TechSpot

[Solved] Google redirects, crazy mouse

By Whale
Aug 3, 2010
  1. Hi guys. Thanks for providing this forum.

    I have already done some of the things that you are not supposed to do before I found this thread. I tried a system restore but the restoration could not be completed. I also downloaded some registry cleaning software, but they were trial versions and didn't do much. Also, I had already downloaded MalwareBytes about two weeks ago and it got rid of a fake AntiVir program. If you want I can post the logs from the other times I ran the program. But I ran it again today in the recommended order.

    --I ran my AVG Anti-virus free program, a full scan, and nothing came up.

    --I ran TFC

    --Next I ran GMER

    --Then DDS

    When I start my computer, after running MalwareBytes the first time, I get a message saying I am missing two .dll files.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4383

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/2/2010 9:59:05 PM
    mbam-log-2010-08-02 (21-59-05).txt

    Scan type: Quick scan
    Objects scanned: 132570
    Time elapsed: 6 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    ==========================================================
    ==========================================================


    I have attached the DDS files below, as that's what the instructions on the log told me to do.


    Thank you for your time and expertise!!

    I should also mention that I use Firefox, but have IE and Chrome installed. When I try to use them they won't connect to the internet. This is keeping me from getting the recommended update listed in the main thread.
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Welcome aboard

    GMER log is missing.
     
  3. Whale

    Whale TS Rookie Topic Starter Posts: 17

    Ah, crud. Sorry about that. It's attached below. Thanks. :)
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Looks normal :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Whale

    Whale TS Rookie Topic Starter Posts: 17

    My mouse has stopped acting crazy, but as of last night I was still getting Google redirects. Only one, though. I haven't seen anything since running Combofix.



    ComboFix 10-08-03.04 - Owner 08/04/2010 11:27:06.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.618 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Local Settings\Application Data\{4F34ED36-0503-4988-A0E0-ADD8CD0D1390}
    c:\documents and settings\Owner\Local Settings\Application Data\{4F34ED36-0503-4988-A0E0-ADD8CD0D1390}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{4F34ED36-0503-4988-A0E0-ADD8CD0D1390}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{4F34ED36-0503-4988-A0E0-ADD8CD0D1390}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{4F34ED36-0503-4988-A0E0-ADD8CD0D1390}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
    .

    2010-08-04 14:59 . 2010-08-04 14:59 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-08-04 14:59 . 2010-08-04 14:55 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-08-04 14:59 . 2010-07-07 18:30 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-08-04 14:59 . 2009-10-14 15:19 529171 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
    2010-08-04 14:59 . 2009-10-14 15:19 529171 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
    2010-08-04 14:59 . 2010-08-04 14:59 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-08-04 14:59 . 2010-08-04 14:59 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
    2010-08-04 14:58 . 2010-08-04 14:58 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
    2010-08-04 14:58 . 2010-08-04 14:58 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
    2010-08-04 14:57 . 2010-08-04 14:57 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-08-04 14:56 . 2010-08-04 14:56 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-08-04 14:56 . 2010-08-04 14:56 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-08-04 00:28 . 2010-08-04 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-08-02 20:47 . 2010-08-02 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Grisoft
    2010-08-02 20:46 . 2007-05-30 12:10 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
    2010-08-02 20:46 . 2010-08-02 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
    2010-08-02 00:06 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-29 19:06 . 2010-07-29 19:06 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-07-29 19:06 . 2010-07-29 19:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-07-29 19:06 . 2010-07-29 19:06 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-07-28 00:00 . 2010-08-02 20:15 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-07-28 00:00 . 2010-08-02 19:15 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-27 23:55 . 2010-07-27 23:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-07-27 23:47 . 2010-08-02 20:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-27 23:32 . 2010-07-28 00:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\pkupqekyk
    2010-07-16 18:04 . 2010-08-03 00:16 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
    2010-07-14 15:09 . 2010-07-14 15:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-14 14:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-14 14:54 . 2010-07-14 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-14 14:54 . 2010-07-14 14:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-14 14:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-13 20:48 . 2010-07-14 16:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\usgvmocie
    2010-07-13 20:43 . 2010-07-13 20:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-07-13 20:38 . 2010-07-13 20:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-07-12 23:57 . 2010-07-12 23:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-11 18:47 . 2010-07-10 19:59 2068320 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2010-07-11 18:47 . 2010-07-10 19:59 2722656 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
    2010-07-11 18:47 . 2010-07-10 19:59 3537760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
    2010-07-11 18:47 . 2010-07-10 19:59 2048352 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
    2010-07-11 18:45 . 2010-07-10 19:58 1146208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
    2010-07-09 21:32 . 2010-07-10 19:55 0 ----a-w- c:\windows\Eyedivehada.bin
    2010-07-09 21:32 . 2010-07-12 19:20 0 ----a-w- c:\windows\Xnumeteco.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-04 15:10 . 2009-05-25 20:14 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-08-04 15:06 . 2009-10-14 15:23 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
    2010-08-04 14:59 . 2009-10-14 15:18 -------- d-----w- c:\program files\DivX
    2010-08-04 14:59 . 2009-10-14 15:18 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-08-03 21:37 . 2009-11-03 15:25 -------- d-----w- c:\program files\JDownloader
    2010-08-03 15:52 . 2009-05-21 16:51 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-02 23:56 . 2009-11-02 00:05 -------- d-----w- c:\program files\uTorrent
    2010-08-02 21:20 . 2009-11-02 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2010-08-02 19:16 . 2009-06-09 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-08-01 22:13 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2010-07-29 19:06 . 2010-07-29 19:06 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
    2010-07-29 19:06 . 2010-07-29 19:06 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
    2010-07-29 19:06 . 2010-07-29 19:06 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
    2010-07-21 13:27 . 2009-05-20 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-07-06 22:35 . 2010-03-21 15:24 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
    2010-07-06 15:36 . 2010-02-02 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\PrimoPDF
    2010-06-14 14:31 . 2003-12-02 06:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-09 23:01 . 2009-10-14 15:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2009-10-14 15:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2009-10-14 15:19 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2009-10-14 15:19 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2009-10-14 15:19 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2009-10-14 15:19 123888 ------w- c:\windows\system32\pxcpyi64.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-21 198160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-28 13:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
    2003-05-12 20:02 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2005-06-22 03:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-06-22 03:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 18:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-05-21 00:01 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 6:13 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:13 PM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 9:06 AM 297752]
    S2 gupdate1ca4ce1aeab4299;Google Update Service (gupdate1ca4ce1aeab4299);c:\program files\Google\Update\GoogleUpdate.exe [10/14/2009 11:19 AM 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 15:19]

    2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 15:19]

    2010-08-04 c:\windows\Tasks\Install_NSS.job
    - c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=15179&l=dis
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\
    FF - prefs.js: browser.startup.homepage - igoogle.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Vyezumecaha - c:\windows\netvabd.dll
    HKLM-Run-Dlihunepu - c:\windows\axenifusizebaz.dll
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-klmdb.sys
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-04 11:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-08-04 11:34:27
    ComboFix-quarantined-files.txt 2010-08-04 15:34

    Pre-Run: 72,557,563,904 bytes free
    Post-Run: 72,528,334,848 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 9518EFC30AA50A5241B483AC2EB3B4AC
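Added example (not part of this thread, of ComboFix or of TechSpot): a short Python script that applies, mechanically, the reading Broni does by eye on the log above. The interesting lines are the ones his later CFScript removes: a ProxyServer value pointing at 127.0.0.1:5643, which forces every browser request through a program listening on the local machine (and explains both the redirects and why IE and Chrome stopped connecting once that program was gone, while Firefox with its own proxy settings kept working), two orphaned Run values loading DLLs dropped straight into c:\windows, two zero-byte files with random names in the same place, and an all-lowercase random folder under Local Settings\Application Data. The line shapes the regexes expect are taken from the posted log, not from any ComboFix documentation, and the sample input is constructed from lines copied from that log plus two legitimate entries for contrast; the rule ids, severities and the lowercase-folder heuristic are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: lines copied from the ComboFix log posted above,
# plus one legitimate file entry and one legitimate Run value for contrast.
SAMPLE_LOG = r"""
2010-07-27 23:32 . 2010-07-28 00:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\pkupqekyk
2010-07-14 15:09 . 2010-07-14 15:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-09 21:32 . 2010-07-10 19:55 0 ----a-w- c:\windows\Eyedivehada.bin
2010-07-09 21:32 . 2010-07-12 19:20 0 ----a-w- c:\windows\Xnumeteco.dat
2010-08-02 20:46 . 2007-05-30 12:10 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
uStart Page = hxxp://www.ask.com?o=15179&l=dis
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
HKCU-Run-Vyezumecaha - c:\windows\netvabd.dll
HKLM-Run-Dlihunepu - c:\windows\axenifusizebaz.dll
"""


@dataclass
class Finding:
    rule: str       # short rule id (my own naming)
    severity: str   # "high", "medium" or "low"
    line: str       # the log line that triggered the rule
    note: str       # why a reviewer should care


# Line shapes as they appear in the log above (assumed stable; not documented by ComboFix).
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
ORPHAN_RUN_RE = re.compile(r"^(?P<hive>HK(?:CU|LM))-Run-(?P<name>\S+) - (?P<path>.+)$", re.I)
# A path directly inside the Windows root, e.g. c:\windows\foo.dll (no deeper folder).
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.I)
# A folder directly under a profile's Local Settings\Application Data.
LOCAL_APPDATA_DIR_RE = re.compile(r"\\Local Settings\\Application Data\\(?P<name>[^\\]+)$", re.I)


def triage_combofix_log(text: str) -> List[Finding]:
    """Return the lines of a ComboFix log that match the indicators seen in this thread."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Browser proxy pointing back at the machine itself.
        m = PROXY_RE.search(line)
        if m and (m.group("host").startswith("127.") or m.group("host").lower() == "localhost"):
            findings.append(Finding("loopback-proxy", "high", line,
                f"browser traffic is forced through a local listener on port {m.group('port')}"))
            continue

        # 2. Orphaned Run value that loaded a DLL dropped straight into the Windows root.
        m = ORPHAN_RUN_RE.match(line)
        if m and WINDOWS_ROOT_RE.match(m.group("path")) and m.group("path").lower().endswith(".dll"):
            findings.append(Finding("orphan-run-windows-root", "high", line,
                f"{m.group('hive')} Run value '{m.group('name')}' pointed at a DLL in the Windows root"))
            continue

        # 3./4. File-creation entries.
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if m.group("size") == "0" and WINDOWS_ROOT_RE.match(path):
            findings.append(Finding("zero-byte-windows-root", "medium", line,
                "zero-byte file with a random-looking name in the Windows root"))
        d = LOCAL_APPDATA_DIR_RE.search(path)
        if m.group("attrs").startswith("d") and d and re.fullmatch(r"[a-z]{8,}", d.group("name")):
            findings.append(Finding("lowercase-appdata-dir", "low", line,
                "heuristic: vendor folders are normally capitalised; an all-lowercase random name is worth a look"))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule id, handy for a quick summary."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage_combofix_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:24} {f.note}\n         {f.line}")
    print(rule_counts(triage_combofix_log(SAMPLE_LOG)))
```

Run it against any full ComboFix log saved as text; it only reads the file, so it is safe to use on a log copied off a suspect machine. The heuristics are deliberately narrow (root of c:\windows, loopback proxy) so that the legitimate AVG, DivX and Java entries in the same log produce no noise.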
     
  6. Whale

    Whale TS Rookie Topic Starter Posts: 17

    Crazy mouse is back :( but no redirects today.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Please, define "crazy". What is happening with your mouse?

    I'm glad to see redirection issue being gone :)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Eyedivehada.bin
    c:\windows\Xnumeteco.dat
    
    
    Folder::
    c:\documents and settings\Owner\Local Settings\Application Data\pkupqekyk
    c:\documents and settings\LocalService\Local Settings\Application Data\usgvmocie
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    
    Driver::
    
    Registry::
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  8. Whale

    Whale TS Rookie Topic Starter Posts: 17

    By crazy I mean that the cursor arrow will start jumping wildly to the top of the screen, and will cause the scroll function to go up and down. Clicking on anything is (almost) impossible. When this happens the light on my keyboard will flash. It may be a hardware problem, but it started when I noticed the redirects.
     

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    I misread your previous reply:
    That's good :)
    Any sign of redirection, or any other problems?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. Whale

    Whale TS Rookie Topic Starter Posts: 17

    Broni, everything is working now. Thanks a ton. Insane amount of appreciation to you and your great work!!
     
  11. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    I'm glad to hear good news, but we need to complete all cleaning process steps.
    Please, continue....
     
     
  12. Whale

    Whale TS Rookie Topic Starter Posts: 17

    I bought a new mouse today to see if it was a hardware problem. So far everything seems to be working normally. The logs are too big for me to post them in my reply so I have attached them. Thanks again.
     

    Attached Files:

  13. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Great :)

    Are you still using Registry Mechanic by any chance?

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      PRC - [2007/05/30 08:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      SRV - [2007/05/30 08:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) [Auto | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard)
      DRV - [2007/05/30 08:10:42 | 000,011,000 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys -- (AVG Anti-Spyware Driver)
      DRV - [2007/05/30 08:10:42 | 000,010,872 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvgAsCln.sys -- (AvgAsCln)
      O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
      [2010/08/02 16:47:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Grisoft
      [2010/08/02 16:46:58 | 000,010,872 | ---- | C] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\drivers\AvgAsCln.sys
      [2010/08/02 16:46:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Grisoft
      [2010/08/02 16:46:52 | 000,000,000 | ---D | C] -- C:\Program Files\Grisoft
      @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
      @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\Grisoft
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  14. Whale

    Whale TS Rookie Topic Starter Posts: 17

    All processes killed
    ========== OTL ==========
    No active process named guard.exe was found!
    Error: Unable to stop service AVG Anti-Spyware Guard!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Guard deleted successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe moved successfully.
    Error: Unable to stop service AVG Anti-Spyware Driver!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Driver deleted successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys moved successfully.
    Service AvgAsCln stopped successfully!
    Service AvgAsCln deleted successfully!
    C:\WINDOWS\system32\drivers\AvgAsCln.sys moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\ deleted successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll moved successfully.
    C:\Documents and Settings\Owner\Application Data\Grisoft\AVG Antispyware 7.5\Reports folder moved successfully.
    C:\Documents and Settings\Owner\Application Data\Grisoft\AVG Antispyware 7.5\quarantine folder moved successfully.
    C:\Documents and Settings\Owner\Application Data\Grisoft\AVG Antispyware 7.5 folder moved successfully.
    C:\Documents and Settings\Owner\Application Data\Grisoft folder moved successfully.
    File C:\WINDOWS\System32\drivers\AvgAsCln.sys not found.
    C:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Grisoft folder moved successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Translations folder moved successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Signatures folder moved successfully.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5 folder moved successfully.
    C:\Program Files\Grisoft folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\Program Files\Grisoft not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Owner
    ->Temp folder emptied: 2198976 bytes
    ->Temporary Internet Files folder emptied: 976347 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 35971768 bytes
    ->Google Chrome cache emptied: 856432 bytes
    ->Flash cache emptied: 5470 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 49152 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 508264334 bytes

    Total Files Cleaned = 523.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Owner
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08072010_015928

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  15. Whale

    Whale TS Rookie Topic Starter Posts: 17

    OTL logfile created on: 8/7/2010 2:15:45 AM - Run 2
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 643.00 Mb Available Physical Memory | 63.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.04 Gb Total Space | 70.40 Gb Free Space | 47.24% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: OWNER-B4E78E752
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/08/06 23:35:39 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
    PRC - [2010/07/11 14:46:42 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
    PRC - [2010/06/02 20:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2009/08/28 09:06:30 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
    PRC - [2009/08/28 09:06:26 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
    PRC - [2009/08/28 09:06:15 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
    PRC - [2009/05/20 20:01:32 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/08/06 23:35:39 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
    MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Blaze Media Pro\NMSAccess32.exe -- (NMSAccess)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2009/08/28 09:06:15 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2009/08/28 09:06:30 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
    DRV - [2009/08/28 09:06:29 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
    DRV - [2009/05/20 18:13:38 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
    DRV - [2006/03/01 20:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
    DRV - [2005/05/06 14:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
    DRV - [2005/05/06 14:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
    DRV - [2005/05/06 14:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
    DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2003/06/30 18:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 8B 30 B0 7F 35 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "igoogle.com"
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

    FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/22 10:54:49 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/03 10:49:18 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/04 13:02:58 | 000,000,000 | ---D | M]

    [2009/05/20 18:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2009/12/06 01:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\extensions
    [2009/09/01 09:33:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/12/06 01:08:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    [2009/11/02 17:04:44 | 000,002,254 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\searchplugins\askcom.xml
    [2010/08/04 13:03:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/08/04 13:03:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2010/08/05 13:57:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2003/12/02 02:26:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/08/07 01:59:28 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/08/06 23:34:26 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/08/06 01:57:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/08/04 13:03:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/08/04 13:03:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/08/04 12:58:14 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/08/04 12:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\vlc
    [2010/08/04 11:25:56 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/08/04 11:20:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/08/03 20:28:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
    [2010/08/02 16:05:55 | 000,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
    [2010/07/29 15:06:35 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
    [2010/07/29 15:06:28 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
    [2010/07/29 15:06:22 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
    [2010/07/27 20:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
    [2010/07/27 20:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
    [2010/07/27 19:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/07/14 11:09:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    [2010/07/14 10:54:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/07/14 10:54:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/07/14 10:54:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/07/14 10:54:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/07/13 16:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
    [2010/07/13 16:43:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2010/07/13 16:37:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/07/13 16:37:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/07/12 19:57:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/07/10 18:47:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/07/10 18:12:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/07/10 18:12:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/09 23:56:08 | 000,000,000 | ---D | C] -- C:\4a3f492236976f9c87a1aa

    ========== Files - Modified Within 90 Days ==========

    [2010/08/07 02:10:24 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/08/07 02:10:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/08/07 02:10:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/08/07 02:06:43 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
    [2010/08/07 02:06:43 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
    [2010/08/07 01:59:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/08/06 23:27:55 | 004,306,270 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
    [2010/08/06 23:07:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/08/06 17:49:03 | 063,026,266 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2010/08/05 13:58:16 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/08/05 13:57:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/08/04 11:26:04 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/08/03 20:09:36 | 000,158,208 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/08/02 00:00:49 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/07/31 20:05:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/07/31 17:59:49 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/07/31 17:59:49 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/07/29 15:06:35 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
    [2010/07/29 15:06:29 | 000,007,387 | ---- | M] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
    [2010/07/29 15:06:28 | 000,218,592 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
    [2010/07/29 15:06:22 | 000,088,040 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
    [2010/07/29 15:06:22 | 000,007,383 | ---- | M] () -- C:\WINDOWS\System32\drivers\pctcore.cat
    [2010/07/29 15:06:19 | 000,007,412 | ---- | M] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
    [2010/06/24 09:52:35 | 000,492,248 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/24 09:52:35 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/24 09:52:35 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/10 11:32:28 | 000,115,768 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    ========== Files Created - No Company Name ==========

    [2010/08/04 11:26:04 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/08/04 11:25:59 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/07/29 15:06:29 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
    [2010/07/29 15:06:22 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
    [2010/07/29 15:06:19 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
    [2010/05/12 21:03:23 | 000,074,439 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\untitled.JPG
    [2009/12/09 17:54:52 | 000,000,251 | ---- | C] () -- C:\WINDOWS\dellstat.ini
    [2009/12/09 17:54:32 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
    [2009/12/09 17:54:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
    [2009/07/30 21:58:42 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
    [2009/07/23 17:54:55 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2009/05/20 15:25:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2003/01/07 11:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2009/06/09 11:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
    [2010/08/02 16:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/05/21 12:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2009/07/12 17:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.BitTornado
    [2009/06/09 12:01:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
    [2009/07/01 16:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canneverbe_Limited
    [2010/01/13 10:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
    [2009/07/15 00:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\play2p
    [2010/07/06 11:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PrimoPDF
    [2010/04/29 17:20:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\RipIt4Me
    [2010/08/02 17:20:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
    [2009/12/30 20:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\W Photo Studio Viewer

    ========== Purity Check ==========


    < End of report >
     
  16. Whale

    I ran registry mechanic before finding this board. It was a trial version and said it would only fix 22 out of supposedly hundreds of errors I had. I ran it once and deleted it. Haven't used it since.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Good :)

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  18. Whale

    Broni,

    I haven't done the last instructions because now when I restart my computer I get either a black screen with a blinking line, or a message saying I've had either a keyboard or mouse failure.

    I have to unplug the mouse in order for the computer to start normally, and sometimes the keyboard.
     
  19. Broni

    Are those USB devices?
    Do you have another mouse, keyboard to try?

    I'll be gone for the most of the day, so I'll check on you later.
     
  20. Whale

    The old mouse was NOT USB, but the new one is. The keyboard is NOT USB. I do not have any others to try.
     
  21. Broni

    Try your old mouse and see what happens.
     
  22. Whale

    I threw the old mouse away because it eventually stopped working altogether. I suppose I could dig it out of the trash?
     
  23. Broni

    Give it a shot, or...
    Try different USB port, borrow another mouse from a friend/family member....
     
  24. Whale

    Plugging into a different USB causes the computer to boot to a blank screen with a blinking line . . .
     
  25. Broni

    You have to borrow/buy PS/2 mouse, so you get to your computer somehow.
     
Topic Status:
Not open for further replies.
