Solved Browser redirects from Google searches

Status
Not open for further replies.
D

Dzapper

System had a fake system integrity malware a few days ago got rid of it but now we have search results being redirected to junk web sites. Have had more malware and trojans pop up since I got rid of the fake system check but things look clean now except for the redirects. I could not get any logs from GMER as they were all empty but it did pop up an exception before when I ran it (Load Driver C:../../kxtdipog.sys error 0XC000010E cannot create a stable subkey under a volatile parent key) Here are my mbytes and dds logs:

Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8302

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/4/2011 04:01:47
mbam-log-2011-12-04 (04-01-47).txt

Scan type: Quick scan
Objects scanned: 193424
Time elapsed: 1 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)


DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by HALO at 5:01:16 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2774 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: watchitmove.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE} : NameServer = 204.117.214.10,199.2.252.10
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\halo\application data\mozilla\firefox\profiles\akgs7kj7.default\
FF - plugin: c:\documents and settings\halo\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-7-30 24064]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsld7b1541a;MpKsld7b1541a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{28565789-cd0f-43f0-8336-8bca58bd244b}\mpksld7b1541a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{28565789-cd0f-43f0-8336-8bca58bd244b}\MpKsld7b1541a.sys [?]
R1 MpKsle55d2bba;MpKsle55d2bba;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\MpKsle55d2bba.sys [2011-12-4 29904]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be63d181-a450-415e-8e78-281938d2850b}\mpkslcb6bd7e8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be63d181-a450-415e-8e78-281938d2850b}\MpKslcb6bd7e8.sys [?]
S2 BackupService;BackupService;c:\documents and settings\halo\application data\hp simplesave application\uUACTokenSvc.exe [2011-7-3 83512]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-30 136176]
S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [2008-4-25 31360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-30 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-04 04:33:32 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\MpKsle55d2bba.sys
2011-12-04 04:33:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\offreg.dll
2011-12-04 04:33:28 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{497950ba-2160-437f-8423-6478ff7dfbb5}\mpengine.dll
2011-12-03 23:32:04 -------- d-----w- C:\ComboFix
2011-12-03 04:29:00 -------- d-sha-r- C:\cmdcons
2011-12-03 04:20:11 98816 ----a-w- c:\windows\sed.exe
2011-12-03 04:20:11 518144 ----a-w- c:\windows\SWREG.exe
2011-12-03 04:20:11 256000 ----a-w- c:\windows\PEV.exe
2011-12-03 04:20:11 208896 ----a-w- c:\windows\MBR.exe
2011-12-03 01:42:51 -------- d-----w- c:\program files\ESET
2011-12-01 13:16:46 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-11-30 06:49:17 -------- d-----w- c:\documents and settings\halo\application data\QuickScan
2011-11-29 19:59:08 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-28 20:43:26 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-11-28 20:43:26 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-11-28 20:42:29 -------- d--h--w- c:\documents and settings\halo\application data\892F1515
.
==================== Find3M ====================
.
2011-11-10 03:33:01 256104 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-11-10 03:33:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-11-03 16:23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-13 03:37:14 256104 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 11:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 11:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 11:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-10 04:47:20 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 5:07:15.15 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/29/2010 19:44:50
