SickAndTired
Everything posted by SickAndTired

  1. I reran AdwCleaner. When the scan finished and I clicked Delete I got a Data Execution Prevention window, then after closing that I got another window that said Windows Explorer encountered a problem and needs to close. After I closed that window AdwCleaner looked like it continued anyway and then said to reboot. I let it reboot and here are the txt results.

     # AdwCleaner v2.007 - Logfile created 11/13/2012 at 11:06:02
     # Updated 06/11/2012 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : ~XXXX~ - XXXXX
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\~XXXX~\Desktop\adwcleaner.exe
     # Option [Delete]

     ***** [Services] *****

     ***** [Files / Folders] *****

     Folder Deleted : C:\Documents and Settings\~XXXX~\Local Settings\Application Data\Conduit
     Folder Deleted : C:\Program Files\Conduit

     ***** [Registry] *****

     Key Deleted : HKCU\Software\Conduit
     Key Deleted : HKCU\Software\IM
     Key Deleted : HKCU\Software\ImInstaller
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
     Key Deleted : HKLM\Software\Conduit
     Key Deleted : HKLM\Software\ImInstaller
     Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Deleted : HKLM\Software\Viewpoint

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     -\\ Mozilla Firefox v16.0.2 (en-US)

     Profile name : default
     File : C:\Documents and Settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\prefs.js

     Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");

     *************************

     AdwCleaner[R1].txt - [2641 octets] - [12/11/2012 23:08:13]
     AdwCleaner[R2].txt - [2760 octets] - [13/11/2012 11:05:25]
     AdwCleaner[S1].txt - [367 octets] - [13/11/2012 10:53:43]
     AdwCleaner[S2].txt - [2429 octets] - [13/11/2012 11:06:02]

     ########## EOF - C:\AdwCleaner[S2].txt - [2489 octets] ##########
  2. Forgot ... it says "waiting for an action". What should I do with it now? Thanks
  3. # AdwCleaner v2.007 - Logfile created 11/12/2012 at 23:08:13
     # Updated 06/11/2012 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : ~XXXX~ - XXXXX
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\~XXXX~\Desktop\adwcleaner.exe
     # Option [Search]

     ***** [Services] *****

     ***** [Files / Folders] *****

     Folder Found : C:\Documents and Settings\~XXXX~\Local Settings\Application Data\Conduit
     Folder Found : C:\Program Files\Conduit

     ***** [Registry] *****

     Key Found : HKCU\Software\Conduit
     Key Found : HKCU\Software\IM
     Key Found : HKCU\Software\ImInstaller
     Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
     Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
     Key Found : HKLM\Software\Conduit
     Key Found : HKLM\Software\ImInstaller
     Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Found : HKLM\Software\Viewpoint
     Key Found : HKU\S-1-5-21-1500982738-3618749481-1802049845-1007\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
     Key Found : HKU\S-1-5-21-1500982738-3618749481-1802049845-1007\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     -\\ Mozilla Firefox v16.0.2 (en-US)

     Profile name : default
     File : C:\Documents and Settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\prefs.js

     Found : user_pref("browser.search.defaultenginename", "MyStart Search");

     *************************

     AdwCleaner[R1].txt - [2512 octets] - [12/11/2012 23:08:13]

     ########## EOF - C:\AdwCleaner[R1].txt - [2572 octets] ##########
  4. Here's ComboFix.txt (NOTE: I replaced my user name with XXXX)

