Solved Malware redirecting websites

Okay, there are a few things we need to discuss:

1. There is a multitude of Java on the system for the OS, Firefox and Chrome:
"{1111706F-666A-4037-7777-203328764D10}" = JavaFX 2.0.3
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{26A24AE4-039D-4CA4-87B4-2F83217003FF}" = Java(TM) 7 Update 3

Firefox - plugin: C:\Program Files\Oracle\JavaFX 2.0 Runtime
Java Plug-in 1.7.0_03
CHR - plugin: Java Deployment Toolkit 6.0.180.7 (Enabled)
Java 6 Update 20 includes a fixed 6.0.200.2 version of the Java Deployment Toolkit plugin, now named "npdeployJava1.dll". The update should remove the blacklisted (sp. corrected) "npdeploytk.dll" plugin. If any copies of npdeploytk.dll remain, you should remove them manually.

CHR - plugin: Java(TM) Platform SE 6 U18 (Enabled)
------------------------------------------
Unless the user has particular needs for developer versions of Java, all of the above should be removed and the following installed:
Java Downloads for All Operating Systems>> Recommended Version 6 Update 32>> https://www.techspot.com/downloads/6463-java-se.html

There is a program I can use to remove all of the outdated versions, but I don't know if it will also remove developer versions. All of the outdated versions are vulnerabilities.
======================================
2. Who set this and what is the sub-net?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
=======================================================
I will have to get back to you, as I have to ask about one section of entries that needs to be removed. Combofix would delete the entries automatically, but I will have to list them.
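A quick way to read the GloballyOpenPorts values quoted in that post, as an added example (not code from this thread, from OTL or from Microsoft). Windows XP SP2 stores each firewall exception as port:protocol:scope:state:label; the parser below accepts both the .reg export form and the OTL form, uses the six entries above (with the forum's emoticon damage undone) as constructed sample input, and reports which exceptions are enabled and whether any is open to every remote address ("*") rather than to LocalSubNet only. The port-to-service names are general knowledge, not something the post states, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the six GloballyOpenPorts values quoted in the post,
# written the way Windows XP SP2 stores them (port:protocol:scope:state:@resource).
SAMPLE_REG_TEXT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002"
'''

# Services normally behind these ports (general knowledge, not taken from the post).
KNOWN_PORTS: Dict[tuple, str] = {
    (1900, "UDP"): "SSDP / UPnP discovery",
    (2869, "TCP"): "UPnP device host (event notification)",
    (137, "UDP"): "NetBIOS name service",
    (138, "UDP"): "NetBIOS datagram service",
    (139, "TCP"): "NetBIOS session service (file and printer sharing)",
    (445, "TCP"): "SMB over TCP (file and printer sharing)",
}

# Accepts both the .reg form ("name"="value") and the OTL form ("name" = value).
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?'
    r'(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):(?P<state>Enabled|Disabled)'
    r'(?::(?P<label>.*?))?"?\s*$'
)


@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str      # "LocalSubNet", "*" (any address) or an explicit address list
    enabled: bool
    label: str      # resource string or free-text description

    @property
    def service(self) -> str:
        return KNOWN_PORTS.get((self.port, self.proto), "unknown service")

    @property
    def open_to_any_address(self) -> bool:
        # "LocalSubNet" limits the exception to the machine's own subnet; "*" does not.
        return self.enabled and self.scope.strip() == "*"


def parse_open_ports(reg_text: str) -> List[OpenPort]:
    """Return one OpenPort per GloballyOpenPorts value found in reg_text."""
    entries: List[OpenPort] = []
    for raw in reg_text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if not m:
            continue   # key header, blank line or unrelated value
        entries.append(OpenPort(
            port=int(m["port"]), proto=m["proto"], scope=m["scope"],
            enabled=(m["state"] == "Enabled"), label=m["label"] or "",
        ))
    return entries


def summarize(entries: List[OpenPort]) -> Dict[str, list]:
    """Group the exceptions the way a reviewer wants to read them."""
    return {
        "enabled": [f"{e.port}/{e.proto} ({e.service}, scope {e.scope})" for e in entries if e.enabled],
        "disabled": [f"{e.port}/{e.proto}" for e in entries if not e.enabled],
        "open_to_any_address": [f"{e.port}/{e.proto}" for e in entries if e.open_to_any_address],
    }


if __name__ == "__main__":
    for bucket, items in summarize(parse_open_ports(SAMPLE_REG_TEXT)).items():
        print(f"{bucket}: {items or '-'}")
```

On the values in the post, only the two UPnP ports are enabled and every entry is scoped to LocalSubNet, so nothing is reachable from outside the machine's own subnet; the "-22001" style labels are just resource-string references into xpsp2res.dll for the exception's display name.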
 
Ok, I uninstalled JavaFX, but I can't seem to uninstall Java(TM) 6 Update 18; I get internal error 2753 regutils.dll. Java(TM) 7 Update 3 doesn't even show up in Add/Remove Programs. As for the sub-net, I have no idea, and neither does the owner of the computer.
 
Before you run the following, please shut the computer down, then reboot:
  • Run OTL
  • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:
    Code:
    :OTL
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKCU\..\SearchScopes\{a17cc547-016c-4a35-a95b-de64acafa170}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
    IE - HKCU\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
    CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    CHR - plugin: WeatherBlink Installer Plugin Stub (Enabled) = C:\Program Files\WeatherBlinkEI\Installr\1.bin\NPgcEISB.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://aolsvc.aol.com/onlinegames/popzuma/popcaploader_v10.cab (PopCapLoader Object)
    O16 - DPF: Photobucket Publisher http://pic.photobucket.com/plugins/csve/photobucket_publisher.CAB (Reg Error: Key error.)
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2007/08/17 20:25:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe
    [2011/10/07 22:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\BcbnQWRTUIPADFH
    [2011/10/07 13:46:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\bIBrzPNyc1v2n4
    [2011/10/07 12:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\bJ6dWK8fR9TwUe
    [2011/10/07 15:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\BqhYXwkUVlBx0c1
    [2011/10/07 04:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\dA1ivD2on4m5
    [2011/10/07 14:19:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\DL8gRZqhYwUrOt
    [2011/10/07 22:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\dmH6sWK7fLgXjCk
    [2011/10/06 17:50:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\dP0ucS1ib3n4
    [2011/10/06 17:50:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\dpmG5aQ6dKfZhXj
    [2011/09/27 18:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\FCSB000063127
    [2011/10/07 22:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Gb3n4Q6W7R
    [2011/10/08 14:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\hjUIBtzPN
    [2011/10/08 14:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\iBtzPNycAiDoF
    [2011/10/07 13:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\IgTZqhYCwIrOtAu
    [2011/10/07 14:19:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\IRZqhYCwkVlNx0c
    [2011/10/08 14:49:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\jnF4pmH5sJdLg
    [2011/10/07 22:59:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\KE8RqYwUrOtPuSi
    [2011/10/06 18:03:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\KQH6dWK7fLhXjCl
    [2011/10/06 18:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\LXwkUVrlOtPuSiD
    [2011/10/07 14:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\S4aQH6dWKf
    [2011/10/07 04:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\s5sWJ7fELgZjCkV
    [2011/10/07 15:10:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\tgTXqjCekBOyAuS
    [2011/10/07 15:10:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\tgTXqjYCeIrOyAu
    [2011/10/06 17:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\U7E9TqYeIrOyAuS
    [2011/10/07 22:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\UamH6sWK7E9TqY
    [2011/10/07 22:59:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\umHsJ7fEL
    [2011/10/07 23:06:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Upoxu
    [2011/10/08 14:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\UZqjYCwkIrOtAuS
    [2011/10/07 15:10:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\vekIVrzONx0v2b3
    [2007/08/17 20:25:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Viewpoint
    [2011/10/08 14:49:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\vK7fRL9hTq
    [2011/10/06 17:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\vpGsQ6E8R9
    [2011/10/07 22:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wG4amH6sW7E9T
    [2011/09/27 18:32:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\WhiteSmokeTranslator
    [2011/10/06 18:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wibF3pmG5Q
    [2011/10/07 22:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wNc1v2n4m5
    [2011/10/06 18:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\x6dEK8fRZhXjVlB
    [2011/10/07 14:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\X6W7E9TqYeIrOyA
    [2011/10/08 14:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\XlBtzPNyc1
    [2011/10/07 04:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\XqjYCwkIVzNx0
    [2011/10/07 12:49:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\yycA1ivD3n4m6W
    [2011/10/07 15:10:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\YYCekIBONx
    [2011/10/07 15:10:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\YYCekIBrzN
    [2011/10/06 17:50:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\z6dEK8fRZhXjVlB
    [2011/10/07 15:10:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\zNyxA1uvSoFpGsJ
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [emptyjava]
    [resethosts]
    [CreateRestorePoint]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run uninterrupted, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
===================================
I doubt you can handle more code than above at one time, so we will have to run the fix again with additional entries. There were only a few good appdata entries and I have removed them. It took me a while to get through them all!
 
OTL logfile created on: 5/11/2012 1:26:27 AM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = D:\
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

381.69 Mb Total Physical Memory | 98.67 Mb Available Physical Memory | 25.85% Memory free
919.09 Mb Paging File | 688.46 Mb Available in Paging File | 74.91% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.75 Gb Total Space | 124.19 Gb Free Space | 86.39% Space Free | Partition Type: NTFS
Drive D: | 242.00 Mb Total Space | 232.43 Mb Free Space | 96.05% Space Free | Partition Type: FAT32
Drive H: | 5.28 Gb Total Space | 3.41 Gb Free Space | 64.48% Space Free | Partition Type: FAT32

Computer Name: YOUR-99DDF15D27 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5adb0f89d469632511aed9d88cfe05c4\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\631b3eba1ba5bd3c3f027f34011cadeb\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\563a54b98adb70fae862974042298348\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\37217abe2c5164e59aba251860f4c79e\System.ni.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (IHA_MessageCenter) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PSSdk23) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRENDIS5) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (MREMPR5) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM) -- C:\WINDOWS\system32\drivers\SRS_SSCFilter.sys ()
DRV - (hamachi_oem) -- C:\WINDOWS\system32\drivers\gan_adapter.sys (Applied Networking Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{a17cc547-016c-4a35-a95b-de64acafa170}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
IE - HKLM\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}

IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.3.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/09/27 15:27:05 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks [2010/01/31 15:58:15 | 000,000,000 | ---D | M]

[2010/11/14 18:10:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Mozilla\Extensions
[2010/03/16 18:09:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Mozilla\Extensions\mozswing@mozswing.org

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.180.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java(TM) Platform SE 6 U18 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpjplug.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Move Streaming Media Player (Enabled) = C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll
CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: WeatherBlink Installer Plugin Stub (Enabled) = C:\Program Files\WeatherBlinkEI\Installr\1.bin\NPgcEISB.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2012/05/10 13:21:31 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab (Disney Online Games ActiveX Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} http://www.worldwinner.com/games/v63/bjattack/bja.cab (BJA Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2399B279-E23A-4D25-9FC3-FDBB1988B757}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/03/28 12:27:29 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2012/03/28 12:27:30 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/03/28 12:27:30 | 000,000,000 | R--D | M] - H:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/05/09 11:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun
[2012/05/01 11:52:34 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/05/01 11:51:35 | 004,480,463 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
[2012/04/18 12:15:59 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/04/17 11:31:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC

========== Files - Modified Within 30 Days ==========

[2012/05/11 01:27:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/11 01:24:58 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/11 01:24:29 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-944287074-3991993469-2546533042-1006.job
[2012/05/11 01:24:27 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/11 01:24:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/11 01:24:17 | 400,302,080 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/10 13:21:31 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/05/09 22:28:03 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-944287074-3991993469-2546533042-1006.job
[2012/05/01 11:49:14 | 004,480,463 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
[2012/04/18 12:11:58 | 000,001,483 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\On-Screen Keyboard (2).lnk
[2012/04/17 11:33:41 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/04/17 11:32:59 | 000,000,191 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Malware redirecting websites - TechSpot OpenBoards.url

========== Files Created - No Company Name ==========

[2012/04/18 12:11:46 | 000,001,483 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\On-Screen Keyboard (2).lnk
[2012/04/17 11:34:42 | 400,302,080 | -HS- | C] () -- C:\hiberfil.sys
[2012/04/10 12:45:16 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/10 12:45:16 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/10 12:45:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/10 12:45:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/10 12:45:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/29 12:26:14 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2011/10/05 19:29:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

========== LOP Check ==========

[2010/04/02 17:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MyHeritage
[2006/11/27 21:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2010/10/14 20:51:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2003/12/31 23:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soluto
[2007/01/18 18:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SRS Labs
[2006/12/03 19:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2012/03/11 19:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WSTB
[2007/05/08 20:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\acccore
[2010/04/15 18:20:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[2010/05/20 16:28:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\ijjigame
[2006/11/23 20:53:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\MSNInstaller
[2010/04/02 17:02:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\MyHeritage
[2008/10/21 16:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\NPLUTO Corporation
[2010/06/02 14:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\OpenOffice.org
[2012/03/29 13:07:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Oracle
[2009/04/20 17:56:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Research In Motion
[2006/07/31 20:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\SampleView
[2010/02/09 23:36:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Singlesnet
[2009/09/08 22:10:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Template
[2012/03/11 19:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Tutys
[2011/10/06 18:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wbF3pmG5aJ
[2009/09/08 21:54:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\WeatherBug

========== Purity Check ==========



< End of report >
 
Well this looks a lot better! Just a few more to remove:
  • Run OTL
  • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:
    Code:
    :OTL
    CHR - plugin: Java(TM) Platform SE 6 U18 
    CHR - plugin: WeatherBlink Installer Plugin Stub (Enabled) = C:\Program Files\WeatherBlinkEI\Installr\1.bin\NPgcEISB.dll
    [2011/10/06 18:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wbF3pmG5aJ
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{a17cc547-016c-4a35-a95b-de64acafa170}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true&user_id=%userid&tool_id=60231&qkw={searchTerms}
    IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{107254A0-0ADF-11D4-9397-00D0B7020B38}" =
    "{1111706F-666A-4037-7777-203328764D10}" =-
    "ViewpointMediaPlayer" =-
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" =-
    "{26A24AE4-039D-4CA4-87B4-2F83217003FF}" =-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" =-
    "2869:TCP" =-
    "139:TCP" =-
    "445:TCP" =-
    "137:UDP" =-
    "138:UDP" =- 
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [emptyjava]
    [resethosts]
    [CreateRestorePoint]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run uninterrupted, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
----------------------
Please give me an update on how the system is doing.
 
System seems to be running a lot better. No longer getting pop ups or redirected searches and such. Needs more ram, but considering that, it is about how I'd expect XP on a P4 to run.
_____________________________________________

OTL logfile created on: 5/16/2012 1:40:42 PM - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = D:\
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

381.69 Mb Total Physical Memory | 106.30 Mb Available Physical Memory | 27.85% Memory free
917.33 Mb Paging File | 702.31 Mb Available in Paging File | 76.56% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.75 Gb Total Space | 123.96 Gb Free Space | 86.23% Space Free | Partition Type: NTFS
Drive D: | 242.00 Mb Total Space | 232.42 Mb Free Space | 96.04% Space Free | Partition Type: FAT32
Drive H: | 5.28 Gb Total Space | 3.41 Gb Free Space | 64.48% Space Free | Partition Type: FAT32

Computer Name: YOUR-99DDF15D27 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5adb0f89d469632511aed9d88cfe05c4\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\16670b6870746e5a8dc4a73a76a90bed\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\631b3eba1ba5bd3c3f027f34011cadeb\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\563a54b98adb70fae862974042298348\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\37217abe2c5164e59aba251860f4c79e\System.ni.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (IHA_MessageCenter) -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PSSdk23) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRENDIS5) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (MREMPR5) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM) -- C:\WINDOWS\system32\drivers\SRS_SSCFilter.sys ()
DRV - (hamachi_oem) -- C:\WINDOWS\system32\drivers\gan_adapter.sys (Applied Networking Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}

IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7PRFB_enUS475
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.3.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.666: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/09/27 15:27:05 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks [2010/01/31 15:58:15 | 000,000,000 | ---D | M]

[2010/11/14 18:10:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Mozilla\Extensions
[2010/03/16 18:09:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Mozilla\Extensions\mozswing@mozswing.org

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.180.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java(TM) Platform SE 6 U18 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpjplug.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Move Streaming Media Player (Enabled) = C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks\plugins\npqmp071701000002.dll
CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: WeatherBlink Installer Plugin Stub (Enabled) = C:\Program Files\WeatherBlinkEI\Installr\1.bin\NPgcEISB.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2012/05/16 09:42:31 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab (Disney Online Games ActiveX Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} http://www.worldwinner.com/games/v63/bjattack/bja.cab (BJA Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2399B279-E23A-4D25-9FC3-FDBB1988B757}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/03/28 12:27:29 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2012/03/28 12:27:30 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/03/28 12:27:30 | 000,000,000 | R--D | M] - H:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/05/09 11:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun
[2012/05/01 11:52:34 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/05/01 11:51:35 | 004,480,463 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
[2012/04/18 12:15:59 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/04/17 11:31:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC

========== Files - Modified Within 30 Days ==========

[2012/05/16 13:27:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/16 12:21:53 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/16 12:21:24 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-944287074-3991993469-2546533042-1006.job
[2012/05/16 12:21:23 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/16 12:21:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/16 12:21:18 | 400,302,080 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/16 09:42:31 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/05/09 22:28:03 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-944287074-3991993469-2546533042-1006.job
[2012/05/01 11:49:14 | 004,480,463 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
[2012/04/18 12:11:58 | 000,001,483 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\On-Screen Keyboard (2).lnk
[2012/04/17 11:33:41 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/04/17 11:32:59 | 000,000,191 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Malware redirecting websites - TechSpot OpenBoards.url

========== Files Created - No Company Name ==========

[2012/04/18 12:11:46 | 000,001,483 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\On-Screen Keyboard (2).lnk
[2012/04/17 11:34:42 | 400,302,080 | -HS- | C] () -- C:\hiberfil.sys
[2012/04/10 12:45:16 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/10 12:45:16 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/10 12:45:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/10 12:45:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/10 12:45:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/29 12:26:14 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2011/10/05 19:29:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

========== LOP Check ==========

[2010/04/02 17:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MyHeritage
[2006/11/27 21:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2010/10/14 20:51:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2003/12/31 23:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soluto
[2007/01/18 18:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SRS Labs
[2006/12/03 19:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2012/03/11 19:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WSTB
[2007/05/08 20:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\acccore
[2010/04/15 18:20:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[2010/05/20 16:28:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\ijjigame
[2006/11/23 20:53:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\MSNInstaller
[2010/04/02 17:02:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\MyHeritage
[2008/10/21 16:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\NPLUTO Corporation
[2010/06/02 14:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\OpenOffice.org
[2012/03/29 13:07:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Oracle
[2009/04/20 17:56:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Research In Motion
[2006/07/31 20:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\SampleView
[2010/02/09 23:36:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Singlesnet
[2009/09/08 22:10:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Template
[2012/03/11 19:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Tutys
[2009/09/08 21:54:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\WeatherBug

========== Purity Check ==========



< End of report >
 
Redirect resolved, correct? Just a few more removals:
  • Run OTL
  • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:
    Code:
    :OTL
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [emptyjava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run uninterrupted, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button.
=============================================
Suggestion: you have 3 browsers configured with addons or plugins. Most are in Chrome and Firefox, but there are a few in IE that can be removed:
Open IE> Tools> Manage addons> check addons in both 'addons currently on system' and 'addons previously on system'> Remove McAfee, Eset online scan and any 'SearchScope' entries not directed to a URL that you use.

Check the comparable sections in CHR and FF and remove any that are outdated or unused. All of these will load up when you boot; the fewer you have, the better, on all 3 browsers.
---------------------------------------------
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
Empty the Recycle Bin

Let me know if you have any questions.
 
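Both fix scripts in this thread are built the same way: the helper reads the OTL log, picks out the lines that describe something broken or unwanted, and pastes those lines back under `:OTL` as removal instructions. The script below is an added example (not part of the thread and not OTL's own code) that applies the same triage rules to OTL log lines: an IE SearchScope whose URL host is not one the user searches with (the redirect symptom), an empty DefaultScope, autostart and plugin entries whose target no longer exists (OTL marks these "No CLSID value found", "File not found" or "Reg Error"), and a Java browser plugin older than an assumed minimum. The trusted-host set and the Java minimum are assumptions for the example; the sample input is copied from the Run 3 log above (one Google URL shortened) plus the Java 6 U18 Chrome plugin line from the earlier fix.

```python
"""Triage OTL log lines and emit the :OTL section of a fix script.
Added example; not part of the thread and not OTL's own code."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# ASSUMPTION: the search engines this user actually uses.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.live.com"}
# ASSUMPTION: oldest Java 6 browser plugin still acceptable, as (major, update).
MIN_JAVA = (6, 32)

# Substrings OTL prints when a registry entry points at something that no
# longer exists.  Harmless on their own, but exactly what the helper removes.
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error")

SCOPE_URL_RE = re.compile(
    r'^IE - (?:HKLM|HKCU)\\\.\.\\SearchScopes\\\{[0-9A-Fa-f-]{36}\}: "URL" = (?P<url>\S+)'
)
DEFAULT_SCOPE_RE = re.compile(
    r'^IE - (?:HKLM|HKCU)\\\.\.\\SearchScopes,DefaultScope =\s*(?P<guid>\S*)$'
)
# Line families that describe something loaded at boot or browser start.
AUTOSTART_RE = re.compile(r'^(?:O\d+ - |CHR - plugin: |FF - HK|DRV - |SRV - )')
JAVA_PLUGIN_RE = re.compile(r'Java\(TM\) Platform SE (?P<major>\d+) U(?P<update>\d+)')


@dataclass(frozen=True)
class Finding:
    line: str     # the OTL log line, verbatim, so it can be pasted into a fix
    reason: str


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCOPE_URL_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(line, f"search scope points at untrusted host {host}"))
            continue
        m = DEFAULT_SCOPE_RE.match(line)
        if m:
            if not m.group("guid"):
                findings.append(Finding(line, "empty DefaultScope"))
            continue
        if not AUTOSTART_RE.match(line):
            continue
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(line, "orphaned entry: target no longer exists"))
            continue
        jm = JAVA_PLUGIN_RE.search(line)
        if jm and (int(jm["major"]), int(jm["update"])) < MIN_JAVA:
            findings.append(Finding(line, f"outdated Java plugin {jm['major']}u{jm['update']}"))
    return findings


def otl_fix_script(findings: List[Finding]) -> str:
    """OTL accepts its own log lines pasted back under :OTL as removal
    instructions, which is how the fixes in this thread are written."""
    lines = [":OTL"] + [f.line for f in findings]
    lines += [":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines) + "\n"


# Sample input: lines copied from the Run 3 log above (one Google URL
# shortened) plus the Java 6 U18 Chrome plugin line from the earlier fix.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7
IE - HKLM\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.3.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll File not found
CHR - plugin: Java(TM) Platform SE 6 U18 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
DRV - (catchme) -- C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\catchme.sys File not found
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:55} | {f.line[:70]}")
    print(otl_fix_script(found))
```

Run it against a full OTL log by reading the file into `triage()`. The script deliberately keeps the log line verbatim in each `Finding`, because that is the form OTL's fix box expects; review the output before pasting it, since a search scope to an unfamiliar but legitimate host (the MyHeritage entry above, for instance) is flagged on the trusted-host assumption, not on evidence of malware.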