System Uptime: 12/3/2011 22:17:57 (7 hours ago)
.
Motherboard: Dell Inc. | | 0D883F
Processor: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz | CPU1 | 1995/4800mhz
Processor: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz | CPU1 | 1995/4800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 432.301 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP271: 9/5/2011 02:15:58 - System Checkpoint
RP272: 9/6/2011 03:16:35 - System Checkpoint
RP273: 9/7/2011 03:18:45 - System Checkpoint
RP274: 9/8/2011 05:48:20 - System Checkpoint
RP275: 9/9/2011 06:11:28 - System Checkpoint
RP276: 9/10/2011 06:55:52 - System Checkpoint
RP277: 9/11/2011 03:00:21 - Software Distribution Service 3.0
RP278: 9/12/2011 03:00:14 - Software Distribution Service 3.0
RP279: 9/13/2011 03:37:56 - System Checkpoint
RP280: 9/14/2011 03:00:30 - Software Distribution Service 3.0
RP281: 9/15/2011 03:24:52 - System Checkpoint
RP282: 9/16/2011 05:36:49 - System Checkpoint
RP283: 9/17/2011 06:28:04 - System Checkpoint
RP284: 9/18/2011 08:12:29 - System Checkpoint
RP285: 9/19/2011 10:35:07 - System Checkpoint
RP286: 9/20/2011 10:48:13 - System Checkpoint
RP287: 9/21/2011 11:24:54 - System Checkpoint
RP288: 9/22/2011 11:36:54 - System Checkpoint
RP289: 9/23/2011 12:15:38 - System Checkpoint
RP290: 9/24/2011 15:56:02 - System Checkpoint
RP291: 9/25/2011 17:21:28 - System Checkpoint
RP292: 9/26/2011 22:01:59 - System Checkpoint
RP293: 9/27/2011 22:21:45 - System Checkpoint
RP294: 9/28/2011 03:00:13 - Software Distribution Service 3.0
RP295: 9/29/2011 14:42:03 - System Checkpoint
RP296: 9/30/2011 15:36:33 - System Checkpoint
RP297: 10/1/2011 18:26:17 - System Checkpoint
RP298: 10/3/2011 13:34:52 - System Checkpoint
RP299: 10/4/2011 14:06:55 - System Checkpoint
RP300: 10/5/2011 16:03:05 - System Checkpoint
RP301: 10/6/2011 21:54:50 - System Checkpoint
RP302: 10/7/2011 22:09:59 - System Checkpoint
RP303: 10/8/2011 23:05:04 - System Checkpoint
RP304: 10/9/2011 23:06:05 - System Checkpoint
RP305: 10/11/2011 00:03:54 - System Checkpoint
RP306: 10/12/2011 00:04:06 - System Checkpoint
RP307: 10/13/2011 00:08:37 - System Checkpoint
RP308: 10/13/2011 03:00:14 - Software Distribution Service 3.0
RP309: 10/14/2011 04:55:23 - System Checkpoint
RP310: 10/15/2011 03:00:13 - Software Distribution Service 3.0
RP311: 10/16/2011 03:34:30 - System Checkpoint
RP312: 10/17/2011 05:28:40 - System Checkpoint
RP313: 10/18/2011 05:36:10 - System Checkpoint
RP314: 10/19/2011 06:16:43 - System Checkpoint
RP315: 10/20/2011 07:28:42 - System Checkpoint
RP316: 10/21/2011 13:51:58 - System Checkpoint
RP317: 10/22/2011 14:17:45 - System Checkpoint
RP318: 10/23/2011 17:20:17 - System Checkpoint
RP319: 10/24/2011 20:19:19 - System Checkpoint
RP320: 10/25/2011 21:38:18 - System Checkpoint
RP321: 10/26/2011 21:51:29 - System Checkpoint
RP322: 10/28/2011 00:22:42 - System Checkpoint
RP323: 10/29/2011 00:32:09 - System Checkpoint
RP324: 10/30/2011 01:42:21 - System Checkpoint
RP325: 10/31/2011 02:24:58 - System Checkpoint
RP326: 11/1/2011 03:19:44 - System Checkpoint
RP327: 11/2/2011 04:17:46 - System Checkpoint
RP328: 11/3/2011 06:14:58 - System Checkpoint
RP329: 11/4/2011 06:24:32 - System Checkpoint
RP330: 11/5/2011 06:27:07 - System Checkpoint
RP331: 11/6/2011 10:13:26 - System Checkpoint
RP332: 11/7/2011 11:21:28 - System Checkpoint
RP333: 11/8/2011 11:44:52 - System Checkpoint
RP334: 11/9/2011 03:00:13 - Software Distribution Service 3.0
RP335: 11/10/2011 05:33:33 - System Checkpoint
RP336: 11/11/2011 07:11:43 - System Checkpoint
RP337: 11/12/2011 03:00:14 - Software Distribution Service 3.0
RP338: 11/13/2011 03:07:03 - System Checkpoint
RP339: 11/14/2011 04:38:06 - System Checkpoint
RP340: 11/15/2011 05:47:54 - System Checkpoint
RP341: 11/16/2011 07:43:54 - System Checkpoint
RP342: 11/17/2011 08:19:16 - System Checkpoint
RP343: 11/18/2011 09:35:12 - System Checkpoint
