
[Pirated OS] System Check malware

Discussion in 'Virus and Malware Removal' started by Donjohnny, Mar 27, 2012.

  1. Bobbye Helper on the Fringe Posts: 16,406   +16

    From OTM: Total Files Cleaned = 1,418.00 mb. This is way too many unneeded files to be on the system. Please set up a regular maintenance schedule and follow it.
    ------------------------------------------
    OTL Custom Scan Fixes
    • Run OTL
    • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:
      Code:
      :OTL
      PRC - C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
      FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll File not found
      [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\*.tmp files -> C:\*.tmp -> ]
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
      O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
      [2012/03/25 10:11:04 | 000,000,000 | -HSD | C] -- C:\found.000
      [2012/03/29 16:59:09 | 000,127,547 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\setup_av_free.exe
      [2012/03/26 19:12:52 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\h94rnms4.exe
      [2012/03/23 18:30:56 | 000,000,264 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
      [2012/03/23 18:30:56 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pqr
      [2012/03/23 18:17:46 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
      [2012/03/23 18:17:46 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\System Check.lnk
      [2012/03/23 18:17:37 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq
      [2012/03/15 19:56:46 | 000,488,848 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
      [2012/03/15 19:56:45 | 000,089,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
      [2012/03/31 11:06:44 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
      [2012/03/29 16:59:23 | 000,127,547 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\setup_av_free.exe
      [2012/03/26 19:12:52 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\h94rnms4.exe
      [2012/03/23 18:30:56 | 000,000,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
      [2012/03/23 18:30:56 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pqr
      [2012/03/23 18:17:46 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\System Check.lnk
      [2012/03/23 18:17:37 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq
      [2009/08/30 09:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Viewpoint
      [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\temp\RarSFX2\h\explorer.exe
      [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\temp\RarSFX3\h\explorer.exe
      [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\temp\RarSFX6\h\explorer.exe
      [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\temp\RarSFX7\h\explorer.exe
      [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\TimH\Local Settings\temp\RarSFX1\h\explorer.exe
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "HijackThis" 
      :Files
      C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe 
      ipconfig /flushdns /c
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [emptyjava]
      [resethosts]
      [CreateRestorePoint]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run uninterrupted, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
    ===================================================
    If you have updated Java as instructed and run JavaRa, open each browser> Tools> Manage Addons> in the Extensions, plugins and Java Console sections, highlight and remove ALL Java except for Java v6u31.
    ==================================================
    There are entries now in the Recycler that need to be removed:

    Although Mbam says it deleted these entries, it cannot actually delete the Recycler folder contents; that has to be done manually.
    Note in the above: This is the identification number (SID) of the account with the entries to be removed:

    S-1-5-21-1482476501-1606980848-725345543-1003
    -----------------------------------
    The Recycler folder is a hidden folder where the files you delete are stored until you empty the Recycle Bin on an NTFS partition.

    The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). Example: S-1-5-21-330564415-2671475969-752554860-1006

    Note: The Recycle Bin on the Desktop must be empty. Close any running programs.

    1. Clear the Recycler using Command Prompt
    1. Click on Start> Run> type in cmd> (OS version dependent)> enter
    2. Right-click cmd.exe> click Run as administrator> Continue
    3. At the elevated command prompt type> rd /s /q c:\recycler
      Note: If C is not the Hard Drive letter, change the c in the entry to the Drive letter.
    4. Windows will create a new recycler for the drive when the computer is rebooted.
    OR
    2. Clear the Recycler using Windows Explorer
    1. Right click on Start> Explore> Computer> Local Drive
    2. Go to Tools> Folder Options> View tab
    3. Check 'show hidden files and folders'
    4. Uncheck 'hide protected system files (Recommended)'
    5. Click Yes to confirm
    6. Double click C Drive> Scroll down to and double click on the Recycler
    7. Highlight all the files> Hold shift and press the Delete key

    Reset the Hidden files and folders
    • Go back to Folder Options> View tab
      • Check 'do not show hidden files and folders'
      • Recheck 'hide protected system files (Recommended)'
      • Click on OK> Apply> OK> Exit Windows Explorer.
    -------------------------------
    Do not be upset if emptying the Recycler doesn't work. Sometimes it won't, even when everything is done right. The contents will eventually be overwritten.
    =====================================================
    Reboot the computer.
    ====================================================
    Let me know how the system is doing and what symptoms of the malware remain, if any.
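As an added triage aid (not part of the original thread, and not OTL's own code), this Python script parses OTL file-listing lines of the kind pasted in the fix above and flags the entries a helper would look at first: random-looking unsigned files under Application Data, a core Windows binary name outside C:\WINDOWS, implausibly small executables, and the rogue "System Check" shortcuts. The flagging rules are my own heuristics, and the embedded sample lines are copied from the fix with a few benign lines added for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# An OTL file-listing line, as pasted in the fix above, has the shape
#   [2012/03/23 18:30:56 | 000,000,264 | ---- | M] () -- C:\...\~1gKeUlddAhu4pq
#   [2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6... -- C:\...\explorer.exe
#   [2009/08/30 09:14:08 | 000,000,000 | ---D | M] -- C:\...\Viewpoint
# i.e. timestamp | size | attribute flags | M(odified)/C(reated), then an optional
# "(company)" and an optional "MD5=..." before "-- path".
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?(?:MD5=(?P<md5>[0-9A-Fa-f]{32}) )?-- (?P<path>.+)$"
)
# Core Windows binaries that should only live under the Windows directory.
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "lsass.exe"}

@dataclass
class OtlEntry:
    timestamp: str
    size: int               # bytes, comma grouping removed
    attrs: str              # e.g. "----", "---D", "-HSD"
    kind: str               # "M" = modified-date listing, "C" = created-date listing
    company: Optional[str]  # None when OTL printed "()" or no company field at all
    md5: Optional[str]
    path: str

def parse_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for an OTL file line, or None for any other kind of line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(m.group("ts"), int(m.group("size").replace(",", "")), m.group("attrs"),
                    m.group("kind"), m.group("company") or None, m.group("md5"), m.group("path"))

def looks_random(stem: str) -> bool:
    """Constructed heuristic: extension-less, 10+ alphanumeric chars mixing letters and digits."""
    if "." in stem or len(stem) < 10 or not stem.isalnum():
        return False
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)

def flag_entry(e: OtlEntry) -> List[str]:
    """Apply the triage rules to one entry; return the reasons it deserves a look (may be empty)."""
    reasons: List[str] = []
    base = e.path.rsplit("\\", 1)[-1].lower()
    path_l = e.path.lower()
    # Rule 1: unsigned, random-looking files dropped straight into an Application Data folder.
    if ("application data" in path_l and "D" not in e.attrs and not e.company
            and looks_random(base.lstrip("~"))):
        reasons.append("random-looking file name under Application Data")
    # Rule 2: a core Windows binary name living outside C:\WINDOWS (e.g. an SFX temp folder).
    if base in SYSTEM_BINARY_NAMES and not path_l.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\WINDOWS")
    # Rule 3: an .exe far too small to be a real program (the genuine explorer.exe is about 1 MB).
    if base.endswith(".exe") and 0 < e.size < 4096:
        reasons.append("implausibly small executable")
    # Rule 4: shortcuts named after the rogue "System Check" program this thread is about.
    if base.endswith(".lnk") and "system check" in base:
        reasons.append("shortcut to the rogue 'System Check' program")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Parse every OTL file line in log_text; map each flagged path to its (deduplicated) reasons."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in flag_entry(entry):
            bucket = findings.setdefault(entry.path, [])
            if reason not in bucket:
                bucket.append(reason)
    return findings

# Constructed sample: lines copied from the fix in the thread plus benign ones for contrast
# (the same file appears once under its M date and once under its C date, as OTL lists it).
SAMPLE_LOG = r"""
[2012/03/29 16:59:09 | 000,127,547 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\setup_av_free.exe
[2012/03/23 18:30:56 | 000,000,264 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
[2012/03/23 18:30:56 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pqr
[2012/03/23 18:17:46 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\System Check.lnk
[2012/03/23 18:17:37 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq
[2012/03/15 19:56:46 | 000,488,848 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/23 18:30:56 | 000,000,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
[2009/08/30 09:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Viewpoint
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\temp\RarSFX2\h\explorer.exe
"""

def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the embedded sample."""
    return triage(SAMPLE_LOG)

if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path, "->", "; ".join(reasons))
```

Paste a full OTL log into `triage()` to get the same short list for a real scan; anything it does not flag still needs a human eye, since the rules only encode the patterns visible in this thread.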
  2. Donjohnny Newcomer, in training Posts: 37

    OTL got stuck at (processing Registry data "Hijack This"....)
    After an hour I shut the computer down. I retried but it then did it again. The computer did not freeze; it just never got past the Hijack stage.
  3. Bobbye Helper on the Fringe Posts: 16,406   +16

    Boot into Safe Mode - just plain Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    ---------------------------------
    Using Windows key + E> open Windows Explorer> then do the following:

    Show Hidden Folders/Files
      • Go to Tools > Folder Options.
      • Select the View tab.
      • Scroll down to Hidden files and folders.
      • Select Show hidden files and folders.
      • Uncheck Hide extensions of known file types.
      • Uncheck Hide protected operating system files (Recommended).
      • Click Yes when prompted.
      • Click OK.
      ---------------------------------------------------
      Go to Documents & Settings for All users> Application Data> Look for each of the following and do a RIGHT click> Delete>
      C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
      C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pqr
      C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq

      Now go to Documents & Settings for TimH> Desktop> Find the following and do a RIGHT click> Delete>
      C:\Documents and Settings\TimH\Desktop\System Check.lnk

      Go back to Tools> Folder Options> View tab> Check 'don't show hidden files & folders'> Check 'Hide protected system files & folders (Recommended)'

      Close Windows Explorer. Reboot the computer into Normal Mode.
      =================================
      Let me know as clearly as possible what problems remain.
  4. Donjohnny Newcomer, in training Posts: 37

    When I went to delete the files you listed:
    C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pq
    C:\Documents and Settings\All Users\Application Data\~1gKeUlddAhu4pqr
    C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq
    they were gone. I suspect that OTL ran long enough to dispose of them. I noticed that when I booted up in normal mode that the shortcuts on the desktop and toolbar were gone.
    I then booted into normal mode and ran a quick OTL scan.
    I then cleared the Recycler. The file you wanted me to delete would not. However it had disappeared after I restarted the computer.
    I still have a Google redirect virus. I can search Google without a problem. However when I click on a link it redirects me. It attempted to download something however IE asked if I wanted to download a program so I stopped it.
  5. Donjohnny Newcomer, in training Posts: 37

    OTL logfile created on: 4/18/2012 6:22:16 PM - Run 2
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\TimH\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    894.96 Mb Total Physical Memory | 352.54 Mb Available Physical Memory | 39.39% Memory free
    1.59 Gb Paging File | 1.10 Gb Available in Paging File | 69.47% Paging File free
    Paging file location(s): C:\pagefile.sys 800 800 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 93.15 Gb Total Space | 40.04 Gb Free Space | 42.99% Space Free | Partition Type: NTFS

    Computer Name: TOSHIBA_P35-S60 | User Name: TimH | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\TimH\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe (COMODO)
    PRC - C:\Program Files\Comodo\COMODO Internet Security\cfp.exe (COMODO)
    PRC - C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
    PRC - C:\Program Files\Comodo\COMODO GeekBuddy\CLPS.exe (COMODO)
    PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    PRC - C:\WINDOWS\system32\ntvdm.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe (Autodesk)
    PRC - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe (Autodesk)
    PRC - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
    PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)
    PRC - C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe (COMPAL ELECTRONIC INC.)
    PRC - C:\Program Files\TOSHIBA\TouchPad\TPTray.exe (COMPAL ELECTRONIC INC.)
    PRC - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
    PRC - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)


    ========== Modules (No Company Name) ==========

    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\db1d2470de43ffcb6f562277208d56e5\System.Web.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\56e433394df8d44e43690a855e403555\System.ServiceProcess.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d96906db18e87ffe2e08f6cda7e2be0f\System.Windows.Forms.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\8d886cdc2ca5f0ff97cd1afe8773bb6e\System.Drawing.ni.dll ()
    MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\e9ba004858dcdb5958d86f26f043f85a\System.Web.Services.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll ()
    MOD - C:\Program Files\Comodo\COMODO Internet Security\scanners\smart.cav ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Adaptor.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\GuiListener\export.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\Socket\Export.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\Export.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\RemoteDesktop\ShHook.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\CRF\export.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\export.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\Components\Core\EventMonitor\EventMonitor.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\CLPS_RES.dll ()
    MOD - C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLANG.dll ()
    MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
    MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
    MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()


    ========== Win32 Services (SafeList) ==========

    SRV - (cmdAgent) -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe (COMODO)
    SRV - (CLPSLS) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
    SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
    SRV - (Autodesk Data Management Job Dispatch) -- C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe (Autodesk)
    SRV - (Autodesk EDM Server) -- C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe (Autodesk)
    SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (WDICA) -- File not found
    DRV - (PDRFRAME) -- File not found
    DRV - (PDRELI) -- File not found
    DRV - (PDFRAME) -- File not found
    DRV - (PDCOMP) -- File not found
    DRV - (PCIDump) -- File not found
    DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
    DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
    DRV - (lbrtfdc) -- File not found
    DRV - (i2omgmt) -- File not found
    DRV - (Changer) -- File not found
    DRV - (catchme) -- C:\DOCUME~1\TimH\LOCALS~1\Temp\catchme.sys File not found
    DRV - (cmdGuard) -- C:\WINDOWS\system32\drivers\cmdGuard.sys (COMODO)
    DRV - (cmderd) -- C:\WINDOWS\system32\drivers\cmderd.sys (COMODO)
    DRV - (dtsoftbus01) -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys (DT Soft Ltd)
    DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
    DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
    DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
    DRV - (SIVDRIVER) -- C:\WINDOWS\system32\drivers\SIVX32.sys (Ray Hinchliffe)
    DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
    DRV - (GoProto) -- C:\WINDOWS\system32\drivers\goprot51.sys (Gteko Ltd.)
    DRV - (ser2plms) -- C:\WINDOWS\system32\drivers\ser2plms.sys (Prolific Technology Inc.)
    DRV - (AR5211) -- C:\WINDOWS\system32\drivers\SHP5211.sys (Atheros Communications, Inc.)
    DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
    DRV - (SrvcSSIOMngr) -- C:\WINDOWS\system32\drivers\SSIOMngr.sys (COMPAL ELECTRONIC INC.)
    DRV - (SrvcTPIOMngr) -- C:\WINDOWS\system32\drivers\TPIOMngr.sys (COMPAL ELECTRONIC INC.)
    DRV - (SrvcEKIOMngr) -- C:\WINDOWS\system32\drivers\EKIOMngr.sys (COMPAL ELECTRONIC INC.)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (ESMCR) -- C:\WINDOWS\system32\drivers\ESM7SK.sys (ENE Technology Inc.)
    DRV - (ESDCR) -- C:\WINDOWS\system32\drivers\ESD7SK.sys (ENE Technology Inc.)
    DRV - (EMSCR) -- C:\WINDOWS\system32\drivers\EMS7SK.sys (ENE Technology Inc.)
    DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
    DRV - (SDDMI2) -- C:\WINDOWS\system32\DDMI2.sys (Gteko Ltd.)
    DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
    DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura)
    DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
    DRV - (caboagp) -- C:\WINDOWS\system32\drivers\atisgkaf.SYS (ATI Technologies Inc.)
    DRV - (TBiosDrv) -- C:\WINDOWS\system32\drivers\tbiosdrv.sys ()


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\..\SearchScopes,DefaultScope = {93C88016-6213-460F-ADAF-5FD1532C0322}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKCU\..\SearchScopes\{93C88016-6213-460F-ADAF-5FD1532C0322}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "www.osu.edu"
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.3
    FF - prefs.js..extensions.enabledItems: addonssidebar@studio17.wordpress.com:3.8
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.2
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.8: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/15 19:52:43 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/15 19:52:43 | 000,000,000 | ---D | M]

    [2008/09/11 10:00:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\TimH\Application Data\Mozilla\Extensions
    [2012/03/22 19:57:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\extensions
    [2011/02/18 20:39:14 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
    [2012/01/06 17:57:07 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2009/11/16 19:02:33 | 000,000,000 | ---D | M] (Add-ons Sidebar) -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\extensions\addonssidebar@studio17.wordpress.com
    [2010/09/28 14:03:16 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\searchplugins\bing.xml
    [2007/11/03 09:49:22 | 000,002,520 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Mozilla\Firefox\Profiles\ydi713l2.default\searchplugins\mozilla-add-ons.xml
    [2012/04/16 19:19:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/21 17:37:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/17 18:04:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/10/26 19:38:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/01/05 23:27:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/02/18 17:56:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/06/20 20:30:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    [2012/04/07 18:57:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2012/04/07 18:56:23 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2009/09/02 05:28:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2012/04/07 18:56:22 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
    CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O2 - BHO: (CPrintEnhancer Object) - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll (Hewlett-Packard Co.)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe (COMPAL ELECTRONIC INC.)
    O4 - HKLM..\Run: [COMODO] C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLA.exe (COMODO)
    O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
    O4 - HKLM..\Run: [CPA] C:\Program Files\Comodo\COMODO GeekBuddy\VALA.exe (COMODO)
    O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
    O4 - HKLM..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW File not found
    O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe (OLYMPUS IMAGING CORP.)
    O4 - HKLM..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe (COMPAL ELECTRONIC INC.)
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
    O4 - HKCU..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
    O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Interface File.lnk = C:\EPICXL\Agcosi_eu.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165632870640 (WUWebControl Class)
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab (WebBrowserType Class)
    O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\TimH\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\TimH\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/12/08 20:05:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{2b1ad084-60da-11df-a3ef-000fb084483e}\Shell - "" = AutoRun
    O33 - MountPoints2\{2b1ad084-60da-11df-a3ef-000fb084483e}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{2b1ad084-60da-11df-a3ef-000fb084483e}\Shell\AutoRun\command - "" = E:\laucher.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/04/17 16:21:02 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/04/16 22:03:40 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TimH\Recent
    [2012/04/07 19:10:32 | 000,000,000 | ---D | C] -- C:\_OTM
    [2012/04/07 19:09:44 | 000,523,264 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TimH\Desktop\OTM.exe
    [2012/04/07 19:06:39 | 000,400,384 | ---- | C] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Documents and Settings\TimH\Desktop\JavaRa.exe
    [2012/04/07 11:32:47 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TimH\Desktop\OTL.exe
    [2012/04/07 09:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2012/04/07 09:17:19 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\TimH\Desktop\esetsmartinstaller_enu.exe
    [2012/04/01 10:52:57 | 000,389,024 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\TimH\Desktop\unhide.exe
    [2012/03/31 11:06:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
    [2012/03/31 11:06:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG Free 9.0
    [2012/03/31 10:54:45 | 000,000,000 | ---D | C] -- C:\VritualRoot
    [2012/03/29 19:20:19 | 004,448,838 | R--- | C] (Swearware) -- C:\Documents and Settings\TimH\Desktop\ComboFix.exe
    [2012/03/29 17:14:38 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/03/29 17:13:50 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
    [2012/03/29 17:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CPA_VA
    [2012/03/29 17:10:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\COMODO
    [2012/03/29 17:06:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo
    [2012/03/29 17:05:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Comodo
    [2012/03/29 17:05:34 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
    [2012/03/29 16:07:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2012/03/27 21:11:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
    [2012/03/27 19:43:06 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\TimH\Desktop\dds.exe
    [2012/03/27 19:15:23 | 009,601,504 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\TimH\Desktop\AppRemover.exe
    [2012/03/23 18:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TimH\Start Menu\Programs\System Check

    ========== Files - Modified Within 30 Days ==========

    [2012/04/18 18:23:01 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1606980848-725345543-1003UA.job
    [2012/04/18 18:21:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/04/18 18:20:45 | 000,129,873 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
    [2012/04/18 16:23:03 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1606980848-725345543-1003Core.job
    [2012/04/17 20:34:43 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\TimH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/04/17 17:41:49 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
    [2012/04/15 21:29:02 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\Google Chrome.lnk
    [2012/04/14 09:28:24 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/13 17:27:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/04/11 20:15:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/04/10 19:51:38 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Streets & Trips 2007 with GPS Locator.lnk
    [2012/04/07 19:09:49 | 000,523,264 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TimH\Desktop\OTM.exe
    [2012/04/07 19:05:54 | 000,160,350 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\JavaRa.zip
    [2012/04/07 11:32:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TimH\Desktop\OTL.exe
    [2012/04/07 09:17:28 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\TimH\Desktop\esetsmartinstaller_enu.exe
    [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/04/03 17:26:55 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/04/01 11:07:51 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\TimH\Desktop\iExplore.exe
    [2012/04/01 10:52:59 | 000,389,024 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\TimH\Desktop\unhide.exe
    [2012/03/31 12:12:02 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2012/03/29 19:20:19 | 004,448,838 | R--- | M] (Swearware) -- C:\Documents and Settings\TimH\Desktop\ComboFix.exe
    [2012/03/29 17:06:47 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Antivirus.lnk
    [2012/03/29 17:06:03 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
    [2012/03/29 17:06:03 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO GeekBuddy.lnk
    [2012/03/29 17:05:42 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Comodo Dragon.lnk
    [2012/03/27 19:44:08 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\TimH\Desktop\dds.exe
    [2012/03/27 19:15:23 | 009,601,504 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\TimH\Desktop\AppRemover.exe

    ========== Files Created - No Company Name ==========

    [2012/04/14 09:28:24 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/07 19:06:39 | 000,309,308 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\JavaRa.def
    [2012/04/07 19:06:39 | 000,003,127 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Nederlands.lng
    [2012/04/07 19:06:39 | 000,003,027 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Français.lng
    [2012/04/07 19:06:39 | 000,002,946 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Español.lng
    [2012/04/07 19:06:39 | 000,002,920 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Italiano.lng
    [2012/04/07 19:06:39 | 000,002,699 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Deutsch.lng
    [2012/04/07 19:06:39 | 000,002,553 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\Suomi.lng
    [2012/04/07 19:05:53 | 000,160,350 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\JavaRa.zip
    [2012/04/01 11:07:47 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\TimH\Desktop\iExplore.exe
    [2012/03/31 11:30:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/03/29 17:10:41 | 000,129,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfi.dat
    [2012/03/29 17:06:47 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Antivirus.lnk
    [2012/03/29 17:06:03 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
    [2012/03/29 17:06:03 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO GeekBuddy.lnk
    [2012/03/29 17:05:42 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Comodo Dragon.lnk
    [2012/03/26 16:54:11 | 000,002,501 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
    [2012/03/26 16:54:11 | 000,002,449 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Streets & Trips 2007 with GPS Locator.lnk
    [2012/03/26 16:54:11 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/03/26 16:54:11 | 000,001,493 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2012/03/26 16:54:11 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop 7.0.lnk
    [2012/03/26 16:54:11 | 000,000,809 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to compupic.exe.lnk
    [2012/03/26 16:54:11 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\TimH\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/03/26 16:54:10 | 000,001,543 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Mail.lnk
    [2012/03/26 16:54:10 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Update.lnk
    [2012/03/26 16:54:10 | 000,000,523 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Interface File.lnk
    [2012/03/26 16:54:09 | 000,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    [2012/03/26 16:54:09 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    [2012/03/26 16:54:08 | 000,002,437 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Streets & Trips 2007 with GPS Locator.lnk
    [2012/03/26 16:53:58 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
    [2012/02/17 17:11:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/11/04 17:29:40 | 000,001,611 | ---- | C] () -- C:\WINDOWS\apcs_bak.ini
    [2011/11/04 16:55:57 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
    [2011/11/04 16:52:01 | 000,002,034 | ---- | C] () -- C:\WINDOWS\apcs.ini
    [2011/08/05 04:57:57 | 000,000,026 | ---- | C] () -- C:\WINDOWS\DfrgUIEx.INI

    ========== LOP Check ==========

    [2007/10/06 08:55:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
    [2011/03/14 23:21:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/03/29 19:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CPA_VA
    [2011/11/04 16:44:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2007/10/13 08:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/09/19 09:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2007/09/11 19:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\acccore
    [2007/10/03 06:02:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Ansys
    [2007/11/10 15:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Autodesk
    [2011/11/04 16:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\DAEMON Tools Lite
    [2008/12/30 17:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\GARMIN
    [2007/09/30 17:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Image Zone Express
    [2006/12/08 23:53:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Leadertech
    [2006/12/10 03:43:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\OfficeUpdate12
    [2007/09/05 20:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TimH\Application Data\Printer Info Cache

    ========== Purity Check ==========


    < End of report >
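A small triage script, added here as an example (it is not part of the thread and not OTL's own code), that parses OTL lines like the ones in the report above and flags the entries a helper looks at first: the MountPoints2 AutoRun command pointing at E:\laucher.exe, Run entries OTL marks "File not found", and autostart items with an empty publisher. The sample lines are copied from the log; the flagging rules are this example's own assumptions.

```python
"""Triage helper for OTL-style log lines (added example; not part of the
thread above and not OTL's own code). It parses the "Oxx - ..." entries the
way a helper reads them and flags the ones worth a second look."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the OTL report above; the flagging rules below are
# this example's own assumptions about what a helper checks first.
SAMPLE_LINES = [
    r'O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)',
    r'O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()',
    r'O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)',
    r'O4 - HKLM..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW File not found',
    r'O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Interface File.lnk = C:\EPICXL\Agcosi_eu.exe ()',
    r'O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)',
    r'O33 - MountPoints2\{2b1ad084-60da-11df-a3ef-000fb084483e}\Shell\AutoRun\command - "" = E:\laucher.exe',
]

LINE_RE = re.compile(r"^\s*(O\d+)\s+-\s+(.*?)\s*$")
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(Company)" block
# MountPoints2 ...\Shell\AutoRun\command entries run a file when that drive is opened
REMOVABLE_AUTORUN_RE = re.compile(r"MountPoints2\\.*\\Shell\\AutoRun\\command\b", re.IGNORECASE)
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20"}  # BHOs, toolbars, Run keys, Winlogon


@dataclass
class Entry:
    section: str              # "O4", "O33", ...
    body: str                 # text after "Oxx - "
    publisher: Optional[str]  # trailing "(Company)"; "" when empty, None when absent
    missing: bool             # OTL appends "File not found" when the target is gone


def parse_line(line: str) -> Optional[Entry]:
    """Split one OTL line into its section tag, body, publisher and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith("File not found")
    publisher = None
    pm = PUBLISHER_RE.search(body)
    if pm and not missing:
        publisher = pm.group(1).strip()
    return Entry(section, body, publisher, missing)


def autorun_target(body: str) -> Optional[str]:
    """Return the command an O33 AutoRun\\command entry points at."""
    m = re.search(r"=\s*(.+?)\s*$", body)
    return m.group(1) if m else None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for every line worth a closer look."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O33" and REMOVABLE_AUTORUN_RE.search(e.body):
            findings.append((e.section, "removable-drive AutoRun command", e.body))
        elif e.missing:
            findings.append((e.section, "autostart target missing on disk", e.body))
        elif e.section in AUTOSTART_SECTIONS and e.publisher == "":
            findings.append((e.section, "autostart item with no publisher", e.body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LINES):
        print(f"{section:4} {reason:36} {body}")
```

A flagged entry is a starting point for a look at the file, not a verdict; plenty of legitimate software ships unsigned or leaves stale Run keys behind.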
  6. Bobbye Helper on the Fringe Posts: 16,406   +16

    You still have the redirect because nothing to remove malware will run- but we'll do a bit of checking:

    First: Describe as clearly as possible what you are calling a Google redirect.

    You ran OTL, but can't run the fix.
    You can't run TDSSKiller
    Malwarebytes is clean.
    Can't run DDS, Combofix, TDSSKiller
    ---------------------------------------------------------
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be saved and then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  7. Donjohnny Newcomer, in training Posts: 37

    When using Google, Bing, or Yahoo the search functions would operate normally. When you would click on a link the page that opens would not be the link you clicked on. Ex: click on techspot.com and the search special would come up. It would first start loading youngestangels.com then the address would change to the page that would load. In other instances it would have youngest angels in the address bar then just reload the search page even if it was opened in another tab. This would not always happen but in spurts. The first three pages might open followed by maybe ten that would get redirected.
  8. Donjohnny Newcomer, in training Posts: 37

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:11:09 PM, on 4/18/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    O4 - HKLM\..\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TimH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Interface File.lnk = C:\EPICXL\Agcosi_eu.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165632870640
    O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    --
    End of file - 9267 bytes
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    You have 3 browsers configured: Chrome, Firefox and Internet Explorer. Which do you use the most? Does the redirect happen with all 3 browsers? If not, which browser redirects?

    It's curious because in OTL, I see several entries for Search Scopes in IE. I had some removals set for them, but you can't run it.

  10. Donjohnny Newcomer, in training Posts: 37

    I have tried it in Chrome and in IE. It seems to happen in both of them equally. I have not tried it in Firefox despite Firefox being my browser of choice. Since I got the virus I have only used IE except starting up Chrome to check the redirect. IE is also my default browser. Later I will try Firefox and see how it acts.
  11. Bobbye Helper on the Fringe Posts: 16,406   +16

    I can't get consistent information on the dot com domain name you gave me. You are not describing a typical redirect. You can reset the browsers.

    Clarifying this:
    If you have a Windows operating system, Internet Explorer is the default browser. If you would rather that Firefox be the default browser, you would do this:

    Launch Firefox> Click on Tools> Options> Advanced> General tab> System Default section> Check "Always check to see if Firefox is my default browser"> Press "Check Now"> it will say something like "Firefox isn't the default- would you like it to be?"> Check 'Yes.'

    Then open Internet Explorer> Tools> Internet Options (or you can access Internet Options without using IE by going to the Control Panel> Internet Options)> Programs tab> Uncheck "Internet Explorer should check if it is the default browser"> Then click on Apply> OK.

    Reboot the computer.

    Now that you have made Firefox the default browser, any time you click on a link, it will open in Firefox.

    See if that helps. If it does, I have one more step.
  12. Donjohnny Newcomer, in training Posts: 37

    I followed your instructions and made Firefox the default browser, then I did some Google searches to test it out.
    I did the same search in Firefox, IE and Chrome. I tried to click on the same links in every search. During each search I clicked on 3 links and below is what they did.

    IE with Google.
    Clicked on a link; the address bar said coachleather.com, then loaded click.get-answers-fast.com.
    Clicked on a link; the address bar said coachleather.com, then loaded click.expandedsearchanswers.com.
    Clicked on a link; the address bar said coachleather.com, then loaded the Google link address but failed to load the page.

    IE with Yahoo
    Clicked on a link; the address bar said coachleather.com, then loaded another page that then redirected me to a third page. I closed out because I was concerned about additional viruses.
    The same happened for the second link I clicked on.
    The third link actually loaded what I clicked on.

    Chrome with Google
    Clicked on a link; the address bar said search.zoyco.com, then loaded beesq.net.
    Clicked on a link; the address bar said search.zoyco.com, then loaded indexerq.net.
    Clicked on a link; the address bar said clicks.the special search.com, then loaded dsnextgen.com.

    Chrome with Yahoo
    First link loaded just fine.
    Second link loaded just fine, then Chrome crashed.
    Third link: the address bar said "arb", I did not catch the rest, then it loaded another page (not the one I clicked on).

    Firefox with Google
    First link: the address bar said youngestangels.com, then started to load the correct link, then it read youngestangels.com again and reloaded the Google search.
    Second and third link did the same.

    Firefox with Yahoo
    First, second and third link loaded properly.
    As I was typing this on a second computer Firefox crashed.

    When I start up Word I get the notice "The add-in template is not valid. (C:\Program Files\...\$FMaker.dot)"
  13. Bobbye Helper on the Fringe Posts: 16,406   +16

    This is caused by a corrupt Office Document Template trying to load either when you start Windows, when you start MS Office, or when a document requests a virus scan and you have Norton installed.

    Click Start> All Programs> point to Startup. If ~$FMaker.dot is present in the Startup folder, right click on it and choose "Delete".

    If you don't find it the above way:

    Navigate to C:\Program Files\Microsoft Office\Office\Startup. Do you see ~$FMaker.dot in that folder? If so, do the right click> Delete

    I don't think this is related to the redirect>>>unless the malware has corrupted something in the browser. I'll help you work on that tomorrow.
  14. Donjohnny Newcomer, in training Posts: 37

    I deleted FMaker.dot and now get no warning from Word on start up.
  15. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay! That is good news!

    Are you still getting the redirects? All browsers? How often?
  16. Donjohnny Newcomer, in training Posts: 37

    A little after starting, the following message pops up in a warning box with the Java logo: "Jusched.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

    I could not get Flash to update; it said that the installer failed.

    About half of my clicks off of search engines were redirected. This happens with all browsers and with Bing, Google, and Yahoo. Google Images will not load more than the first set of images; however, all other search engines loaded images just fine.
    I have attached an example of a redirect below.

    Edit: Search redirect hyperlinks have been deleted by Bobbye.

    I also get random pop-up ads in Internet Explorer even if I am just on TechSpot. This does not happen all the time.
  17. Bobbye Helper on the Fringe Posts: 16,406   +16

    Unless we can get something to run that will remove the malware, your only option will be to do a reformat/reinstall.

    Please run the MGA Diagnostics tool.
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This step is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows is it?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ================================================
    Download Security Check by screen317 and save to the desktop
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document called checkup.txt should open automatically.
    • Post the contents of that document.
    ===============================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================

    I see some processes for Daemon running. You were supposed to remove it.
  18. Donjohnny Newcomer, in training Posts: 37

    I am not proud to admit this, but my system is bootlegged (the computer was a gift from the previous owner's widow). I am unable to get the copy he had. Bootlegged systems are a pain; I will never own one again. Do you have an alternative to the first step?
  19. Bobbye Helper on the Fringe Posts: 16,406   +16

    I had a feeling that the system wasn't legitimate. With all I had you run, if the system had had a legitimate license and been properly validated, it would have been clean.

    I do not support piracy. The fact that you knew this and continued to ask for my help for a month is very disturbing.

    This thread is closed. It will NOT be reopened.