     ComboFix 12-11-12.03 - ~XXXX~ 11/12/2012 22:16:37.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2496 [GMT -5:00]
     Running from: c:\documents and settings\~XXXX~\Desktop\ComboFix.exe
     AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\~XXXX~\My Documents\Downloads\PowerPointViewer.exe
     c:\documents and settings\~XXXX~\WINDOWS
     c:\documents and settings\Administrator\WINDOWS
     c:\documents and settings\Default User\WINDOWS
     c:\windows\system32\config\systemprofile\WINDOWS
     c:\windows\system32\SET4C6.tmp
     c:\windows\system32\URTTemp
     c:\windows\system32\URTTemp\fusion.dll
     c:\windows\system32\URTTemp\mscoree.dll
     c:\windows\system32\URTTemp\mscoree.dll.local
     c:\windows\system32\URTTemp\mscorsn.dll
     c:\windows\system32\URTTemp\mscorwks.dll
     c:\windows\system32\URTTemp\msvcr71.dll
     c:\windows\system32\URTTemp\regtlib.exe
     c:\windows\Update.bat
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-10-13 to 2012-11-13 )))))))))))))))))))))))))))))))
     .
     .
     2012-11-13 03:09 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FFDA52C-890E-4765-B900-858D0606FCB4}\mpengine.dll
     2012-11-13 01:41 . 2012-11-13 01:41 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
     2012-11-12 22:44 . 2012-11-12 22:44 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
     2012-11-11 14:52 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
     2012-11-06 17:59 . 2012-11-06 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2012-11-01 22:47 . 2012-11-01 22:47 -------- d-----w- c:\documents and settings\~XXXX~\Local Settings\Application Data\Sun
     2012-11-01 22:47 . 2012-11-01 22:47 -------- d-----w- c:\program files\Common Files\Java
     2012-11-01 22:46 . 2012-11-01 22:46 143872 ----a-w- c:\windows\system32\javacpl.cpl
     2012-11-01 22:46 . 2012-11-01 22:46 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
     2012-10-27 02:46 . 2012-10-27 02:46 -------- d-----w- c:\documents and settings\~XXXX~\Application Data\Malwarebytes
     2012-10-27 02:45 . 2012-10-27 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2012-10-27 02:45 . 2012-10-27 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2012-10-27 02:45 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-10-26 18:08 . 2011-01-25 15:28 26216 ----a-r- c:\windows\system32\nvhdap32.dll
     2012-10-26 18:08 . 2011-01-25 15:28 118248 ----a-r- c:\windows\system32\drivers\nvhda32.sys
     2012-10-26 18:08 . 2011-01-25 15:28 837224 ----a-r- c:\windows\system32\nvhdagenco322040.dll
     2012-10-26 18:07 . 2012-11-08 17:16 292700 ----a-w- c:\windows\system32\nvdrsdb1.bin
     2012-10-26 18:07 . 2012-11-08 17:16 1 ----a-w- c:\windows\system32\nvdrssel.bin
     2012-10-26 18:07 . 2012-11-08 17:15 292700 ----a-w- c:\windows\system32\nvdrsdb0.bin
     2012-10-26 18:07 . 2011-03-01 04:35 941160 ----a-r- c:\windows\system32\nvdispco322090.dll
     2012-10-26 18:07 . 2011-03-01 04:35 837736 ----a-r- c:\windows\system32\nvgenco322040.dll
     2012-10-26 18:06 . 2011-03-01 04:35 2294442 ----a-w- c:\windows\system32\nvdata.bin
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-11-01 22:46 . 2012-07-06 13:57 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
     2012-11-01 22:46 . 2010-08-25 14:48 746984 ----a-w- c:\windows\system32\deployJava1.dll
     2012-10-26 19:03 . 2012-08-09 00:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-10-26 19:03 . 2012-08-09 00:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-09-05 14:49 . 2010-10-04 23:56 230840 ----a-r- c:\windows\system32\cpnprt2.cid
     2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
     2012-08-28 15:14 . 2006-06-17 09:23 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-08-28 15:14 . 2006-06-17 09:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2012-08-28 15:14 . 2006-06-17 09:23 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-08-28 12:07 . 2006-06-17 09:23 385024 ----a-w- c:\windows\system32\html.iec
     2012-08-24 13:53 . 2006-06-17 09:23 177664 ----a-w- c:\windows\system32\wintrust.dll
     2012-08-21 13:33 . 2006-06-17 09:23 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
     2012-08-21 12:58 . 2004-08-04 05:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2012-07-02 18:43 . 2012-07-02 18:43 10974280 ----a-w- c:\program files\Common Files\lpuninstall.exe
     2012-11-01 16:36 . 2012-11-01 16:35 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Power2GoExpress"="NA" [X]
     "CalendarPal"="c:\program files\CalendarPal\CalendarPal.exe" [2008-05-21 1122304]
     "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