RP344: 11/19/2011 10:19:31 - System Checkpoint
RP345: 11/20/2011 11:10:12 - System Checkpoint
RP346: 11/21/2011 12:09:29 - System Checkpoint
RP347: 11/22/2011 13:47:04 - System Checkpoint
RP348: 11/23/2011 14:49:18 - System Checkpoint
RP349: 11/24/2011 15:11:17 - System Checkpoint
RP350: 11/25/2011 15:44:49 - System Checkpoint
RP351: 11/26/2011 16:22:17 - System Checkpoint
RP352: 11/27/2011 18:02:49 - System Checkpoint
RP353: 11/28/2011 19:49:23 - System Checkpoint
RP354: 11/29/2011 17:59:56 - Removed Ad-Aware
RP355: 11/29/2011 19:55:53 - Removed Symantec AntiVirus
RP356: 11/29/2011 20:00:22 - Software Distribution Service 3.0
RP357: 12/1/2011 06:26:09 - System Checkpoint
RP358: 12/1/2011 13:16:12 - Software Distribution Service 3.0
RP359: 12/2/2011 13:34:26 - System Checkpoint
RP360: 12/2/2011 16:32:42 - Software Distribution Service 3.0
RP361: 12/3/2011 06:37:37 - Software Distribution Service 3.0
RP362: 12/4/2011 01:59:19 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.2
Apple Application Support
Apple Software Update
AutoFind 6 Common
Autofind 6 Crystal Reports Runtime
BioAPI Framework
Broadcom NetXtreme-I Netlink Driver and Management Installer
Cisco Systems VPN Client 5.0.04.0300
DCP32MMWrapper
Dell Control Point
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
ESET Online Scanner v3
Gemalto
Google Chrome
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB954708)
Intel® Matrix Storage Manager
InterActual Player
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 24
Map AGenT Pro
MapInfo MapX 4.0 OCX
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Milestone XProtect Smart Client 5.0d
Mozilla Firefox 8.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser (KB927977)
NTRU TCG Software Stack
NVIDIA Control Panel 267.17
NVIDIA Graphics Driver 267.17
NVIDIA Install Application
NVIDIA nView 135.64
NVIDIA nView Desktop Manager
OGA Notifier 2.0.0048.0
PowerDVD DX
Preboot Manager
Private Information Manager
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2483614)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Security Wizards
SO32MMWrapper
SoundMAX
Trusted Drive Manager
Tweak UI
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB961503)
Update for Windows XP (KB971029)
UPEK TouchChip Fingerprint Reader
VideoLAN VLC media player 0.8.6f
Wave Infrastructure Installer
Wave Support Software
WebFldrs XP
Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
12/3/2011 05:18:14, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
12/3/2011 04:17:23, error: Service Control Manager [7034] - The BackupService service terminated unexpectedly. It has done this 1 time(s).
12/1/2011 16:27:17, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/1/2011 15:18:15, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/1/2011 14:04:12, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
12/1/2011 14:01:10, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/1/2011 13:58:09, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/1/2011 06:10:44, error: Service Control Manager [7034] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 2 time(s).
12/1/2011 05:59:31, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
11/29/2011 15:48:35, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/29/2011 05:15:14, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SAVRT SAVRTPEL SYMTDI
11/29/2011 05:13:22, error: NetBT [4311] - Initialization failed because the driver device could not be created.
11/29/2011 04:54:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/29/2011 04:31:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip
11/29/2011 04:31:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/29/2011 04:31:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/29/2011 04:31:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/29/2011 04:31:37, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/29/2011 03:00:51, error: System Error [1003] - Error code 10000050, parameter1 ad379000, parameter2 00000000, parameter3 80509973, parameter4 00000000.
.
==== End Of File ===========================
 
