06/05 00:33:35 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-pp.jbs
[2012/02/15 10:03:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/28 13:34:55 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\user\ntuser.pol
[2008/04/17 12:16:42 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

< End of report >


Here is the Extras.txt

OTL Extras logfile created on: 7/25/2012 3:43:33 PM - Run 5
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 173.17 Mb Available Physical Memory | 33.99% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.25% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 10.38 Gb Free Space | 55.69% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- C:\PROGRA~1\MICROS~2\Office\FRONTPG.EXE
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"Tweak UI 2.10" = Tweak UI
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/25/2012 6:37:03 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 2:01:42 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 4:48:30 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 9:11:55 PM | Computer Name = BOURBON-160D789 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 5/28/2012 8:49:54 AM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 10:06:46 AM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 12:21:35 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 5:36:24 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/29/2012 9:20:58 AM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/11/2012 7:53:09 PM | Computer Name = BOURBON-160D789 | Source = MPSampleSubmission | ID = 5000
Description =

[ System Events ]
Error - 7/24/2012 4:42:16 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 7:00:56 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 7:00:56 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 7:47:04 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 7:47:04 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 8:59:05 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/24/2012 8:59:05 PM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/25/2012 9:13:36 AM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/25/2012 9:13:36 AM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 7/25/2012 1:31:21 PM | Computer Name = BOURBON-160D789 | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address E0469A0245E5. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.


< End of report >
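The two parts of the log above that a reviewer checks by hand are the Explorer AutoRun policy values in the O6/O7 lines and the "Shell Spawning" commands in Extras.txt (a hijacked exefile or comfile verb gets malware loaded in front of every program the user starts). The Python below is an added example, not code from OTL or from anyone in this thread: it parses those lines and decodes them. It assumes Microsoft's documented meaning of NoDriveTypeAutoRun (bit n = GetDriveType value n, KB967715) and NoDriveAutoRun (bit 0 = A: through bit 25 = Z:), and the Windows XP default commands listed in EXPECTED_SHELL_COMMANDS; the sample lines are copied from the log, except the last shell line, which is constructed to show what a hijacked association looks like.

```python
"""Triage helpers for OTL log lines (added example; not OTL's or the thread's code)."""
import re

# NoDriveTypeAutoRun: bit n disables AutoRun for the drive type n that
# GetDriveType() returns (Microsoft KB967715); 0xFF disables every type.
DRIVE_TYPE_BITS = {0: "unknown", 1: "no-root-dir", 2: "removable", 3: "fixed",
                   4: "network", 5: "cdrom", 6: "ramdisk", 7: "reserved"}

# Windows XP defaults (assumed) for the shell verbs malware hijacks to get
# itself loaded ahead of every program: (file class, verb) -> command.
EXPECTED_SHELL_COMMANDS = {
    ("exefile", "open"): '"%1" %*', ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*', ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*', ("scrfile", "open"): '"%1" /S',
    ("regfile", "merge"): 'regedit.exe "%1"',
}

# OTL.txt policy lines "O6 - <key>: <name> = <int>" (O7 for per-user hives);
# Extras.txt "Shell Spawning" lines "<class> [<verb>] -- <command>" or the O35 form.
POLICY_RE = re.compile(r"^O[67] - (?P<key>\S+): (?P<name>\w+) = (?P<value>\d+)$")
SHELL_RE = re.compile(r"^(?:O35 - HKLM\\\.\.)?(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")

# Sample input copied from the log in this thread (HKLM key plus one service SID).
# The last shell line is CONSTRUCTED, not from this log: it shows what a hijacked
# exefile association looks like so that the check has something to flag.
SAMPLE_POLICY_LINES = [
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0",
    r"O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145",
]
SAMPLE_SHELL_LINES = [
    r'batfile [open] -- "%1" %*',
    r'comfile [open] -- "%1" %*',
    r'exefile [open] -- "%1" %*',
    r'regfile [merge] -- Reg Error: Key error.',
    r'scrfile [open] -- "%1" /S',
    r'O35 - HKLM\..exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\user\Application Data\loader.exe" "%1" %*',  # constructed
]

def decode_no_drive_type_autorun(value):
    """Return (drive types blocked by this value, any bits outside the documented 0xFF)."""
    blocked = {name for bit, name in DRIVE_TYPE_BITS.items() if value & (1 << bit)}
    return blocked, value & ~0xFF

def decode_drive_letter_mask(value):
    """NoDriveAutoRun / NoDrives are letter masks: bit 0 = A:, ..., bit 25 = Z:."""
    return "".join(chr(ord("A") + i) for i in range(26) if value & (1 << i))

def parse_autorun_policies(lines):
    """Collect {registry key: {value name: int}} from OTL O6/O7 policy lines."""
    policies = {}
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m:
            policies.setdefault(m["key"], {})[m["name"]] = int(m["value"])
    return policies

def autorun_allowed(values, drive_letter, drive_type):
    """True if AutoRun can still fire for the drive: either mask alone is enough to block it."""
    type_bit = next(b for b, n in DRIVE_TYPE_BITS.items() if n == drive_type)
    by_type = values.get("NoDriveTypeAutoRun", 0) & (1 << type_bit)
    by_letter = values.get("NoDriveAutoRun", 0) & (1 << (ord(drive_letter.upper()) - ord("A")))
    return not (by_type or by_letter)

def check_shell_spawning(lines):
    """Return (class, verb, command, status) per executable-class verb seen.
    status is 'ok' (matches the default), 'reg_error' (OTL could not read the
    key) or 'unexpected' (anything else, e.g. a loader placed in front of "%1")."""
    findings = []
    for line in lines:
        m = SHELL_RE.match(line.strip())
        if not m or (m["cls"].lower(), m["verb"].lower()) not in EXPECTED_SHELL_COMMANDS:
            continue
        key, cmd = (m["cls"].lower(), m["verb"].lower()), m["cmd"].strip()
        if cmd.startswith("Reg Error"):
            status = "reg_error"
        else:
            status = "ok" if cmd == EXPECTED_SHELL_COMMANDS[key] else "unexpected"
        findings.append((key[0], key[1], cmd, status))
    return findings

def summarize(policy_lines, shell_lines):
    """Plain-text triage report for both sections."""
    report = []
    for key, values in parse_autorun_policies(policy_lines).items():
        if "NoDriveTypeAutoRun" in values:
            blocked, extra = decode_no_drive_type_autorun(values["NoDriveTypeAutoRun"])
            report.append(f"{key}: NoDriveTypeAutoRun blocks {sorted(blocked)}, extra bits 0x{extra:X}")
        if "NoDriveAutoRun" in values:
            report.append(f"{key}: NoDriveAutoRun blocks letters {decode_drive_letter_mask(values['NoDriveAutoRun'])}")
        report.append(f"{key}: AutoRun on CD-ROM D: still allowed? {autorun_allowed(values, 'D', 'cdrom')}")
    report += [f"{c} [{v}] {s}: {cmd}" for c, v, cmd, s in check_shell_spawning(shell_lines)]
    return report

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_POLICY_LINES, SAMPLE_SHELL_LINES)))
```

Run against the values actually logged: NoDriveTypeAutoRun = 323 (0x143) sets only the unknown, no-root-dir and RAM-disk bits plus an undocumented 0x100, so on its own it would leave removable and CD-ROM AutoRun enabled, which matters because the same log shows HKLM CDRom: AutoRun - 1 and an autorun.inf on D:. NoDriveAutoRun = 67108863 (0x3FFFFFF), however, covers every letter A to Z, so AutoRun is blocked for every drive regardless of type. The exefile, comfile, batfile and scrfile commands match the defaults; regfile [merge] reports a registry read error rather than a replacement command, which is a broken association, not evidence of a hijack.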

#53
Dakeyras (Anti-Malware Mammoth, Expert)
Hi. :)

The computer is moving quickly from home page to other URLs today. I haven't seen any ieonline/ie slice's flash by or had redirects.

Good, let's see how it goes for a few days, shall we.

Your machine does have a few system errors that may account for the recent issue with ComboFix:-

Error - 7/25/2012 9:13:36 AM | Computer Name = BOURBON-160D789 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Not a lot I can advise about that to be honest, as primarily I only provide Anti-Malware support. It may just be a holdover from the fact your machine used to be used as a workstation, for example. If there are continued system crashes/problems in the future, my best advice would be to seek assistance in this part of the forum:-

Windows XP™, 2000, 2003, NT

Now this one we can deal with; even though you do not use Internet Explorer much, if at all, it would be prudent to do so:-

Error - 5/25/2012 6:37:03 PM | Computer Name = BOURBON-160D789 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished, or keep it in case of any problems with IE8 in the future.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.
Note: Any add-ons will require to be reapplied after the above reset.

New Adobe Reader Installation:

  • Go here and click on AdbeRdr1013_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • After the new Reader is installed, Open Adobe Reader X.
  • OK the license.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button
Next:

As mentioned, let's give it a few days and see how your computer fares; if there are no obvious malware-related issues, we will then clean up all the tools used etc. OK.

#54
cinbar (Member, Topic Starter)
Dakeyras,

I will download the Adobe Reader and do the IE reset and report back to you on Sunday or maybe before.

Thanks for your help!!

cinbar

#55
Dakeyras (Anti-Malware Mammoth, Expert)
OK. :)


#56
cinbar (Member, Topic Starter)
Dakeyras,

I downloaded Adobe Reader and installed it with the three unchecks you designated.

I downloaded the Microsoft Fix It. The installation went along okay until two windows appeared that overlapped each other.

The first window said Please Wait--but nothing happened--and the Back Next and Close at the bottom were faded out so I couldn't click on any of them.

This window blocked the second, the "Are You Sure You Want to Reset" window, so I couldn't click on its choices to keep the process moving.

I tried to drag the windows apart, but they wouldn't separate. So I closed everything and tried to install again, but got the same result.

Update on how the computer is working: It's generally fast. I have seen the ieonline/ieslice flash by as the home page loads, mixed in with the waiting for google ads and I got redirected to an ie ad site once. Several times I've been sent to the tan "Firefox can't find this server" page when the URL for the webpage I'm trying to access is correct and the internet connection is strong.

Thanks for your help,
cinbar

#57
Dakeyras (Anti-Malware Mammoth, Expert)
Hi. :)

Can you confirm for me, please, whether you are actually using a router?

The first window said Please Wait--but nothing happened--and the Back Next and Close at the bottom were faded out so I couldn't click on any of them.

This window blocked the second, the "Are You Sure You Want to Reset" window, so I couldn't click on its choices to keep the process moving.

I tried to drag the windows apart, but they wouldn't separate. So I closed everything and tried to install again, but got the same result.

OK, we'll merely try the Microsoft FixIt with your machine running in Safe Mode then:-

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

If any problems refer to this tutorial.

Next:

Re-run the Microsoft FixIt as per post #53.

Reboot your machine afterwards back into Normal Mode. If there are still any problems running the aforementioned application, reboot anyway, carry on with the instructions below and merely inform me in your next reply that there was a problem.

Next:

I have seen the ieonline/ieslice flash by as the home page loads, mixed in with the waiting for google ads and I got redirected to an ie ad site once. Several times I've been sent to the tan "Firefox can't find this server" page when the URL for the webpage I'm trying to access is correct and the internet connection is strong.

I think it prudent to run a different type of scan to try and pinpoint the problems.

Scan with AdwCleaner:

Please download adwcleaner from here and save to your desktop.

  • Double click on adwcleaner.exe to launch the application.
  • Now click on the Search tab.
  • Please post the contents of the logfile created in your next post.
Note: The log can also be located at C: >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it may be something like R1.

#58
cinbar (Member, Topic Starter)
Dakeyras,

I am on a neighbor's computer. When I tried to access the GTG site, one time I got a "database connection error" and the other times I got "SQL error or driver server error" and "There appears to be a problem with our database."

Remembering when the GTG database was down around July 4, I came to this computer, thinking I would probably get the same database error window.

I will go back to my computer and let you know if I can access the GTG site. I have had no problems going to other websites. I wanted to be sure you heard from me, though, because I had to let more time than usual go by before I was free to do the steps you requested and send a report, and I didn't want the topic to close.

1. I am using an adapter, not a router.

2. I successfully put my computer in Safe Mode, but when I tried to run the Microsoft Fixit.exe I got "system administrator has set policies to prevent installation of MF," a remnant from when the computer was owned by the school system. So I returned my computer to regular "Start Windows Normally" mode.

3. I will keep trying to see if my computer will let me upload the log you requested and will let you know from a different computer if I can't gain access to do so.

Thanks for your help,
cinbar

#59 cinbar (Topic Starter, Member, 45 posts)
Dakeyras,

I was able to access GTG from my computer. Here is the log from AdwCleaner:

AdwCleaner v1.608 - Logfile created 08/01/2012 at 16:21:02
# Updated 27/05/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : user - BOURBON-160D789
# Running from : C:\Documents and Settings\user\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Cr_Installer
Key Found : HKLM\SOFTWARE\Babylon
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2E2DD38-D088-4134-82B7-F2BA38496583}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2251 octets] - [01/08/2012 16:21:02]

########## EOF - C:\AdwCleaner[R1].txt - [2379 octets] ##########

Something odd happened with the computer last night which I never encountered before. I copied most of what I saw b/c I thought it might be related to the malware. As soon as I logged on a full page screen appeared saying "Windows has been shut down to minimize danger to your computer."

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you have seen this screen restart your computer (I turned it off then and didn't turn it back on until the next morning.)

If it appears again [It has not.] check new hardware or software is properly installed.
Disable or remove any newly installed software (Adobe Reader and Microsoft Fixit are the latest installations I put on the computer.) Disable BIOS memory options such as caching and shadow.

Then it tells how to go into Safe Mode

Stop: 0x000000D1 (0x80020267, 0x0000000D, 0xF8481D23)

Atapi.sys - Address F8481D23 base at F847C000
DateStamp 4802539d

Beginning dump of physical memory
---------------

The computer seems to be working okay today, just a few "Firefox can't access the website b/c the connection was reset during the download" screens. I did see the ieonline/ieslice once.
Thanks for your help,
cinbar
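Reading a log like the one above programmatically, as an added example that is not part of this thread or of AdwCleaner itself: the script parses the Search-mode log layout shown (the `***** [Section] *****` headers, the `Key/Value Found :` lines and the per-browser `[OK]` status lines) and collapses GUIDs that recur under CLSID, Ext\Settings and Ext\Stats into the set of distinct add-ons. The sample log is a constructed, shortened subset of the entries posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened subset of the Search log posted above, blank lines omitted.
SAMPLE_LOG = r"""AdwCleaner v1.608 - Logfile created 08/01/2012 at 16:21:02
# Option [Search]
***** [Registry] *****
Key Found : HKCU\Software\Cr_Installer
Key Found : HKLM\SOFTWARE\Babylon
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
***** [Registre - GUID] *****
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2E2DD38-D088-4134-82B7-F2BA38496583}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Mozilla Firefox v14.0.1 (en-US)
[OK] File is clean.
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")           # ***** [Registry] *****
FINDING_RE = re.compile(r"^(Key|Value|File|Folder|Service) Found : (.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (.+)$")                       # -\\ Internet Explorer v8...
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_adwcleaner_log(text):
    """Group 'X Found :' lines by section header and record which browsers were reported clean."""
    report = {"mode": None, "findings": defaultdict(list), "browsers": {}}
    section = browser = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# Option ["):
            report["mode"] = line[len("# Option ["):-1]       # "Search" (scan only) or "Delete"
        elif (m := SECTION_RE.match(line)):
            section, browser = m.group(1), None
        elif (m := FINDING_RE.match(line)) and section:
            report["findings"][section].append((m.group(1), m.group(2)))
        elif (m := BROWSER_RE.match(line)):
            browser = m.group(1)
            report["browsers"][browser] = "unknown"
        elif line.startswith("[OK]") and browser:
            report["browsers"][browser] = "clean"
    report["findings"] = dict(report["findings"])
    return report

def distinct_guids(report):
    """The same GUID recurs under CLSID, Ext Settings and Ext Stats; collapse to the set of distinct add-ons."""
    targets = [t for hits in report["findings"].values() for _, t in hits]
    return {g.upper() for t in targets for g in GUID_RE.findall(t)}
```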

#60 cinbar (Topic Starter, Member, 45 posts)
Dakeyras,

This evening as my home page was loading, I saw the waiting for ieonline/ieslice again and something I had not seen before:

www.microsoft.com redir.dll.asapi something something...hotmail. It may have been atapi instead of asapi, and atapi was part of the page I described in the reply I sent you earlier today, the page about Windows shutting down the system.

I'm sure it ended in hotmail and I have never used that email service.

Yahoo mail was the first URL I clicked to go to and I got the Firefox can't find the server screen, yet the connection was strong.

Thanks,
cinbar