     "KGShareApp"="c:\program files\Kodak\KODAK Share Button App\KGShare_App.exe" [2012-06-26 394752]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
     "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
     "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]
     "ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
     "CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
     "CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
     "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
     "DT GWY"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-25 81920]
     "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
     "Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
     "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 8744960]
     "Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
     "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
     "CHotkey"="mHotkey.exe" [2004-09-21 550400]
     "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
     "KodakShareButtonApp"="c:\program files\Kodak\KODAK Share Button App\Listener.exe" [2012-06-26 108032]
     "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
     "Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
     "Z1"="c:\documents and settings\~Debb~\Desktop\mbar-1.01.0.1009\mbar\mbar.exe" [2012-11-08 1341800]
     .
     c:\documents and settings\Administrator\Start Menu\Programs\Startup\
     Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2012-7-2 10974280]
     Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2012-7-2 10974280]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
     HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
     Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-9-25 813584]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
     2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
     @=""
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
     "c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
     "c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe"=
     "c:\\Program Files\\IncrediMail\\Bin\\ImLc.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\IncrediMail\\Bin\\ImPackr.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5353:UDP"= 5353:UDP:Bonjour Port 5353
     .
     R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/26/2012 9:45 PM 399432]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/26/2012 9:45 PM 676936]
     R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [8/23/2010 10:00 PM 90112]
     R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [11/12/2012 8:41 PM 35144]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/26/2012 9:45 PM 22856]
     S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - MBAMCHAMELEON
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-11-13 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 19:03]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
     IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
     IE: LastPass - file://c:\documents and settings\~XXXX~\Local Settings\Application Data\LastPass\context.html?cmd=lastpass
     IE: LastPass Fill Forms - file://c:\documents and settings\~XXXX~\Local Settings\Application Data\LastPass\context.html?cmd=fillforms
     IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
     IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     TCP: DhcpNameServer = 97.64.209.36 97.64.168.13
     FF - ProfilePath - c:\documents and settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\
     FF - prefs.js: browser.startup.homepage - hxxp://thundercloud.net/infoave/premium/2012/newsletter/omega/
     .
     - - - - ORPHANS REMOVED - - - -
     .
     HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
     HKLM-Run-hpqSRMon - (no file)
     AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
     .
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2012-11-12 22:23
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(708)
     c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
     c:\program files\common files\logitech\bluetooth\LBTServ.dll
     .
     Completion time: 2012-11-12 22:24:57
     ComboFix-quarantined-files.txt 2012-11-13 03:24
     .
     Pre-Run: 943,022,694,400 bytes free
     Post-Run: 943,218,434,048 bytes free
     .
     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
     .
     - - End Of File - - 0006F32D45DBE1F27F5E1F47BC5C670F
  5. Scan said no malware found!! Mbar-log file below, system log file attached.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Malwarebytes Anti-Rootkit 1.1.0.1009
     www.malwarebytes.org