Welcome to TechSpot. I'll help with the malware.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
It appears that you have some left-over scanning programs. Although I will have you do the scans, I'd like you to uninstall Combofix and Eset and reload from my link.

Question: Tell me about the use of the following:
1. uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
2. Trusted Zone: watchitmove.com
3. Microsoft Internationalized Domain Names Mitigation APIs
===============================
Please update Java: Java Updates . After the update, uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download..
===============================
There will be malware in the Java cache due to the outdated programs so it must be cleared:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel.
    java.png
    The Java Control Panel appears.
    plugin_cache1.jpg

    [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
    plugin_cache2.jpg

    [4] Click Delete Files.The Delete Temporary Files dialog box appears.
    plugin_cache3.jpg

    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com
=======================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives/
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
Redirect looks to be gone

Regarding your three questions I have no idea about the uInternet Connection entry though it is installed no one uses Outlook on this computer. The watchitmove.com is where I "The Man" oppress the masses ;-) in other words that's supposed to be there. The Microsoft Internationalized Domain Names Mitigation APIs looks to me to be a valid Microsoft update unless you know something more about it.

ESET scan found no threats and did not produce a log.

Combofix log:


ComboFix 11-12-04.04 - HALO 12/05/2011 0:00.3.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3019 [GMT 0:00]
Running from: c:\documents and settings\HALO\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
.
.
2011-12-04 06:06 . 2011-12-04 06:06 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\MpKslf0b64766.sys
2011-12-04 06:05 . 2011-12-04 06:05 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\offreg.dll
2011-12-04 06:05 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\mpengine.dll
2011-12-03 01:42 . 2011-12-03 01:42 -------- d-----w- c:\program files\ESET
2011-12-01 13:16 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-30 06:49 . 2011-12-04 00:38 -------- d-----w- c:\documents and settings\HALO\Application Data\QuickScan
2011-11-29 19:59 . 2011-11-29 19:59 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-28 20:53 . 2011-11-28 20:53 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2011-11-28 20:43 . 2008-04-14 00:06 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-11-28 20:43 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-11-28 20:42 . 2011-11-28 20:44 -------- d--h--w- c:\documents and settings\HALO\Application Data\892F1515
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 06:05 . 2011-04-11 16:21 0 ----a-w- c:\documents and settings\HALO\Local Settings\Application Data\WavXMapDrive.bat
2011-11-28 20:50 . 2011-08-01 18:37 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\WavXMapDrive.bat
2011-11-03 16:23 . 2011-06-24 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2010-07-30 04:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-03-07 13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 11:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 11:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 11:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-10 04:47 . 2011-09-10 04:47 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 04:04 . 2011-09-01 00:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-03_05.22.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-04 23:21 . 2011-12-04 23:21 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2008-04-25 16:16 . 2011-12-04 06:09 718388 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2011-12-04 06:09 172834 c:\windows\system32\perfc009.dat
+ 2011-12-04 23:21 . 2011-10-03 05:06 157472 c:\windows\system32\javaws.exe
- 2011-03-07 14:13 . 2011-02-02 21:40 157472 c:\windows\system32\javaws.exe
+ 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\javaw.exe
- 2011-03-07 14:13 . 2011-02-02 21:40 145184 c:\windows\system32\javaw.exe
- 2011-03-07 14:13 . 2011-03-07 13:58 145184 c:\windows\system32\java.exe
+ 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-04-14 159616]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-01-26 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-17 13879912]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-3-7 6144]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TdmNotify.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
backup=c:\windows\pss\TdmNotify.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 17:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-02-17 14:18 13879912 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-02-17 14:18 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2010-01-08 14:13 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/30/2010 07:14 24064]
R1 MpKslf0b64766;MpKslf0b64766;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C8AD8D-3FA1-45DA-8CEE-FB76F19B8211}\MpKslf0b64766.sys [12/4/2011 06:06 29904]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/8/2010 21:20 376688]
S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys [?]
S2 BackupService;BackupService;c:\documents and settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [7/3/2011 16:32 83512]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 19:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [4/25/2008 16:16 31360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 16:16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 19:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - MPKSLF0B64766
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009Core.job
- c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009UA.job
- c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
.
2011-12-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: watchitmove.com
TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
FF - ProfilePath - c:\documents and settings\HALO\Application Data\Mozilla\Firefox\Profiles\akgs7kj7.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-05 00:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1072)
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\WCR10.dll
.
- - - - - - - > 'lsass.exe'(1128)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1656)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-05 00:46:42
ComboFix-quarantined-files.txt 2011-12-05 00:46
ComboFix2.txt 2011-12-04 00:25
ComboFix3.txt 2011-12-03 05:39
.
Pre-Run: 464,092,274,688 bytes free
Post-Run: 464,088,932,352 bytes free
.
- - End Of File - - 3B770A1D542B459805DAEBD7306A8307
 
Spoke too soon

Oops I spoke too soon the redirect is still occurring just far less often and not on a consistent basis.
 
