Solved Redirect problem, hijack this report included. Please help

It looks like you didn't...

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

======================================================================

Update Firefox to the latest 3.6.15 version.

======================================================================

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

...and Eset....
 
Many issues this morning. All programs slow and internet connection non-existent. Ping times out, yet the modem and router login show a connection available. Java is up to date according to the link, yet it is crashing a few minutes after restarting the computer. Sending error report but not debugging. Updates seem to have made this bug mad lol. Can only access the internet after running rkill (sorry, but had to try something).

latest rkill...

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/15/2011 at 10:42:11.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe


Rkill completed on 03/15/2011 at 10:42:15.



eset from last night.........

C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rb_track_install.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP639\A0093940.exe a variant of Win32/Kryptik.LJM trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0100028.dll probably a variant of Win32/Wimpixo.AA trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0100096.exe Win32/Adware.SpywareProtect2009 application
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104182.exe a variant of Win32/Kryptik.HIN trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104183.exe a variant of Win32/Kryptik.HIN trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104184.exe a variant of Win32/Kryptik.HIN trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104185.exe a variant of Win32/Kryptik.HIN trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104186.exe a variant of Win32/Kryptik.HIN trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104187.exe a variant of Win32/Kryptik.HIN trojan
C:\WINDOWS\system32\123.js JS/TrojanDownloader.Agent.NWG trojan
C:\WINDOWS\system32\12543.js JS/TrojanDownloader.Agent.NWG trojan
C:\_OTL\MovedFiles\03142011_232951\C_Documents and Settings\USER\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application
 
I wonder if you got reinfected...

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Uniblue
    C:\WINDOWS\system32\123.js 
    C:\WINDOWS\system32\12543.js
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

====================================================================

Update MBAM, run it and post fresh log.
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\Uniblue\System Tweaker\Dependencies folder moved successfully.
C:\Program Files\Uniblue\System Tweaker folder moved successfully.
C:\Program Files\Uniblue\SpeedUpMyPC\ErrorLogs folder moved successfully.
C:\Program Files\Uniblue\SpeedUpMyPC folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\xt\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\xt folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\xs\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\xs folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\tr\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\tr folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\se\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\se folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\ru\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\ru folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\pt\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\pt folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\pl\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\pl folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\no\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\no folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\nl\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\nl folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\jp\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\jp folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\it\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\it folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\gr\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\gr folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\fr\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\fr folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\fi\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\fi folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\es\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\es folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\en\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\en folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\dk\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\dk folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\de\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\de folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\br\LC_MESSAGES folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale\br folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster\locale folder moved successfully.
C:\Program Files\Uniblue\RegistryBooster folder moved successfully.
C:\Program Files\Uniblue folder moved successfully.
C:\WINDOWS\system32\123.js moved successfully.
C:\WINDOWS\system32\12543.js moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: USER
->Temp folder emptied: 381914 bytes
->Temporary Internet Files folder emptied: 37368312 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 3666657 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1310 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49635 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1741 bytes

Total Files Cleaned = 40.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: USER
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03152011_132841

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFABF3.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.Word\~WRF{4ADD451D-C5FD-4547-9ED0-EBEF8B271FF2}.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.Word\~WRS{5A86611A-0717-4970-8A8E-361B45791903}.tmp not found!
C:\windows\temp\hlktmp moved successfully.
File\Folder C:\windows\temp\Perflib_Perfdata_578.dat not found!

Registry entries deleted on Reboot...


.....updated mbam and ran....


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6067

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/15/2011 1:40:31 PM
mbam-log-2011-03-15 (13-40-31).txt

Scan type: Quick scan
Objects scanned: 169946
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Your help thus far has been immense, thank you for sticking it out with me. Internet working without rkill, but Java still crashing after restart; IE slow to open, but once open it seems to work normally. Firefox now updated, as well as Adobe Reader. Other than a screen shot, I'm not sure how to get a report on Java for you.
 
You're very welcome :)

It looks like you got reinfected with WhiteSmoke crap.
We'll need to re-run some scans.

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.
 
Application Version : 4.34.1000

Core Rules Database Version : 6599
Trace Rules Database Version: 4411

Scan type : Complete Scan
Total Scan Time : 01:09:29

Memory items scanned : 266
Memory threats detected : 0
Registry items scanned : 8913
Registry threats detected : 0
File items scanned : 138926
File threats detected : 15

Trojan.Agent/Gen-Downloader[FakeSoft]
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ITLNFW32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP648\A0113260.DLL

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP626\A0092716.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0096221.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0096222.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0096223.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0096224.EXE

Trojan.Agent/Gen-FakeSecurity
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP639\A0093940.EXE

Trojan.Agent/Gen-Exploit
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0100097.EXE

Trojan.Agent/Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104182.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104183.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104184.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104185.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104186.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP647\A0104187.EXE


so far no java crash
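The helper's "reinfected?" call after the ESET log, and the reading of the SUPERAntiSpyware log above, both come down to where each hit sits: copies inside System Restore snapshots, the ComboFix quarantine or OTL's MovedFiles tree cannot execute, while C:\WINDOWS\system32\123.js and the Uniblue install were live. As an added example (not a tool from this thread, nor from ESET or SUPERAntiSpyware), the Python below parses both log styles posted here, separates live hits from dormant ones, and derives the same OTL ":Files" targets the helper wrote. The list of dormant locations and the folder-collapsing heuristic are assumptions of the example, and the embedded log text is an excerpt of the results posted above.

```python
"""Triage scanner-log hits: live files vs. inert copies (restore points, quarantine)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: anything under these trees is a dormant copy. Restore-point and quarantine
# files cannot run unless deliberately restored, so they do not prove reinfection.
INERT_PREFIXES = (
    r"c:\system volume information\_restore",  # System Restore snapshot
    r"c:\qoobox\quarantine",                    # ComboFix quarantine
    r"c:\_otl\movedfiles",                      # files OTL already moved
)

# ESET online scanner: "<path> <detection name> <type>" on one line.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+"
    r"(?P<det>(?:(?:probably )?a variant of )?[\w./-]+ (?:trojan|application|adware|worm|virus))$"
)
# SUPERAntiSpyware: a bare category line followed by one path per line.
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Excerpts of the ESET and SUPERAntiSpyware results posted in this thread.
ESET_LOG = r"""
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP639\A0093940.exe a variant of Win32/Kryptik.LJM trojan
C:\System Volume Information\_restore{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP646\A0100028.dll probably a variant of Win32/Wimpixo.AA trojan
C:\WINDOWS\system32\123.js JS/TrojanDownloader.Agent.NWG trojan
C:\WINDOWS\system32\12543.js JS/TrojanDownloader.Agent.NWG trojan
C:\_OTL\MovedFiles\03142011_232951\C_Documents and Settings\USER\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application
"""
SAS_LOG = r"""
Trojan.Agent/Gen-Downloader[FakeSoft]
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ITLNFW32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP648\A0113260.DLL

Trojan.Agent/Gen-FakeSecurity
C:\SYSTEM VOLUME INFORMATION\_RESTORE{705E4833-3F8F-4187-B8DB-4E08FECCEBE8}\RP639\A0093940.EXE
"""


@dataclass(frozen=True)
class Hit:
    path: str
    detection: str

    @property
    def inert(self) -> bool:
        return self.path.lower().startswith(INERT_PREFIXES)


def parse_hits(log_text: str) -> list[Hit]:
    """Handle both formats; a non-path line in SAS output names the category that follows."""
    hits: list[Hit] = []
    category = "unknown"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if m:
            hits.append(Hit(m["path"], m["det"]))
        elif WIN_PATH.match(line):
            hits.append(Hit(line, category))
        else:
            category = line
    return hits


def triage(log_text: str) -> dict[str, list[Hit]]:
    """Split hits into those that can still run and those parked in dormant locations."""
    hits = parse_hits(log_text)
    return {"live": [h for h in hits if not h.inert], "inert": [h for h in hits if h.inert]}


def otl_files_section(live: list[Hit]) -> list[str]:
    """Collapse live hits into OTL ':Files' targets.

    Heuristic (an assumption of this example, not an OTL rule): hits under the same
    'C:\\Program Files\\<Vendor>' tree become one folder entry so the whole PUP install
    goes; anything else is listed file by file, in first-seen order, without duplicates.
    """
    targets: list[str] = []
    for h in live:
        parts = PureWindowsPath(h.path).parts  # ('C:\\', 'Program Files', 'Uniblue', ...)
        if len(parts) > 3 and parts[1].lower() == "program files":
            target = str(PureWindowsPath(parts[0], parts[1], parts[2]))
        else:
            target = h.path
        if target not in targets:
            targets.append(target)
    return targets


if __name__ == "__main__":
    for name, log in (("ESET", ESET_LOG), ("SUPERAntiSpyware", SAS_LOG)):
        result = triage(log)
        print(f"{name}: {len(result['live'])} live, {len(result['inert'])} inert")
        for h in result["live"]:
            print("  LIVE ", h.path, "->", h.detection)
    print("OTL :Files targets:", *otl_files_section(triage(ESET_LOG)["live"]), sep="\n  ")
```

Run as-is it reports four live ESET hits (two Uniblue executables and the two .js downloaders in system32) against three dormant ones, and no live hits at all in the SUPERAntiSpyware excerpt, which is why that later log is not evidence of a fresh infection. A real log would be read from a file instead of the embedded excerpt.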
 
Spoke too soon, Java crash.

The Microsoft technical link said a newer version would correct the problem; followed the link and clicked download, only to find that I have the newest version. Very odd.


Event errors.
Not sure if they help, but it cannot hurt to post them for your observation...

Faulting application jusched.exe, version 2.0.3.1, faulting module user32.dll, version 5.1.2600.5512, fault address 0x000187f1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And........

Fault bucket -1980725657.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
ComboFix 11-03-15.01 - removed 03/15/2011 17:39:12.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2998 [GMT -4:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 13:50 . 2011-03-15 13:50 -------- d-----w- c:\program files\Common Files\Java
2011-03-15 13:49 . 2011-03-15 13:49 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-15 13:49 . 2011-03-15 13:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 03:46 . 2011-03-15 03:46 -------- d-----w- c:\program files\ESET
2011-03-15 03:29 . 2011-03-15 03:29 -------- d-----w- C:\_OTL
2011-03-13 17:37 . 2011-03-13 17:37 -------- d-----w- c:\documents and settings\USER\Application Data\Avira
2011-03-13 17:28 . 2011-01-10 18:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-13 17:28 . 2011-01-10 18:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-13 17:28 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-13 17:28 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-13 17:28 . 2011-03-13 17:28 -------- d-----w- c:\program files\Avira
2011-03-13 17:28 . 2011-03-13 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-03-13 06:14 . 2011-03-13 06:14 -------- d-----w- c:\program files\Yontoo Layers Client
2011-03-02 03:13 . 2011-03-02 03:16 -------- d-----w- c:\program files\InterActual
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 13:49 . 2009-12-20 13:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-09 13:53 . 2007-07-27 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2007-07-27 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-02-14 16:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-02-14 16:25 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2007-07-27 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2007-07-27 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2007-07-27 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2007-07-27 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2007-07-27 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2008-08-13 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-08-13 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2007-07-27 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2007-07-27 12:00 385024 ----a-w- c:\windows\system32\html.iec
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-14_04.29.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-15 21:26 . 2011-03-15 21:26 16384 c:\windows\temp\Perflib_Perfdata_55c.dat
+ 2010-11-10 16:49 . 2010-11-10 16:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2011-03-15 13:49 . 2011-03-15 13:49 157472 c:\windows\system32\javaws.exe
- 2010-01-28 00:33 . 2009-12-17 22:14 145184 c:\windows\system32\javaw.exe
+ 2011-03-15 13:49 . 2011-03-15 13:49 145184 c:\windows\system32\javaw.exe
+ 2011-03-15 13:49 . 2011-03-15 13:49 145184 c:\windows\system32\java.exe
- 2010-01-28 00:33 . 2009-12-17 22:14 145184 c:\windows\system32\java.exe
+ 2010-02-07 15:11 . 2011-03-15 21:26 226243 c:\windows\system32\inetsrv\MetaBase.bin
+ 2011-03-15 13:50 . 2011-03-15 13:50 180224 c:\windows\Installer\195eb2.msi
+ 2011-03-15 13:49 . 2011-03-15 13:49 675840 c:\windows\Installer\195ea4.msi
+ 2011-03-15 14:59 . 2011-03-15 14:59 814080 c:\windows\Installer\1171a8.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-03-15 13:59 . 2011-03-15 13:59 2283008 c:\windows\Installer\19607c.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\19607d.msp
+ 2010-11-10 16:49 . 2010-11-10 16:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto Admin Utility.lnk]
backup=c:\windows\pss\Auto Admin Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Transaction Manager.lnk]
backup=c:\windows\pss\Transaction Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\USER\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\USER\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Core Temp]
2010-07-29 04:46 437264 ----a-w- c:\program files\Core Temp\Core Temp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-01-12 13:54 669520 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Artisan 810 Series]
2009-02-23 05:00 199680 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFRA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
2009-02-06 05:00 843776 ------w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2009-03-14 17:26 222496 -c--a-w- c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 20:43 6061400 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 17:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 04:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 00:25 81920 -c--a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-28 04:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-28 04:03 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2011-01-02 00:49 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-20 07:38 16384512 ------r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 20:15 13351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 20:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-18 23:24 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"lxdc_device"=2 (0x2)
"LexBceS"=2 (0x2)
"avg8wd"=2 (0x2)
"iPod Service"=3 (0x3)
"Imapi Helper"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"prfldsvc"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"NMSAccessU"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MSSQLServerOLAPService"=2 (0x2)
"MsDtsServer"=2 (0x2)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"hasplms"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EPSON_PM_RPCV4_01"=2 (0x2)
"EPSON_EB_RPCV4_01"=2 (0x2)
"BrlAPI"=3 (0x3)
"Application Updater"=2 (0x2)
"AdobeActiveFileMonitor7.0"=2 (0x2)
"gupdate"=2 (0x2)
"Ventrilo"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_17\\bin\\java.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Documents and Settings\\USER\\Local Settings\\Apps\\2.0\\8P08BJ7T.7N1\\19XQOW2Q.681\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1947:UDP"= 1947:UDP:HASP SRM
"56746:TCP"= 56746:TCP:pando Media Booster
"56746:UDP"= 56746:UDP:pando Media Booster
"1301:TCP"= 1301:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/27/2007 8:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/13/2011 1:28 PM 135336]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [4/21/2006 8:22 AM 70912]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/27/2007 8:00 AM 14336]
S3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [5/22/2008 2:04 PM 82432]
S3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [5/22/2008 2:02 PM 119808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [11/11/2009 11:12 PM 100048]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [10/20/2008 7:41 PM 31824]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/18/2010 8:31 PM 135664]
S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S4 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/27/2009 4:26 AM 202584]
S4 MSSQL$ALLDATASC;SQL Server (ALLDATASC);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 4:27 AM 29262680]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 7:17 AM 2805000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 16:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-884357618-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-884357618-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: CabBuilder
DPF: {FC686D83-E465-46AE-A315-7D1BD14F8163} - hxxp://www.groupboard.com/groupconf/groupconf.cab
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\tsah6skg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-System Tweaker_is1 - c:\program files\Uniblue\System Tweaker\unins000.exe
AddRemove-{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1 - c:\program files\Uniblue\RegistryBooster\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 17:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-15 17:46:16
ComboFix-quarantined-files.txt 2011-03-15 21:46
ComboFix2.txt 2011-03-14 05:49
ComboFix3.txt 2011-03-14 04:31
ComboFix4.txt 2011-03-14 04:08
.
Pre-Run: 109,118,611,456 bytes free
Post-Run: 109,133,742,080 bytes free
.
- - End Of File - - C4BA86C2BB47C25DA0F26C227DC3377E
 
I will browse around and see what happens. Maybe I can get this mbr fixed and those toolbars out now too. Thanks for the help. Will report back with what happens.
 
So far so good, I have been bouncing around the internet like a jumping bean and no pop ups or redirects. Thank you very much for your hard work and direction.
As for the MBR, when I reload I get invalid boot.ini error, I suspect that is why recovery console will not install (not that I have a clue, only a guess). Not looking forward to fixing it either, took weeks to get it right in the first place (read many forums) and don’t have my notes anymore. I run a dual-boot system Windows /Solaris OS trying to teach myself both systems.
As for toolbars, I don’t use them. Noticed there were some in the scans made during the repair and while Facebook is a site I use, MySpace is not, how did it creep in lol?
I run maintenance and restart my computer every Saturday morning so this bug has had a week to do its damage, no telling what has been added. Not happy with Uniblue either, it seems to be repairing/replacing missing links in registry rather than removing the counterparts.
Seem to be getting long winded, if you have any recommendations I am all ears.

Thanks again.
 
Regarding boot.ini....

Click Start, click Run, type sysdm.cpl, and then click OK.
On the Advanced tab, click Settings under Startup and Recovery.
Under System Startup, click Edit. This will open boot.ini file in Notepad.
Copy all content, and post it in your next reply.

======================================================================

Uniblue....
Registry cleaners/optimizers are not recommended for several reasons:

  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


=======================================================================

Toolbars...
Most of them can be uninstalled through Add\Remove.
Let me know, if you have any stubborn one.
 
Thank you for the reply, at this time I am only interested in fixing the boot record on the windows drive. As for the dual boot, I will resort to booting Solaris from bios when necessary. Tool bars are gone now as are the MySpace references.
The following (per your instructions) is very wordy but I am sure you can make sense of it.


[boot loader]
timeout=30
 
Open boot.ini again and edit it, so it looks like this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

Go File>Save

Restart computer.
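The boot.ini repair above (opened via sysdm.cpl, then edited) amounts to restoring the missing default= line and the [operating systems] section. As an added example, not from the thread, ComboFix or Microsoft, this Python script parses a boot.ini the way NTLDR reads it and reports exactly those defects; the two inputs are constructed here from the truncated file the poster pasted and the repaired one (with the XP Professional label from the later reply).

```python
"""Validate a Windows XP boot.ini for the defects corrected in the thread above.
Added example (not from the thread, ComboFix or Microsoft); inputs are constructed."""
import re

# Constructed input: the truncated boot.ini the poster pasted from sysdm.cpl
TRUNCATED_BOOT_INI = """[boot loader]
timeout=30
"""

# Constructed input: the repaired file, with the XP Professional label
REPAIRED_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect
"""

# ARC path syntax NTLDR expects, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_PATH = re.compile(r'^(multi|scsi|signature)\(\w+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^"\s=]+$', re.I)


def parse_boot_ini(text):
    """Return {section_name: [(key, value), ...]} in file order; keys keep their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                                # blank line or comment
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition('=')   # first '=' splits path from label
            sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def check_boot_ini(text):
    """Return a list of problems; an empty list means NTLDR has what it needs."""
    problems = []
    sections = parse_boot_ini(text)
    loader = dict(sections.get('boot loader', []))
    systems = sections.get('operating systems') or []
    if 'boot loader' not in sections:
        problems.append('missing [boot loader] section')
    default = loader.get('default')
    if not default:
        problems.append('missing default= in [boot loader]')
    elif not ARC_PATH.match(default):
        problems.append(f'default= is not an ARC path: {default}')
    if not systems:
        problems.append('missing or empty [operating systems] section')
    for path, label in systems:
        if not ARC_PATH.match(path):
            problems.append(f'entry is not an ARC path: {path}')
        if not label or not label.startswith('"'):
            problems.append(f'entry lacks a quoted description: {path}')
    if default and systems and default not in [p for p, _ in systems]:
        problems.append('default= does not match any [operating systems] entry')
    return problems
```

Running check_boot_ini on the truncated file reports both missing pieces; on the repaired file it reports nothing, and a default= that points at a partition not listed under [operating systems] is flagged as well.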
 
Windows XP Home Edition?? I have Windows XP Professional Version 2002 Service Pack 3 will that make a difference? Sorry late to reply, very busy week this week.
 
That wording is not crucial, just info, but you can edit it so it says:
"Microsoft Windows XP Professional Edition" /fastdetect
 
WOW... if I weren’t so old I would want to be like you when I grew up. If I knew half what you know, I would likely not be scared of this, http://multiboot.solaris-x86.org, to the point of taking notes on everything as I read it. However, I am considering Ranish Partition Manager this time. But I am sure that is another thread. Thank you very much for all your help in this, you have been remarkable.
 
You're very welcome


Good luck and stay safe :)
 