     Database version: v2012.11.13.01

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     ~XXXX~ :: XXXXX [administrator]

     11/12/2012 9:04:33 PM
     mbar-log-2012-11-12 (21-04-33).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
     Scan options disabled: PUP | PUM | P2P
     Objects scanned: 27904
     Time elapsed: 21 minute(s), 19 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     system-log.txt
  6. Forgot this result, sorry.

     MBRScan v1.1.1
     OS : Windows XP Home Service Pack 3 (32 bit)
     PROCESSOR : x86 Family 15 Model 6 Stepping 2, GenuineIntel
     BOOT : Normal Boot
     DATE : 2012/11/12 (ISO 8601) at 20:32:49
     ________________________________________________________________________________

     DISK : Device\Harddisk0\DR0 __Intel Raid 0 Volume (1.0.)
     BUS_TYPE : (0x03) P-ATA
     USE_PIO : YES
     MAX_TRANSFER : 128 Kb
     ALIGNMENT_MASK : word aligned
     ________________________________________________________________________________

     Device\Harddisk0\DR0 931.5 Go [Fixed] ==> Unknown MBR Code .
     MBR_MD5 : E86DDF9A13765DCA0A805127DCD61212
     MBR_SHA1 : 2779019DB8DA65AD0ABAB00D5838BAA35ED4857C
     Device\Harddisk0\Partition1 927.2 Go 0x07 NTFS / HPFS __ BOOTABLE __
     Device\Harddisk0\Partition2 4.30 Go 0x0B FAT32 [CHS]
     ________________________________________________________________________________

     ############################### Additional scan ################################

     DRIVER : C:\WINDOWS\System32\Drivers\dump_iaStor.sys => Invisible on the disk
     ADDRESS : 0x9DE9D000
     SIZE : 852.0 Ko
     SystemStartOptions : NOEXECUTE=OPTIN FASTDETECT
     ________________________________________________________________________________

     _______MBR \Device\Harddisk0\DR0
     0x00000000 33 FF BE 00 02 8E D7 BC 00 7A BB A0 07 8B CE 8E 3.¾...×¼.z»...Î.
     0x00000010 DB 8E C3 F3 A4 EA 5F 00 A0 07 10 00 01 00 00 7A Û.Ãó¤ê_........z
     0x00000020 00 00 00 00 00 00 00 00 00 00 8B F5 B1 04 38 64 ...........õ±.8d
     0x00000030 04 74 0D 38 44 04 74 08 83 C6 10 E2 F1 E9 C6 00 .t.8D.t..Æ.âñéÆ.
     0x00000040 BB 0E 00 FF 30 FF 31 8F 00 8F 01 80 EB 02 73 F3 »...0.1.....ë.só
     0x00000050 C3 AC 0A C0 74 FA B4 0E BB 07 00 CD 10 EB F2 BD ì.Àtú´.»..Í.ëò½
     0x00000060 BE 01 BF CE 01 B8 0B 12 E8 BF FF C6 05 80 C6 45 ¾.¿Î.¸..è¿.Æ..ÆE
     0x00000070 04 0B 8B FD B8 0C 07 E8 B0 FF C6 05 00 C6 45 14 ...ý¸..è°.Æ..ÆE.
     0x00000080 12 C6 45 10 00 F6 06 5C 01 04 75 53 F6 06 5C 01 .ÆE..ö.\..uSö.\.
     0x00000090 02 75 58 B4 11 CD 16 75 33 8A 16 5B 01 0A D2 74 .uX´.Í.u3..[..Òt
     0x000000A0 4A 8B 36 63 01 E8 A9 FF B1 01 B8 30 09 02 C2 CD J.6c.è©.±.¸0..ÂÍ
     0x000000B0 10 FE CA 78 30 36 8A 0E 6C 04 80 C1 12 B4 11 CD .þÊx06..l..Á.´.Í
     0x000000C0 16 75 09 36 3A 0E 6C 04 75 F3 EB DC BE 57 01 E8 .u.6:.l.uóëܾW.è
     0x000000D0 7F FF B4 10 CD 16 3C 72 74 05 80 FC 85 75 0C C6 ..´.Í.<rt..ü.u.Æ
     0x000000E0 45 10 80 EB 10 BE 57 01 E8 66 FF C6 05 80 F6 06 E..ë.¾W.èf.Æ..ö.
     0x000000F0 5C 01 10 74 04 C6 45 14 0B F6 06 5C 01 40 74 06 \..t.ÆE..ö.\.@t.
     0x00000100 BE CE 01 E8 3A FF B1 04 8B FD 80 3D 80 74 12 83 ¾Î.è:.±..ý.=.t..
     0x00000110 C7 10 E2 F6 8B 36 5F 01 E8 36 FF B4 00 CD 16 CD Ç.âö.6_.è6.´.Í.Í
     0x00000120 18 80 26 5C 01 F9 B8 00 43 B2 80 BE 1A 00 CD 13 ..&\.ù¸.C².¾..Í.
     0x00000130 72 E2 66 8B 5D 08 66 89 1E 22 00 C6 06 1F 00 7C râf.].f..".Æ...|
     0x00000140 B4 42 CD 13 72 CE 81 3E FE 03 55 AA 8B 36 5D 01 ´BÍ.rÎ.>þ.Uª.6].
     0x00000150 75 C6 EA 00 7C 00 00 20 0D 0A 00 02 10 65 01 72 uÆê.|.. .....e.r
     0x00000160 01 7E 01 80 01 4D 69 73 73 69 6E 67 20 4F 53 0D .~...Missing OS.
     0x00000170 0A 00 4D 42 52 20 45 72 72 6F 72 0D 0A 00 20 00 ..MBR Error... .
     0x00000180 0D 0A 50 72 65 73 73 20 46 31 31 20 74 6F 20 73 ..Press F11 to s
     0x00000190 74 61 72 74 20 72 65 63 6F 76 65 72 79 20 00 00 tart recovery ..
     0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
     0x000001B0 00 00 00 00 00 00 5B 01 AA ED AA ED 00 00 80 00 ......[.ªíªí....
     0x000001C0 81 31 07 FE FF FF F1 84 89 00 0F 96 E6 73 00 01 .1.þ..ñ.....æs..
     0x000001D0 01 00 0B FE BF 30 3F 00 00 00 B2 84 89 00 00 00 ...þ¿0?...².....
     0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
     0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª
  7. I only ran the scan in safe mode. As far as System Restore - I am not making them, so I have no idea what is. I think Software Distribution Center has to do with Microsoft Updates, doesn't it? Why in the world would it make so many restore points? FF "attempts" to redirect. Exact same thing as on the laptop. I get to the page I searched for but FF tells me it blocked a redirect. I cannot tell when an attempt has been made in other browsers because they don't warn you. I end up on the page I want however. Maybe I am getting redirects that are NOT malicious? I cannot do a System Restore on this computer. It has not worked since removing Norton 360. Can I run this next scan without worry since I cannot restore?
  8. DDS and Attach Files attached.