"no one uses Outlook on this computer."> this is Outlook Express, not Outlook- big difference. I have never seen it as the internet connection. Will remove process.

"The watchitmove.com is where I "The Man" oppress the masses ;-) in other words that's supposed to be there."> as long as you understand that the Trusted Zone has lower security settings than the internet zone. The only time I think anything in the zone might be appropriate is if there is an intranet" set up.

"The Microsoft Internationalized Domain Names Mitigation APIs looks to me to be a valid Microsoft update unless you know something more about it.> I asked you about your use of the following- I didn't say it wasn't valid. This Microsoft update are DLLs for internationalized domain name support, Unicode normalization, and mitigation support for spoofing identity threats.

This is in Add/Remove Programs, not the update section.

Since it is specific, thus my question.
=========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code: 
File::
c:\program files\safe returner\regkernelhelp.sys
c:\windows\system32\drivers\TrufosAlt.sys
c:\windows\system32\vsdatant.sys
Folder::
c:\documents and settings\HALO\Application Data\892F1515
DDS::
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C9101148-151A-470D-9CE5-C163C0361EAE} - hxxp://www.ipromote.com/assets/media/toolbars/ipromote_toolbar.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
ClearJavaCache::

Driver::
RegKernelHelp
vsdatant

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=================================
I've removed an orphan process for the Zone Alarm Firewall (S3 ;vsdatant; [2007-11-14])
I've removed an orphan process for Bit Defender Anti Virus (c:\windows\system32\drivers\TrufosAlt.sys.
Please check and see if either of these are still installed. If so, please uninstall> then use Windows Explorer to access Computer> Local Drive> Programs> find folder for each and do a right click> Delete.

I've also remove Safe Returner (S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]S ) > "Safe Returner: Very poor detection of malware, very poor cleanup of detected malware. On one test system active malware disabled Safe Returner. User interface riddled with typos and poor grammar. Bad Web reputation."
====================================
Although you were asked to uninstall any previous entry for Combofix, you did not. It indicates that some malware might have been found and quarantined, although Eset didn't show "Qoobox" entries.
====================================
See if these removals make any difference in the redirects. It is possible that the connection through Outlook Express is causing the problem. Otherwise, there's really not much showing.
===================================
Go ahead and run the following after the script above:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
Please note: if you do not set up this directory, you will have to uninstall HJT, redownload and scan to do it correctly.
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=========================================
And this: Download Security Check by screen317 from one of these links:
Link1
Link 2
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
I think that might have gotten it

