Solved: Dell laptop w/XP - Google redirect virus

rherder (Junior Member, 20 posts; Join Date: Nov 2009; Experience: competent user, not a tech)
09-Nov-2009, 12:39 PM #1
Our five year old Dell laptop (Inspiron 1000) has a redirect virus. Google searches are redirected to other pages, esp. Gotoseek page and gambling pages. Have tried spybot, AVG, Malware Bytes, and SuperAnti-spyware pro. None of it worked. I also tried to update Java, but whatever malware we got blocks the update.
Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:55 AM, on 11/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.perimeter.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1181791605750
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 7252 bytes
rherder, 20-Nov-2009, 09:55 AM #2
I need to make one correction to my post. I said it frequently redirects to "gotoseek." That was a mistake. The website that comes up most frequently is "Toseeka." Then again, I just tested it by doing 10 random searches W/Google in Firefox. 7 of them redirected, none of them to the Toseeka site. In all but two of the redirects the signature blue "2" flashed in the address bar. Two of the searches redirected to a website called "NeXplore."
NeonFx (Senior Member, 4,817 posts; Join Date: Oct 2008; Location: California, USA)
20-Nov-2009, 03:45 PM #3
Hello there! Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.
Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Please copy the following into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information, this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to: http://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
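The `/s /md5` custom-scan lines in Step 1 ask OTS to search the drive for each listed filename and hash every copy it finds, so the helper can tell whether a system driver such as atapi.sys still matches its cached original. The script below is an added example that does the same comparison offline; it is not OTS's code, and the fake drive tree it builds (`build_sample_tree`) is constructed for demonstration only.

```python
"""Offline check in the spirit of the OTS custom scan: for each watched filename,
find every copy under a root directory, MD5 each copy and flag filenames whose
copies disagree (e.g. the live copy in system32\\drivers differs from the one in
dllcache). Example code added for this thread, not OTS's own implementation."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Filenames taken from the custom-scan list in the post (matched case-insensitively).
WATCHED_FILES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "si3112.sys", "viadsk.sys", "nvatabus.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys",
]


def md5_of(path, chunk=1 << 16):
    """Stream the file so large drivers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=WATCHED_FILES):
    """Walk `root` recursively (the /s part) and return
    {lowercased filename: [(full path, md5 hex digest), ...]}."""
    wanted = {n.lower() for n in names}
    copies = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                try:
                    copies[fn.lower()].append((full, md5_of(full)))
                except OSError:
                    # A locked or unreadable copy is recorded, not silently skipped.
                    copies[fn.lower()].append((full, "unreadable"))
    return dict(copies)


def flag_mismatches(copies):
    """Return {name: set of distinct digests} for names whose copies disagree.
    Identical copies (drivers vs dllcache with the same MD5) are left out; a
    filename with two different digests is the one worth a closer look."""
    flagged = {}
    for name, entries in copies.items():
        digests = {digest for _path, digest in entries}
        if len(digests) > 1:
            flagged[name] = digests
    return flagged


def build_sample_tree():
    """Construct a small fake system drive for demonstration (not a real XP system)."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    cache = os.path.join(root, "WINDOWS", "system32", "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    # Clean pair: both copies are byte-for-byte identical.
    for d in (drivers, cache):
        with open(os.path.join(d, "AGP440.sys"), "wb") as f:
            f.write(b"CONSTRUCTED AGP440 CONTENT")
    # Suspicious pair: the live copy no longer matches the cached one.
    with open(os.path.join(cache, "atapi.sys"), "wb") as f:
        f.write(b"CONSTRUCTED ATAPI CONTENT")
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(b"CONSTRUCTED ATAPI CONTENT" + b"\x00 MODIFIED TAIL")
    return root


def scan_sample():
    """Run the check against the constructed tree and return the flagged names."""
    root = build_sample_tree()
    return sorted(flag_mismatches(find_copies(root)))


if __name__ == "__main__":
    root = build_sample_tree()
    copies = find_copies(root)
    for name, entries in sorted(copies.items()):
        for path, digest in entries:
            print(f"{digest}  {path}")
    print("copies that disagree:", sorted(flag_mismatches(copies)))
```

On a real system the same comparison is run with the drive root as `root`; two copies of a boot-class driver with different hashes is a lead to verify against a known-good copy, not proof of infection on its own.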
rherder, 20-Nov-2009, 10:16 PM #4
Thank you for responding. I will do all of this as soon as possible... either later tonight or tomorrow morning.
RH
NeonFx, 20-Nov-2009, 11:04 PM #5
Alright
rherder, 21-Nov-2009, 07:13 AM #6
Here is the scan. What do you think?
RH

SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************************************************** ***************
*************************************************************************** ***************

No Hidden Processes found

*************************************************************************** ***************
*************************************************************************** ***************
No Hidden Kernel Modules found

*************************************************************************** ***************
*************************************************************************** ***************
SSDT:
Function Name: ZwTerminateProcess
Address: F67390B0
Driver Base: F6730000
Driver End: F6755000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
No IRP Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:1363
Remote Address: GW-IN-F102.1E100.NET:HTTPS
Type: TCP
Process: C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: RICKSLAPTOP:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: RICKSLAPTOP:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: RICKSLAPTOP:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: RICKSLAPTOP:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: RICKSLAPTOP.GATEWAY.2WIRE.NET:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: RICKSLAPTOP:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: RICKSLAPTOP:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: RICKSLAPTOP:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: RICKSLAPTOP:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: RICKSLAPTOP:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{D866F547-D98C-40FC-8993-9F8109FC9880}
Status: Access denied
rherder, 21-Nov-2009, 07:36 AM #7
I just ran 4 or 5 Google searches in Firefox. It is still there, though it took 4 searches before the redirect page loaded. The first few redirects produced blank pages.

Last edited by rherder; 21-Nov-2009 at 09:48 AM..
NeonFx, 21-Nov-2009, 03:44 PM #8
That's because those steps don't fix anything. They are to scan your system so that I can hunt down the culprit. Do you have the results from step 1?
rherder, 21-Nov-2009, 11:34 PM #9
OK, this is strange. I know I posted this scan earlier.
Let's try this again.

[code]
OTS logfile created on: 11/21/2009 10:22:36 PM - Run 2
OTS by OldTimer - Version 3.1.6.1 Folder = C:\Documents and Settings\Richard Herder\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

221.48 Mb Total Physical Memory | 137.51 Mb Available Physical Memory | 62.08% Memory free
786.57 Mb Paging File | 360.08 Mb Available in Paging File | 45.78% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.92 Gb Total Space | 14.55 Gb Free Space | 52.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RICKSLAPTOP
Current User Name: Richard Herder
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots (1).exe -> C:\Documents and Settings\Richard Herder\My Documents\Downloads\OTS (1).exe -> [2009/11/21 22:15:28 | 00,525,824 | ---- | M] (OldTimer Tools)
avgtray.exe -> C:\Program Files\AVG\AVG9\avgtray.exe -> [2009/11/12 16:48:03 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> C:\Program Files\AVG\AVG9\avgnsx.exe -> [2009/11/12 16:47:56 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.)
superantispyware.exe -> C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE -> [2009/11/11 22:41:50 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com)
googlecrashhandler.exe -> C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe -> [2009/11/10 16:17:21 | 00,136,176 | ---- | M] (Google Inc.)
jqs.exe -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/11/08 09:59:22 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> C:\Program Files\Java\jre6\bin\jusched.exe -> [2009/11/08 09:59:22 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
avgchsvx.exe -> C:\Program Files\AVG\AVG9\avgchsvx.exe -> [2009/11/02 06:10:52 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> C:\Program Files\AVG\AVG9\avgrsx.exe -> [2009/11/02 06:10:50 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcsrvx.exe -> C:\Program Files\AVG\AVG9\avgcsrvx.exe -> [2009/11/02 06:10:48 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> C:\Program Files\AVG\AVG9\avgwdsvc.exe -> [2009/11/02 06:10:32 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.)
googletoolbarnotifier.exe -> C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> [2009/05/22 06:43:29 | 00,039,408 | ---- | M] (Google Inc.)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
qttask.exe -> C:\Program Files\QuickTime\qttask.exe -> [2006/11/22 00:24:31 | 00,098,304 | ---- | M] (Apple Computer, Inc.)
issch.exe -> C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -> [2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation)
msmsgs.exe -> C:\Program Files\Messenger\msmsgs.exe -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
wdfmgr.exe -> C:\WINDOWS\system32\wdfmgr.exe -> [2004/10/11 10:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation)
spkrmon.exe -> C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe -> [2003/08/28 14:01:22 | 00,061,440 | ---- | M] ()

[Modules - Safe List]
ots (1).exe -> C:\Documents and Settings\Richard Herder\My Documents\Downloads\OTS (1).exe -> [2009/11/21 22:15:28 | 00,525,824 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll -> [2004/08/04 02:57:00 | 01,050,624 | ---- | M] (Microsoft Corporation)
framedyn.dll -> C:\WINDOWS\system32\wbem\framedyn.dll -> [2004/08/04 02:56:42 | 00,185,856 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(JavaQuickStarterService) Java Quick Starter [Auto | Running] -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/11/08 09:59:22 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
(avg9wd) AVG Free WatchDog [Auto | Running] -> C:\Program Files\AVG\AVG9\avgwdsvc.exe -> [2009/11/02 06:10:32 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.)
(gusvc) Google Software Updater [On_Demand | Stopped] -> C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/06/22 06:46:49 | 00,182,768 | ---- | M] (Google)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(UMWdf) Windows User Mode Driver Framework [Auto | Running] -> C:\WINDOWS\system32\wdfmgr.exe -> [2004/10/11 10:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation)
(helpsvc) Help and Support [Auto | Running] -> C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 02:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation)
(spkrmon) spkrmon [Auto | Running] -> C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe -> [2003/08/28 14:01:22 | 00,061,440 | ---- | M] ()
(ose) Office Source Engine [On_Demand | Stopped] -> C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\avgtdix.sys -> [2009/11/10 08:49:54 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\avgldx86.sys -> [2009/11/02 06:11:55 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> C:\WINDOWS\System32\Drivers\avgmfx86.sys -> [2009/11/02 06:11:55 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.)
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -> [2009/10/12 21:24:56 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -> [2009/10/12 21:24:54 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -> [2009/10/12 21:24:52 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -> [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\BCMWL5.SYS -> [2005/02/11 20:46:22 | 00,371,712 | ---- | M] (Broadcom Corporation)
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\USBAUDIO.sys -> [2004/08/04 02:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation)
(atapi) Standard IDE/ESDI Hard Disk Controller [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\atapi.sys -> [2004/08/04 00:59:42 | 00,095,360 | ---- | M] ()
(SISNIC) SiS PCI Fast Ethernet Adapter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sisnic.sys -> [2004/07/03 21:52:56 | 00,032,768 | ---- | M] (SiS Corporation)
(SiSkp) SiSkp [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\srvkp.sys -> [2004/06/10 19:56:24 | 00,012,160 | ---- | M] (Silicon Integrated Systems Corporation)
(SiS315) SiS315 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sisgrp.sys -> [2004/06/10 19:56:16 | 00,216,320 | ---- | M] (Silicon Integrated Systems Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ptilink.sys -> [2004/04/12 03:06:53 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(smwdm) smwdm [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\smwdm.sys -> [2004/03/29 16:04:42 | 00,612,352 | ---- | M] (Analog Devices, Inc.)
(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\AGRSM.sys -> [2003/11/19 17:41:18 | 01,205,292 | ---- | M] (Agere Systems)
(sisagp) SiS AGP Filter [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -> [2003/07/18 11:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation)
(WLAN_DCB) IEEE 802.11g Wireless LAN CardBus Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\WLANDCB.sys -> [2003/06/20 00:45:14 | 00,056,416 | R--- | M] ()
(aeaudio) aeaudio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\aeaudio.sys -> [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation)
(OMCI) OMCI [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -> [2001/08/22 10:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> [binary data] ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\] > -> ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: Main\\"Search Page" -> http://www.google.com ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: Main\\"Start Page" -> http://www.perimeter.org/ ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: Search\\"SearchAssistant" -> http://www.google.com/ie ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: SearchURL\\"" -> http://www.google.com/search?q=%s ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: URLSearchHooks\\"*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO] -> [2009/10/16 12:12:42 | 01,119,488 | ---- | M] ()
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: "ProxyEnable" -> 1 ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\: "ProxyOverride" -> <local> ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\FireFox\Profiles\2qa60jyq.default\prefs.js ->
browser.search.defaultenginename -> "Yahoo! Search" ->
browser.startup.homepage -> "http://www.perimeter.org/" ->
extensions.enabledItems -> {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.701 ->
extensions.enabledItems -> avg@igeared:2.710.016.005 ->
extensions.enabledItems -> {EF522540-89F5-46b9-B6FE-1829E2B572C6}:3.22 ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> LogMeInClient@logmein.com:1.0.0.464 ->
extensions.enabledItems -> zotero@chnm.gmu.edu:2.0b7.1 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5 ->
keyword.URL -> "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=" ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71} -> C:\Program Files\AVG\AVG9\Firefox [C:\PROGRAM FILES\AVG\AVG9\FIREFOX] -> [2009/11/10 23:08:32 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\avg@igeared -> C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [C:\PROGRAM FILES\AVG\AVG9\TOOLBAR\FIREFOX\AVG@IGEARED] -> [2009/11/10 23:08:32 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com -> C:\Program Files\Java\jre6\lib\deploy\jqs\ff [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/11/10 23:08:32 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/11/07 11:44:53 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/11/08 10:01:18 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Extensions -> [2009/02/28 09:17:24 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2009/02/28 09:17:24 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Firefox\Profiles\2qa60jyq.default\extensions -> [2009/11/20 08:49:18 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Firefox\Profiles\2qa60jyq.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6} -> [2009/11/10 23:08:05 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Firefox\Profiles\2qa60jyq.default\extensions\LogMeInClient@logmein.com -> [2009/11/10 23:08:04 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Richard Herder\Application Data\Mozilla\Firefox\Profiles\2qa60jyq.default\extensions\zotero@chnm.gmu.edu -> [2009/11/10 23:08:04 | 00,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > ->
-> C:\Program Files\Mozilla Firefox\extensions -> [2009/11/20 08:49:18 | 00,000,000 | ---D | M]
-> C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/11/07 11:44:50 | 00,000,000 | ---D | M]
-> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} -> [2009/11/10 23:08:04 | 00,000,000 | ---D | M]
< FireFox Components [Program Folders] > ->
browserdirprovider.dll -> C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll -> [2009/11/07 11:44:33 | 00,023,512 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll -> [2009/11/07 11:44:33 | 00,137,176 | ---- | M] (Mozilla Foundation)
< HOSTS File > (734 bytes and 19 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/22 23:08:42 | 00,062,080 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> C:\Program Files\AVG\AVG9\avgssie.dll [AVG Safe Search] -> [2009/11/10 08:49:45 | 01,475,864 | ---- | M] (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{A3BC75A2-1F87-4686-AA43-5347D756017C} [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO] -> [2009/10/16 12:12:42 | 01,119,488 | ---- | M] ()
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Toolbar Helper] -> [2009/11/02 05:45:34 | 00,256,112 | ---- | M] (Google Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [Google Toolbar Notifier BHO] -> [2009/09/30 08:48:08 | 00,762,864 | ---- | M] (Google Inc.)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} [HKLM] -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [Google Dictionary Compression sdch] -> [2009/11/02 05:45:31 | 00,458,736 | ---- | M] (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/11/08 09:59:22 | 00,041,760 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/11/08 09:59:28 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" [HKLM] -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Toolbar] -> [2009/11/02 05:45:34 | 00,256,112 | ---- | M] (Google Inc.)
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar] -> [2009/10/16 12:12:42 | 01,119,488 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\] > -> HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Toolbar] -> [2009/11/02 05:45:34 | 00,256,112 | ---- | M] (Google Inc.)
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Toolbar] -> [2009/11/02 05:45:34 | 00,256,112 | ---- | M] (Google Inc.)
WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> [2008/01/11 22:16:38 | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
"AVG9_TRAY" -> C:\Program Files\AVG\AVG9\avgtray.exe [C:\PROGRA~1\AVG\AVG9\avgtray.exe] -> [2009/11/12 16:48:03 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
"ISUSPM Startup" -> C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup] -> File not found
"ISUSScheduler" -> C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> [2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation)
"QuickTime Task" -> C:\Program Files\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2006/11/22 00:24:31 | 00,098,304 | ---- | M] (Apple Computer, Inc.)
"SunJavaUpdateSched" -> C:\Program Files\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/11/08 09:59:22 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
< Run [HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\] > -> HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Google Update" -> C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe ["C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c] -> [2009/11/10 16:17:21 | 00,135,664 | ---- | M] (Google Inc.)
"MSMSGS" -> C:\Program Files\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background] -> [2004/10/13 11:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
"SUPERAntiSpyware" -> C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE [C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe] -> [2009/11/11 22:41:50 | 02,001,648 | ---- | M] (SUPERAntiSpyware.com)
"swg" -> C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ["C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"] -> [2009/05/22 06:43:29 | 00,039,408 | ---- | M] (Google Inc.)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Richard Herder Startup Folder > -> C:\Documents and Settings\Richard Herder\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004] > -> HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2009/10/08 13:44:42 | 10,352,448 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2009/10/08 13:44:42 | 10,352,448 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\] > -> HKEY_USERS\S-1-5-21-1482476501-484763869-682003330-1004\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2009/10/08 13:44:42 | 10,352,448 | ---- | M] (Microsoft Corporation)
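As an added example (not part of this thread, and not one of the OTS tool's own scripts), the Python below parses autorun entries in the OTS log format shown above and applies the checks a helper makes by eye: a startup whose file is missing, a toolbar whose registry key is broken, a binary with no publisher information, and an autostart living in the user profile. The sample lines are copied from the log above; the triage rules themselves are my own assumptions about what merits a second look, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autorun lines copied from the OTS log posted above (Run keys and IE toolbars).
SAMPLE_LOG = r'''
"AVG9_TRAY" -> C:\Program Files\AVG\AVG9\avgtray.exe [C:\PROGRA~1\AVG\AVG9\avgtray.exe] -> [2009/11/12 16:48:03 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
"ISUSPM Startup" -> C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup] -> File not found
"Google Update" -> C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe ["C:\Documents and Settings\Richard Herder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c] -> [2009/11/10 16:17:21 | 00,135,664 | ---- | M] (Google Inc.)
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar] -> [2009/10/16 12:12:42 | 01,119,488 | ---- | M] ()
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
'''

# Third field of an OTS entry: [date | size | attributes | M] (publisher)
DETAIL_RE = re.compile(
    r'^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+)'
    r' \| (?P<attrs>[\w-]+) \| (?P<flag>\w)\] \((?P<company>.*)\)$')
# Second field: <path on disk> [<command line or description>]
TARGET_RE = re.compile(r'^(?P<path>.*?) \[(?P<cmd>.*)\]$')
# Assumed triage rule: autostarts under a user profile get a second look even when signed.
PROFILE_RE = re.compile(
    r'\\Documents and Settings\\[^\\]+\\(Local Settings|Application Data)\\', re.I)

@dataclass
class AutorunEntry:
    name: str
    path: str
    command: str
    company: Optional[str] = None   # None when OTS reported "File not found"
    size: Optional[int] = None
    findings: List[str] = field(default_factory=list)

def parse_entry(line: str) -> AutorunEntry:
    parts = [p.strip() for p in line.split(" -> ")]
    if len(parts) != 3:
        raise ValueError(f"unexpected OTS line: {line!r}")
    name, target, detail = parts
    m = TARGET_RE.match(target)
    path, cmd = (m.group("path"), m.group("cmd")) if m else (target, "")
    entry = AutorunEntry(name=name, path=path, command=cmd)
    if detail == "File not found":
        entry.findings.append("file missing")      # dead autostart, or a hidden file
    else:
        d = DETAIL_RE.match(detail)
        if d is None:
            raise ValueError(f"unexpected detail field: {detail!r}")
        entry.size = int(d.group("size").replace(",", ""))
        entry.company = d.group("company")
        if not entry.company:
            entry.findings.append("no publisher")  # empty "()" company field
    if path.startswith("Reg Error"):
        entry.findings.append("registry error")    # key referenced but unreadable
    if PROFILE_RE.search(path):
        entry.findings.append("runs from user profile")
    return entry

def triage(log_text: str) -> List[AutorunEntry]:
    return [parse_entry(ln) for ln in log_text.splitlines() if ln.strip()]

def suspicious(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    return [e for e in entries if e.findings]

if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(e.name, "->", ", ".join(e.findings))
```

A finding is a prompt to verify the entry (publisher, location, whether the file should exist), not proof of infection; the signed Google Update entry is flagged only because of where it runs from.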
rherder (Junior Member with 20 posts; Join Date: Nov 2009; Experience: competent user, not a tech)
21-Nov-2009, 11:37 PM #10
Is it possible a virus could block the posting of a script?... Or am I "misremembering" like Roger Clemens?
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
22-Nov-2009, 02:20 AM #11
Please try attaching it instead. The size limits have cut off the end of it, and that's probably the reason you weren't able to post it earlier.

To attach results click on either the blue "Reply" button or the "Go Advanced" button and then on the "Manage Attachments" button to browse for the results on your computer and attach them.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
rherder (Junior Member with 20 posts; Join Date: Nov 2009; Experience: competent user, not a tech)
22-Nov-2009, 06:53 PM #12
The file from the first scan is attached.
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
22-Nov-2009, 07:04 PM #13
Good job, I can see the cause now. Please do the following:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
rherder (Junior Member with 20 posts; Join Date: Nov 2009; Experience: competent user, not a tech)
22-Nov-2009, 11:38 PM #14
Here is the log file.
log file - What do you think?
RH
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
23-Nov-2009, 01:15 AM #15
That actually seems to have done it.

Let's do the following now:

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box

Code:
[Unregister Dlls]
[Empty Temp Folders]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.

STEP 2

Run Malwarebytes AntiMalware

  • Update it by clicking on the update tab and then on the button.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

STEP 3

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.