     RogueKiller Scan Results:

     RogueKiller V8.2.3 [11/07/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Safe mode with network support
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 11/12/2012 17:45:46

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 2 ¤¤¤
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: Volume0 +++++
     --- User ---
     [MBR] e86ddf9a13765dca0a805127dcd61212
     [BSP] db63615aa66f3fdfa2e467ad7beb91fe : MBR Code unknown
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 9012465 | Size: 949458 Mo
     1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4400 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     +++++ PhysicalDrive1: HP Photosmart C8100 USB Device +++++
     Error reading User MBR!
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[1]_S_11122012_02d1745.txt >>
     RKreport[1]_S_11122012_02d1745.txt

     dds.txt
     attach.txt
  9. Thanks for helping on laptop ... since I cannot continue on that right now I would like to work with you on the desktop, if that is okay. My issues are the same: Getting redirects (attempted redirects - FF is blocking them). I have scanned computer with MSE and Malwarebytes Pro (which trial ran out day before yesterday) - no infections. Thanks.
  10. Wanted to let you know I won't get on that other scan immediately. We would like to back up a few things before doing so, especially since it's beta. I'll get back with you on that. Please do give me your thoughts on my previous post though. Thanks.
  11. I will check into that number. No stores like that within 40 miles of me though; family not too close either. Thanks!
  12. I did as asked. Removed FF & Chrome. Reset IE default settings. Removed all FF personal folders, emptied Temp files and ran disk cleanup. Rebooted. Ran IE and did the search and used the link I listed before (since I know it was attempting to redirect each time in FF). I can hover over the link and it shows the exact address of the web page. When I click the link it shows (lower left corner of IE) "google" something in the address and then looks like it changes a couple times. It appears to say "ad" in the address. This all happens so fast it is impossible to read just what address(es) it is displaying. When the page fully loads it is on the page it should be on. At the bottom left corner it shows a yellow exclamation mark inside a triangle which when opened reads as follows (mind you - FF has been removed so I don't know why that says Mozilla in the beginning??):