ComboFix 11-12-04.04 - HALO 12/07/2011 0:49.4.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2887 [GMT 0:00]
Running from: c:\documents and settings\HALO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HALO\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\program files\safe returner\regkernelhelp.sys"
"c:\windows\system32\drivers\TrufosAlt.sys"
"c:\windows\system32\vsdatant.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\HALO\Application Data\892F1515
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_REGKERNELHELP
-------\Legacy_VSDATANT
-------\Service_RegKernelHelp
-------\Service_vsdatant
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 01:23 . 2011-12-07 01:23 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\offreg.dll
2011-12-06 06:09 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\mpengine.dll
2011-12-01 13:16 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-30 06:49 . 2011-12-04 00:38 -------- d-----w- c:\documents and settings\HALO\Application Data\QuickScan
2011-11-29 19:59 . 2011-11-29 19:59 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-28 20:53 . 2011-11-28 20:53 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2011-11-28 20:43 . 2008-04-14 00:06 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-11-28 20:43 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 01:24 . 2011-04-11 16:21 0 ----a-w- c:\documents and settings\HALO\Local Settings\Application Data\WavXMapDrive.bat
2011-11-28 20:50 . 2011-08-01 18:37 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\WavXMapDrive.bat
2011-11-03 16:23 . 2011-06-24 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2010-07-30 04:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-03-07 13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 11:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 11:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 11:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-10 04:47 . 2011-09-10 04:47 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-11-21 04:04 . 2011-09-01 00:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-03_05.22.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-07 01:24 . 2011-12-07 01:24 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2008-04-25 16:16 . 2011-12-04 06:09 718388 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2011-12-04 06:09 172834 c:\windows\system32\perfc009.dat
+ 2011-12-04 23:21 . 2011-10-03 05:06 157472 c:\windows\system32\javaws.exe
- 2011-03-07 14:13 . 2011-02-02 21:40 157472 c:\windows\system32\javaws.exe
+ 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\javaw.exe
- 2011-03-07 14:13 . 2011-02-02 21:40 145184 c:\windows\system32\javaw.exe
- 2011-03-07 14:13 . 2011-03-07 13:58 145184 c:\windows\system32\java.exe
+ 2011-12-04 23:21 . 2011-10-03 05:06 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-04-14 159616]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-01-26 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-17 13879912]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-3-7 6144]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk
backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TdmNotify.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TdmNotify.lnk
backup=c:\windows\pss\TdmNotify.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 17:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-02-17 14:18 13879912 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-02-17 14:18 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-12-29 21:35 140520 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2010-01-08 14:13 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/30/2010 07:14 24064]
R2 BackupService;BackupService;c:\documents and settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [7/3/2011 16:32 83512]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/8/2010 21:20 376688]
S1 MpKsl212416e5;MpKsl212416e5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\MpKsl212416e5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED62BB14-23EA-4914-9202-4A8ACC04862B}\MpKsl212416e5.sys [?]
S1 MpKslcb6bd7e8;MpKslcb6bd7e8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE63D181-A450-415E-8E78-281938D2850B}\MpKslcb6bd7e8.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 19:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [4/25/2008 16:16 31360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2010 16:42 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 16:16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 19:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-30 16:41]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009Core.job
- c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-886209288-1299174467-1129114233-1009UA.job
- c:\documents and settings\HALO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-09 23:55]
.
2011-12-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: watchitmove.com
TCP: Interfaces\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
FF - ProfilePath - c:\documents and settings\HALO\Application Data\Mozilla\Firefox\Profiles\akgs7kj7.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 01:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\WCR10.dll
.
- - - - - - - > 'lsass.exe'(1136)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-12-07 01:40:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 01:40
ComboFix2.txt 2011-12-05 00:46
ComboFix3.txt 2011-12-04 00:25
ComboFix4.txt 2011-12-03 05:39
.
Pre-Run: 463,892,738,048 bytes free
Post-Run: 464,149,905,408 bytes free
.
- - End Of File - - 3BCD143D50E55CDC317C65CB7BE8B94C

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 02:15:38, on 12/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Documents and Settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HALO\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.watchitmove.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{11A44DF7-6A7D-4168-8DFF-573DB7F8E5EE}: NameServer = 204.117.214.10,199.2.252.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BackupService - ArcSoft, Inc. - C:\Documents and Settings\HALO\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

--
End of file - 7239 bytes


Results of screen317's Security Check version 0.99.28
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 29
Adobe Flash Player 11.0.1.152
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (8.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````
 
Okay, these logs look clean!

Please update the Adobe Reader.Visit this Adobe Reader site Uninstall any earlier updates as they are vulnerabilities.
======================================
Since the redirects have been resolved, you can remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
=========================================
I'm going to leave you some suggestions for added security. Although the MVPs won't admit it, I do not think having MSE alone offers full protection. Some of these may not apply to you now, but keep the list handy:

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o]Antivirus :(only one):Both of the following programs are free and known to be good:
    [o]Avira-AntiVir-Personal-Free-Antivirus
    [o]Avast-Free Antivirus
    [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
    [o]Comodo
    [o]Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o]Spybot Search & Destroy
  4. Updates: Stay current:
    [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
    [o]Adobe Reader Install current, uninstall old.
    [o]Java Updates Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner]
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o]See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.

Let me know if you have any more questions.
 
Status
Not open for further replies.

Similar threads

A
Windows 10 Enterprise and Education editions will soon enter end of life status
Replies
12
Views
234
Lounds
L
uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
784
uber_beetle
uber_beetle
Daniel Sims
Microsoft confirms standalone Office 2024 is coming to Windows and Mac later this year
Replies
15
Views
288
Gezzer
G

Latest posts

Back