Inactive Google redirect virus

lemika

Posts: 36   +0
Hello!
I have a Google redirect virus.
I have followed the instructions and here are the results. I hope you will be able to help me. This virus is killing me!

1.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8293

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/2/2011 6:05:28 PM
mbam-log-2011-12-02 (18-05-27).txt

Scan type: Quick scan
Objects scanned: 178463
Time elapsed: 21 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Saban\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
 
here is GMER

2.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-08 13:43:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75FRA0 rev.77.07W77
Running: g1tyw5o3.exe; Driver: C:\DOCUME~1\Saban\LOCALS~1\Temp\awtdrpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 822F4121
Thread System [4:412] 8214BB90

---- EOF - GMER 1.0.15 ----
 
dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Saban at 13:44:06 on 2011-12-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.250 [GMT -5:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\saban\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [<NO NAME>]
mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR1o5VzItTlFIWEMtUVRJUlctWVlKQlktUQ"&"inst=NzYtOTY4NzE2NjY4LVNUMTJPSSsxLUREVCsw"&"prod=92"&"ver=2012.0.1873"&"mid=16f4a4c63c3c47d1b752d145b75a3023-f7ea3a8800fd4d1b7344d3
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [2010-3-17 11264]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S0 cerc6;cerc6; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-12-02 22:35:36 -------- d-----w- c:\documents and settings\saban\application data\Malwarebytes
2011-12-02 22:34:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-02 22:34:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 22:34:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-02 19:35:54 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-29 18:00:09 -------- d-----w- c:\program files\iPod
2011-11-29 17:59:37 -------- d-----w- c:\program files\iTunes
2011-11-29 17:43:16 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-07 19:11:55 11264 ----a-w- c:\windows\DCEBoot.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 13:45:01.20 ===============
 
Welcome to TechSpot! I will tell you right up that Price Gong comes with a price of its own!

There is another log from DDS named Attach.txt. Please paste it in your next reply.
================================
There are quite a few entries to remove. We can do some of them with the following:

AVG will have to be temporarily uninstalled, as Combofix will not run with it:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=======================================
Please run the Eset online virus scan:

For Internet Explorer:> start here:
  • Open the ESETOnlineScan
    -------------
    Note: If you are using a browser other than Internet Explorer> start here:
  • Open Eset Smart Installer
  • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
  • Double click on the desktop icon to run.
  • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  • Continue with the directions.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/15/2009 6:35:00 PM
System Uptime: 12/8/2011 3:07:41 PM (19 hours ago)
.
Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 8.15 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Input Device
Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&1C660DD6&0&11F0
Manufacturer:
Name: PCI Input Device
PNP Device ID: PCI\VEN_1102&DEV_7004&SUBSYS_10031102&REV_00\4&1C660DD6&0&11F0
Service:
.
Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
Service:
.
==== System Restore Points ===================
.
RP351: 9/12/2011 10:35:31 AM - System Checkpoint
RP352: 9/13/2011 12:08:16 PM - System Checkpoint
RP353: 9/14/2011 5:08:08 PM - Software Distribution Service 3.0
RP354: 9/19/2011 9:27:20 AM - System Checkpoint
RP355: 9/20/2011 10:06:55 AM - System Checkpoint
RP356: 9/22/2011 9:12:28 AM - System Checkpoint
RP357: 9/23/2011 11:23:12 AM - System Checkpoint
RP358: 9/27/2011 9:12:37 AM - System Checkpoint
RP359: 9/28/2011 10:08:13 AM - System Checkpoint
RP360: 9/29/2011 3:00:25 AM - Software Distribution Service 3.0
RP361: 10/3/2011 9:27:38 AM - System Checkpoint
RP362: 10/4/2011 1:07:56 PM - System Checkpoint
RP363: 10/5/2011 1:14:11 PM - System Checkpoint
RP364: 10/6/2011 1:39:27 PM - System Checkpoint
RP365: 10/10/2011 12:00:18 PM - System Checkpoint
RP366: 10/12/2011 12:03:40 PM - System Checkpoint
RP367: 10/13/2011 1:15:35 PM - System Checkpoint
RP368: 10/13/2011 5:50:12 PM - Software Distribution Service 3.0
RP369: 10/18/2011 2:21:27 PM - System Checkpoint
RP370: 10/20/2011 11:03:09 AM - System Checkpoint
RP371: 10/24/2011 5:21:11 PM - System Checkpoint
RP372: 10/26/2011 3:27:39 PM - System Checkpoint
RP373: 10/28/2011 4:04:14 PM - System Checkpoint
RP374: 11/2/2011 11:35:13 AM - System Checkpoint
RP375: 11/4/2011 11:20:04 AM - System Checkpoint
RP376: 11/8/2011 11:24:00 AM - Installed AVG 2012
RP377: 11/8/2011 11:24:51 AM - Installed AVG 2012
RP378: 11/9/2011 5:15:20 PM - Software Distribution Service 3.0
RP379: 11/11/2011 3:27:38 PM - System Checkpoint
RP380: 11/11/2011 6:00:47 PM - Software Distribution Service 3.0
RP381: 11/14/2011 10:40:28 AM - System Checkpoint
RP382: 11/15/2011 5:59:14 PM - System Checkpoint
RP383: 11/16/2011 6:29:07 PM - System Checkpoint
RP384: 11/18/2011 11:15:38 AM - System Checkpoint
RP385: 11/21/2011 11:01:55 AM - System Checkpoint
RP386: 11/22/2011 12:23:27 PM - System Checkpoint
RP387: 11/24/2011 11:37:02 AM - System Checkpoint
RP388: 11/25/2011 6:19:38 PM - System Checkpoint
RP389: 11/26/2011 7:05:36 PM - System Checkpoint
RP390: 11/27/2011 8:05:31 PM - System Checkpoint
RP391: 11/29/2011 12:50:19 PM - Installed iTunes
RP392: 12/1/2011 6:00:00 PM - System Checkpoint
RP393: 12/5/2011 11:40:03 AM - System Checkpoint
RP394: 12/6/2011 3:40:09 PM - System Checkpoint
RP395: 12/8/2011 10:54:05 AM - System Checkpoint
RP396: 12/8/2011 1:40:38 PM - Removed AVG 2012
RP397: 12/8/2011 1:43:09 PM - Removed AVG 2012
RP398: 12/8/2011 2:03:50 PM - Installed AVG 2012
RP399: 12/8/2011 2:09:50 PM - Installed AVG 2012
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2012
BitTorrentBar Toolbar
Bonjour
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP LaserJet P1000 series
HPCarePackCore
HPCarePackProducts
hppMSRedist
hppusgP1000
HPSSupply
Intel(R) PRO Network Adapters and Drivers
iTunes
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MrvlUsgTracking
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser
PriceGong 1.5.0
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Click to Call
Skype™ 5.5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
12/8/2011 2:55:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
12/8/2011 2:55:56 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/6/2011 1:33:02 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
12/5/2011 12:47:30 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/5/2011 12:47:13 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/2/2011 6:10:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
12/2/2011 4:55:23 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 2 time(s).
12/2/2011 2:51:18 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
combofix

Hello! Thank you for helping me.
I have an issue with Combofix. It got stuck. I tried it twice. It finished 50 steps, then started deleting some files and got stuck. I have waited for 30 minutes each time. Maybe I have to be more patient, but this is my job computer, I have to work, and this program blocked everything. I will try to run it during the weekend and post you the result on Monday.
Thank you
 
combofix.exe

ComboFix 11-12-09.03 - Saban 12/09/2011 18:02:25.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT -5:00]
Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Saban\Application Data\PriceGong
c:\documents and settings\Saban\Application Data\PriceGong\Data\mru.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-29 18:00 . 2011-11-29 18:00 -------- d-----w- c:\program files\iPod
2011-11-29 17:59 . 2011-11-29 18:03 -------- d-----w- c:\program files\iTunes
2011-11-29 17:43 . 2011-11-29 17:43 -------- d-----w- c:\program files\Bonjour
2011-11-28 21:14 . 2011-11-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
S0 cerc6;cerc6; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-09 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
AddRemove-HP LaserJet P1000 series - c:\program files\Avago-HP\{615c3b97-30bf-4420-a56a-7550e81e62f4}\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-09 19:07:09
ComboFix-quarantined-files.txt 2011-12-10 00:06
.
Pre-Run: 12,923,858,944 bytes free
Post-Run: 14,961,184,768 bytes free
.
- - End Of File - - F8F342EA9EA219A56D6BFDA52B59BACF
 
esets

here is the last one

C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe a variant of Win32/Keygen.AI application
 
For the Eset entry:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :
    :Files 
    C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
The entry in Eset indicates you are using a keygen to pirate software.

Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
I would appreciate it if you would give me some information about the system problems you are having.
When you say 'Google redirect', do you mean that when you do a search using Google you are sent to a site other than what you chose?
Are there any other problems?
Are you still being redirected?
What did you do to get Combofix running? What does "stocked" mean?
You said Combofix did some deletions, but they don't show up in the log.
 
All processes killed
Error: Unable to interpret <:> in the current context!
========== FILES ==========
File/Folder C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 618910 bytes

User: Saban
->Temp folder emptied: 24154094 bytes
->Temporary Internet Files folder emptied: 124276149 bytes
->FireFox cache emptied: 84668221 bytes
->Google Chrome cache emptied: 13669210 bytes
->Flash cache emptied: 2874948 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 4198417 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1577193 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 247.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 12142011_151522

Files moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_228.dat moved successfully.

Registry entries deleted on Reboot...
 
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.HBAPNN
----- EOF -----
 
Hey! thank you for your help!
I still get the problem. Yes, it does send me to sites different from what I chose, and sometimes it even redirects me while checking my email, when I click on the website I got an email from.
And when I open Google it redirects me to google.lt or uk most of the time.

As for Combofix, I left it for the weekend. It just took longer than I thought it would. Here is the full report I got after the scan. I sent it to you before. Let me know if I need to rerun Combofix.

 
Sorry- my fault on OTM. It can't read the encoding.

Please uninstall the WinRar program and any associated files.
Then run Eset again.

Either the WinRar program has been pirated or some download using it. However, I don't understand how this scan can come up clean when it's a keygen file!
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.HBAPNN
----- EOF -----
 
C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR\??????? ???????????\Keygen_FFF\Keygen.exe a variant of Win32/Keygen.AI application

It gave me the same message.
 
You will need to manually remove the entry. The price of WinRAR is $29.00. Using a keygen for the license and/or key means that the program was pirated. Instead of paying for it, a torrent site was visited.

HackTool:Win32/Keygen is the detection for a tool that generates keys for illegally-obtained versions of various software products.

I don't see it in the list of installed programs but it is somewhere on the system:
C:\Documents and Settings\Saban\Desktop\Helen\Mus\WinRAR

Look for WinRar entries and any with keygen in them.
Account name is Saban. Location is the Desktop.
================================
Please rerun the following. Do not remove any of the content:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
Here you go

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.CWLBUI
----- EOF -----
 
Please update and rescan with the Eset Online Virus scan.

Did you locate the WinRar and keygen entries to remove?
 
Here you go. I reran it.

C:\System Volume Information\_restore{987B1B85-12D5-430C-923E-7A4B948FE860}\RP406\A0083724.exe a variant of Win32/Keygen.AI application

I have removed WinRAR.
 
Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
----------------------------------------
After running the App Remover to uninstall AVG, links to 2 free AV programs were left for you to choose which to install in the meantime. It appears you did not do that and have no AV on the system. Please go back to that reply and choose one of them.
======================================
redirect me when while checking my email I click on the website I got an email from.
This is unusual. You may have a configuration problem> the redirects usually happen when you've done a search and chosen one of the hits> but instead of getting the one you chose, you get some other site, frequently a 'search' site.
============================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::

ClearJavaCache::
DDS::
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it in your next reply.
====================
Please update Adobe Reader: visit this Adobe Reader site and get the current v10.xx. Uninstall any earlier updates as they are vulnerabilities.
=====================================
There's not much in the log. Please uninstall PriceGong in Add/Remove Programs. Then use Windows Explorer to access My Computer> Local Drive (C)> Programs> find the folder for PriceGong and do a right click> Delete to remove it.
=================================
Bit Torrent is a file sharing program: P2P Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
======================================
To run HijackThis:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will be saved and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
ComboFix 11-12-28.03 - Saban 12/28/2011 9:37.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.91 [GMT -5:00]
Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.txt.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\pricegong\1.5.0\PriceGongIE.dll
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-23 20:35 . 2011-12-23 20:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Sammsoft
2011-12-23 20:35 . 2011-12-26 14:50 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
2011-12-23 20:34 . 2011-12-23 20:36 -------- d-----w- c:\program files\Ask.com
2011-12-23 20:34 . 2011-12-23 20:34 -------- d-----w- c:\program files\ARO 2011
2011-12-14 20:15 . 2011-12-14 20:15 -------- d-----w- C:\_OTM
2011-12-12 14:09 . 2011-12-12 14:09 -------- d-----w- c:\program files\ESET
2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-29 18:00 . 2011-11-29 18:00 -------- d-----w- c:\program files\iPod
2011-11-29 17:59 . 2011-11-29 18:03 -------- d-----w- c:\program files\iTunes
2011-11-29 17:43 . 2011-11-29 17:43 -------- d-----w- c:\program files\Bonjour
2011-11-28 21:14 . 2011-11-28 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2008-04-14 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
"AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-11-11 2315120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
S0 cerc6;cerc6; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-07-26 23:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 09:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(616)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-28 09:55:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 14:55
ComboFix2.txt 2011-12-28 14:30
ComboFix3.txt 2011-12-10 00:07
.
Pre-Run: 14,506,586,112 bytes free
Post-Run: 14,493,413,376 bytes free
.
- - End Of File - - 59B91B0AF13C9EEBCAB20CF186BD27C4
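The redirect mechanics the helper describes above (a chosen search hit or home page replaced by some other 'search' site) show up in this ComboFix log's Supplementary Scan as Firefox prefs pointed at search.conduit.com, next to the orphaned URLSearchHook entries. The Python script below is an added example, not a tool from this thread or from the ComboFix/HijackThis authors: it triages such log lines against an allowlist of expected hosts, which, like the sample lines, is an assumption constructed for the demo.

```python
"""Triage browser-hijack indicators in ComboFix / HijackThis style log lines.

Added example for this thread, not a tool posted in it.  It reads the line
shapes that carry browser configuration (ComboFix 'uStart Page' / 'FF - prefs.js'
entries, HijackThis R0/R1 entries) and reports:
  * search or home-page settings whose host is outside an allowlist, and
  * URLSearchHook entries with no backing file (orphaned hooks).
Nothing is changed on disk; the output is for a human to review.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts the user expects as search/home page.  Anything else is
# reported so a human can decide whether it was chosen or injected.
ALLOWED_HOSTS = {"www.google.com", "go.microsoft.com"}


def refang(url: str) -> str:
    """ComboFix defangs URLs as hxxp://; HijackThis leaves http:// as is."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, '' if unparsable."""
    return (urlparse(refang(url)).hostname or "").lower()


# ComboFix "Supplementary Scan": IE user settings and Firefox prefs.js values.
CF_IE = re.compile(r"^u(Start Page|SearchAssistant|SearchURL,\(Default\)) = (\S+)$")
CF_FF = re.compile(r"^FF - prefs\.js: (\S+) -\s*(\S*)$")
# HijackThis R0/R1 lines: "<registry path>,<value name> = <url>".
HJT_R = re.compile(
    r"^R[01] - .*?,(Default_Page_URL|Default_Search_URL|Search Page|Start Page) = (\S+)$"
)
# Search hooks with no file behind them, in either tool's spelling.
ORPHAN_HOOK = re.compile(r"URLSearchHook.*\(?no file\)?$", re.IGNORECASE)


def triage(lines):
    """Return (kind, setting, detail) tuples for suspicious log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = CF_IE.match(line) or CF_FF.match(line) or HJT_R.match(line)
        if m:
            setting, value = m.group(1), m.group(2)
            # An empty value (e.g. no selectedEngine) carries no host to judge.
            if value and host_of(value) not in ALLOWED_HOSTS:
                findings.append(("hijacked-setting", setting, host_of(value)))
        elif ORPHAN_HOOK.search(line):
            findings.append(("orphan-hook", "URLSearchHook", line))
    return findings


# Constructed sample in the shapes seen in this thread's logs (ctid values are
# the ones printed in the ComboFix log above; the GUID below is a placeholder).
SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "uSearchURL,(Default) = hxxp://www.google.com/search?q=%s",
    "FF - prefs.js: browser.search.defaulturl - "
    "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}",
    "FF - prefs.js: browser.search.selectedEngine -",
    "FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    "R3 - URLSearchHook: (no name) - - (no file)",
    "R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
]

if __name__ == "__main__":
    for kind, setting, detail in triage(SAMPLE_LINES):
        print(f"{kind:17} {setting:28} {detail}")
```

Run against a real ComboFix.txt or hijackthis.log by passing its lines to triage(); the allowlist is the only thing to adapt.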
 
Hello! happy holidays!

I have downloaded Adobe Reader MUI 10.1 - Multiple Languages

I cannot find PriceGong. If I am not mistaken I saw ComboFix removing this program, but I did remove it from My Computer> Local Drive (C)> Programs
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:29:32 AM, on 12/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Saban\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4784 bytes
 
Please note: Since we started, you have just recently gotten the AskBar on the system. You must check all download screens before you download and uncheck any pre-checked items. The Ask Bar is frequently one of them: It looks like it was bundled with ARO 2012.
==================================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
c:\program files\Ask.com
c:\program files\ARO 2011
c:\program files\AVG Secure Search
Extra::
File::
Firefox::
Firefox-: - Profile - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
Firefox-: prefs.js- Search.DefaultURL
Firefox-: prefs.js- Searchengine.defaultURL
Firefox-: prefs.js- Startup.Homepage
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AROReminder"=-
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    i8042prt.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=======================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

C:\Program Files\Ask.com\Updater\Updater.exe
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem


Close all windows except HijackThis and click on "Fix Checked."
===================================================
Go to Add/Remove Programs and uninstall the following, if found:
Any Ask entries
Bit Torrent Toolbar
Conduit Engine
ARO 2012
When finished, use Windows Explorer to access Computer> Local Drive> Programs> Look for program folder for each of the programs you uninstalled and do a right click> Delete on each.
===============================================
Remove this Scheduled Task: Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

  • Right click on the following Task> Delete.
    c:\windows\Tasks\Scheduled Update for Ask Toolbar (c:\program files\Ask.com\UpdateTask.exe)
===============================================
Don't forget to update Adobe Reader v9.0 to v10.xx
=============================================
Note: I have removed ARO 2012. It is a registry optimizer. We don't recommend registry 'cleaners' to anyone. The risk far outweighs any benefit.
============================================
Please open Firefox> Tools> Add ons> Extensions> Remove the following:
Ext: Conduit Engine
Ext: BitTorrentBar Community Toolbar
Ext: Support.com Toolbar (this is another entry from ask.com)
============================================
Please let me know how the system is doing when you finish the above, then reboot.
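As an added example, not part of this thread and not a HijackThis feature, the Python script below applies the two rules the helper used above when picking HijackThis entries to "Fix Checked": an R3 URLSearchHook whose backing file is gone, and an O4 Run entry whose target lives under a folder of a bundled toolbar or optimizer vendor named in the thread (Ask.com, ARO 2011, Conduit, PriceGong). The vendor list and the sample log lines are constructed from what is posted in this thread; the function names are the example's own.

```python
"""Triage of HijackThis-style log lines.

Added example, not part of the thread and not a HijackThis feature. It applies
the two rules the helper used when picking entries to 'Fix Checked':
  1. an R3 URLSearchHook whose backing file is missing ("(no file)"), and
  2. an O4 Run entry whose target lives under a folder belonging to a
     bundled toolbar / optimizer vendor named in the thread.
SAMPLE_LOG is constructed from lines of the log posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lower-cased folder fragments taken from the thread; matched against the
# lower-cased target path of an O4 Run entry.
SUSPECT_VENDORS = ("ask.com", "aro 2011", "conduit", "pricegong")

# Shape of a Run entry:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" args
O4_RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# A CLSID in braces, e.g. {472734EA-242A-422b-ADF8-83D1E48CC825}
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')


@dataclass
class Finding:
    line: str      # the original log line
    reason: str    # why it was flagged


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line.

    A quoted path ends at the closing quote. An unquoted one is cut at the
    first ' -' or ' /' switch, so 'C:\\Program Files\\ARO 2011\\aro.exe -rem'
    keeps the space inside its folder name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return re.split(r' [-/]', cmd, maxsplit=1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply both rules to one line; None means 'not flagged'."""
    line = line.strip()
    # Rule 1: a search hook that is still registered but points at nothing.
    if line.startswith("R3 - URLSearchHook:") and line.endswith("(no file)"):
        m = CLSID_RE.search(line)
        clsid = m.group(0) if m else "<no CLSID>"
        return Finding(line, f"orphaned URLSearchHook {clsid}: registered but file missing")
    # Rule 2: an autostart whose binary sits in a known bundleware folder.
    m = O4_RUN_RE.match(line)
    if m:
        path = exe_path(m.group("cmd")).lower()
        for vendor in SUSPECT_VENDORS:
            if vendor in path:
                return Finding(line, f"Run entry [{m.group('name')}] under suspect folder '{vendor}'")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the four entries the helper listed for "Fix Checked" (both orphaned hooks, ApnUpdater and AROReminder) and leaves Skype, QuickTime, ctfmon and the Office startup link alone. The vendor list is deliberately small and thread-specific; in practice it would be fed from whatever bundleware a given case turns up.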
 
ComboFix 11-12-29.05 - Saban 12/29/2011 16:30:38.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.312 [GMT -5:00]
Running from: c:\documents and settings\Saban\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saban\Desktop\CFScript.txt.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 15:35 . 2011-12-29 15:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-28 16:52 . 2011-12-28 16:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-28 15:18 . 2011-12-28 15:18 -------- d-----w- C:\HijackThis
2011-12-23 20:35 . 2011-12-23 20:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Sammsoft
2011-12-23 20:35 . 2011-12-26 14:50 -------- d-----w- c:\documents and settings\Saban\Local Settings\Application Data\AskToolbar
2011-12-23 20:34 . 2011-12-23 20:36 -------- d-----w- c:\program files\Ask.com
2011-12-23 20:34 . 2011-12-23 20:34 -------- d-----w- c:\program files\ARO 2011
2011-12-14 20:15 . 2011-12-14 20:15 -------- d-----w- C:\_OTM
2011-12-12 14:09 . 2011-12-12 14:09 -------- d-----w- c:\program files\ESET
2011-12-08 19:13 . 2011-12-09 15:27 -------- d-----w- c:\program files\AVG Secure Search
2011-12-02 22:35 . 2011-12-02 22:35 -------- d-----w- c:\documents and settings\Saban\Application Data\Malwarebytes
2011-12-02 22:34 . 2011-12-02 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-02 19:35 . 2011-12-02 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 19:11 . 2011-11-07 19:11 11264 ----a-w- c:\windows\DCEBoot.exe
2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2008-04-14 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-07-15 22:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-28_14.24.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 17:02 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-15 22:36 . 2011-12-28 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-15 22:36 . 2011-11-08 15:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-28 17:02 . 2011-12-28 17:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-12-28 16:57 . 2011-12-28 16:57 22016 c:\windows\Installer\5e31d0.msi
+ 2011-12-28 16:52 . 2011-12-28 16:52 28160 c:\windows\Installer\5e31cb.msi
+ 2011-12-28 16:52 . 2011-12-28 16:52 24064 c:\windows\Installer\5e31c6.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2011-12-29 15:35 . 2011-12-29 15:35 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2011-12-29 15:35 . 2011-12-29 15:35 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-12-28 16:52 . 2011-12-28 16:52 2295808 c:\windows\Installer\5e31bd.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\5e31be.msp
+ 2011-06-06 17:55 . 2011-06-06 17:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
"AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-11-11 2315120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
- c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
.
2011-12-29 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
.
2011-12-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-07-26 23:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 16:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2011-12-29 16:44:04
ComboFix-quarantined-files.txt 2011-12-29 21:44
ComboFix2.txt 2011-12-28 14:55
ComboFix3.txt 2011-12-28 14:30
ComboFix4.txt 2011-12-10 00:07
.
Pre-Run: 14,070,751,232 bytes free
Post-Run: 14,231,277,568 bytes free
.
- - End Of File - - 22F4FAC0FFD9AFC320CA8A3269D9627A
 