      Webpage error details

      User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SIMBAR={3ECF2000-BE61-11DC-8A5B-001E3708EC27}; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
      Timestamp: Sat, 10 Nov 2012 18:18:54 UTC

      Message: Object doesn't support this property or method
      Line: 155
      Char: 680
      Code: 0
      URI: http :// static.ak.fbcdn.net/connect.php/js/FB.Share (I broke the link)

      I will try your last suggestion momentarily.
  13. I can do this. One question: How will I know if it is attempting to redirect? I haven't seen a setting in IE to tell you when this happens.
  14. I am currently working with MrC on an issue and am not sure our computers are secure yet. My trial of MWB Pro has ended and I would like to order it but not online. Do you have a phone number I can call and place an order? I could not find one anywhere. Thank you.
  15. Thanks. I tested laptop in Safe mode w/ networking and still got a redirect attempt.
  16. I cannot get on the computer right now, hopefully later this afternoon. I was wondering ... does MWB have a phone number? I can't seem to find one anywhere. My trial ran out last night and I'd rather order over the phone (if possible) until I know my computers are safe. Thanks.
  17. A little history/info first. 1. I had my router set up when I got my cable hooked up (when we bought this house 3 years ago). The router is mine, but they set everything up for me. I have no clue what I am doing when it comes to setting this stuff back up on either computer. We have the main desktop computer and the laptop is connected in wirelessly. 2. I don't know why, but about a year ago I had to replace my MB. We did so. At that time I had N*rton 360. It was the biggest resource hog I have ever encountered. After nearly paying for a new program every year when it came to renewals I got frustrated with them and removed it and went with MSE. After removing N*rton my computer (desktop) will not revert to a previous time when trying to use System Restore (only tried on 2 occasions a while back). So, I don't know if I can rely on SR to revert if needed. I really don't want to have to reload the OS if I can help it. I do a lot of graphic/photography work and have a lot of backing up to do in that case. Any thoughts?
  18. I saw all the snow on the News, wow! I don't recall on ESET, the name sounds familiar but not positive. Yes to uninstalling FF and still getting redirects to IE. IE's version is 8.0 Ran MiniToolBox. No change. File attached. Ran AVPTool. Scan came back clean. Cannot attach a scan result because it wouldn't let me save anything. The button was greyed out so I assumed it was because it found no threats? I took a screenshot of that screen. Result.txt
  19. Good luck with the storm ... as if you guys need more rain! I ran the GooredFix but I am still getting redirect attempts. Here's its log: (I just noticed it did not scan all users?)

      GooredFix by jpshortstuff (03.07.10.1)
      Log created at 17:42 on 07/11/2012 (Xxxx)
      Firefox version 16.0.2 (en-US)

      ========== GooredScan ==========

      ========== GooredLog ==========

      C:\Program Files (x86)\Mozilla Firefox\extensions\
      {972ce4c6-7e08-4474-a285-3208198ce6fd} [00:48 01/11/2012]

      [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
      "{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:33 07/08/2009]

      -=E.O.F=-
  20. Just letting you know it will be this evening sometime before I can followup. Also, just to clarify ... the pshero.com link is not the only one I get the redirects on. I will do the above and report back this evening. TY.
  21. Okay, I think I am totally lost now. I tried with all 3 browsers. I did the following search: "free psp grunge masks". It provided me many links. The list below is the one I got and used from the search for each browser. In FF (actually tried FF first - the list is not in order), it warned it blocked a redirect attempt. I clicked the Allow button so it could redirect. Nothing changed. The page didn't seem to do anything. The addresses stayed the same. So I right clicked on the search link and chose Copy Link Location to compare with web pages (did this for all three browsers as shown below). I also took screenshots of the pages. I am adding them as well. I tried to add them in the post where they need to be but that didn't seem to work so they all ended up below. But they seem to be in order with the browsers as shown.

IE 8
Actual Search Link Location: http :// www. google.com/url?sa=t&rct=j&q=free%20psp%20grunge%20masks&source=web&cd=3&cad=rja&ved=0CC4QFjAC&url=http%3A%2F%2Fpshero.com%2Fphotoshop-tutorials%2Fphoto-effects%2Fgrunge-photo-edges&ei=bmuZUM2QEZH68QTthIHYBA&usg=AFQjCNF-SSFPRsiqRodw4PfYZd2NyhvzAA
Address of page after clicking link: http :// pshero.com/photoshop-tutorials/photo-effects/grunge-photo-edges

FF 16.0.2
Actual Search Link Location: http :// www. google.com/url?sa=t&rct=j&q=free%20psp%20grunge%20masks&source=web&cd=3&cad=rja&ved=0CC4QFjAC&url=http%3A%2F%2Fpshero.com%2Fphotoshop-tutorials%2Fphoto-effects%2Fgrunge-photo-edges&ei=bmuZUM2QEZH68QTthIHYBA&usg=AFQjCNF-SSFPRsiqRodw4PfYZd2NyhvzAA
Address of page after clicking link: http :// pshero.com/photoshop-tutorials/photo-effects/grunge-photo-edges

Chrome:
Actual Search Link Location: http :// www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&sqi=2&ved=0CD0QFjAC&url=http%3A%2F%2Fpshero.com%2Fphotoshop-tutorials%2Fphoto-effects%2Fgrunge-photo-edges&ei=dW6ZUOCxDoqi8ATzvIGwBA&usg=AFQjCNF-SSFPRsiqRodw4PfYZd2NyhvzAA
Address of page after clicking link: http :// pshero.com/photoshop-tutorials/photo-effects/grunge-photo-edges

Question: If the address links are not bad, or showing I'm getting redirects (and don't seem to be taking me to any other pages [unless I don't realize it]) is it possible nothing bad is happening? I heard some redirects are not of a malicious nature. I am very confused by this. I use online banking and because I last used the laptop to go to the bank site and then went to the desktop since this happened I noticed a redirect attempt during that process as well (on desktop). However, I know they make me (I've had to do it before) go through a verification process if I switch computers, so they did do that. After I got to that page for verification and clicked to go in nothing on the page loaded (blank white page), and FF said it blocked a redirect attempt, the page went blank and nothing happened, but I wasn't sure if that redirect was due to the verification page which then attempted to take me to the regular page and since FF blocks them the page went blank ... It worried me at any rate and I closed the page immediately. But at the same time I saw nothing other than that which would have warranted any suspicion. Also, Malwarebytes is running in real time under pro trial and it did not block anything, neither did MSE.

Another question: Are you willing to try to install FF and search that link and see if it blocks a redirect attempt for you? You would need to go into settings to have it warn you when it does so you will know. Otherwise there seems to be no other way to determine if and when a redirect is attempted. I read FF has this set as default, however, mine did NOT. I had to go in and check that for it to show me. There are no settings I found within FF to remove this blocking of redirect attempts. If there is I do not understand what setting it would be. I am very frustrated at this point as I don't know what to do and we don't seem to be making progress, lol. Thanks, Charlie.
  22. I haven't had time to try this yet but I do have a question before I do, well two actually. First, hubby wants to know if this will cause any harm by allowing it to redirect? Second, I need to know how to reset it once I allow it. Only spot I see for allowing it is when I get a message that says FF has blocked an attempted redirect. It has an "Allow" button on the right of that message but I don't know how I would reset it. I looked through the settings/options and don't see anything other than "Warn me when websites try to redirect or reload the page". Is that the actual setting for that to be blocking it or is that just to warn me? I'm using the latest FF version. Thanks.
  23. Won't be back in tonight. I will check in tomorrow afternoon/evening sometime. I've got a busy day tomorrow.
  24. Hello. 1. Yes, had issues with IncrediMail (not opening), don't recall if it was adwCleaner tho, sorry. It has been working fine after restoring the registry when it happened. 2. Yes, all 3 browsers are installed. 3. Cleared Java cache 4. Ran TFC 5. Tried FF in safe mode. Redirect attempts continued. 6. Took FF out of safe mode 7. Downloaded latest version of ComboFix and results attached. ComboFixLog.txt