
Browser Hijack Help: Malwarebytes Anti-Malware Shows Clear



Hello all,

I am running Windows 7 x64 on my computer. The other day it got infected with something called White Smoke toolbar and White Smoke Translator. The toolbar is still an option, just not checked on IE 8. But now IE and Firefox are both hijacked and redirected to various random sites. For instance, if I do a search in Google or Bing on "Browser Hijack" and try to go to, say, Microsoft's site on Browser Hijacks, I can't get there. I am redirected. Sometimes a new random browser window pops up. I am running Avast Free and at odd times I get a Trojan warning, but not necessarily when my browser is hijacked. I ran Malwarebytes Anti-Malware and it took care of a lot of problems. Here is the log file:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5182

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/24/2010 11:50:09 AM

mbam-log-2010-11-24 (11-50-09).txt

Scan type: Full scan (C:\|F:\|)

Objects scanned: 463073

Time elapsed: 1 hour(s), 38 minute(s), 17 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 40

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

C:\Windows\nvsvc32.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+la/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/534.0 (khtml, like gecko) chrome/6.0.408.1 safari/534.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+la/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9) gecko/2008052906 firefox/3.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+la/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/534.0 (khtml, like gecko) chrome/6.0.408.1 safari/534.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+la/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9) gecko/2008052906 firefox/3.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqug (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquglla/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/534.0 (khtml, like gecko) chrome/6.0.408.1 safari/534.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquglla/5.0 (windows; u; windows nt 6.1; en-us) applewebkit/532.5 (khtml, like gecko) chrome/4.0.249.89 safari/532.5 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqsz (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0napjsiv (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqug (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquglla/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/534.0 (khtml, like gecko) chrome/6.0.408.1 safari/534.0 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquglla/5.0 (windows; u; windows nt 6.1; en-us) applewebkit/532.5 (khtml, like gecko) chrome/4.0.249.89 safari/532.5 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqsz (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upc+kt0napjsiv (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\hotbar@hotbar.com (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmpb (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmp0z (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnb (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0z (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnbla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.2.3) gecko/20100401 firefox/3.6.3 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnbla/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/533.9 (khtml, like gecko) chrome/6.0.401.1 safari/533.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9) gecko/2008052906 firefox/3.0 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/533.9 (khtml, like gecko) chrome/6.0.401.1 safari/533.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 6.1; en-us) applewebkit/532.5 (khtml, like gecko) chrome/4.0.249.89 safari/532.5 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.1) gecko/20090624 firefox/3.5 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.1.9) gecko/20100315 firefox/3.5.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnb (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0z (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnbla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.2.3) gecko/20100401 firefox/3.6.3 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmnbla/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/533.9 (khtml, like gecko) chrome/6.0.401.1 safari/533.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9) gecko/2008052906 firefox/3.0 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/533.9 (khtml, like gecko) chrome/6.0.401.1 safari/533.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 6.1; en-us) applewebkit/532.5 (khtml, like gecko) chrome/4.0.249.89 safari/532.5 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.1) gecko/20090624 firefox/3.5 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqmn0za/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.1.9) gecko/20100315 firefox/3.5.9 (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ProgramData\WSTB\localeX86.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Users\Tim\AppData\Local\Temp\nwaxsmceor.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\Temp\gcjc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\Temp\hkvsp.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Windows\Temp\jsdfaot.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Windows\Temp\quwklmx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\Temp\shbd.tmp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\nvsvc32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\mdm.exe (Trojan.Downloader) -> Delete on reboot.

C:\Windows\System32\ji90z.dll (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

C:\Windows\Temp\mdm.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

C:\Windows\Temp\system.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Roaming\skvkfd.bat (Malware.Trace) -> Quarantined and deleted successfully.

I was still having the redirect problem. When I ran Malwarebytes Anti-Malware again, I only got one infection notice. It was for a Hijack. But I could not seem to get the program to delete it. Here is the log:

Database version: 5182

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/25/2010 10:34:55 AM

mbam-log-2010-11-25 (10-34-55).txt

Scan type: Quick scan

Objects scanned: 171964

Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I tried to get rid of this Nofolderoptions problem by following what had been done on previous forums. Now when I run the Malwarebytes program it no longer shows any infection. Here is the log I get now:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5199

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/27/2010 9:02:04 AM

mbam-log-2010-11-27 (09-02-04).txt

Scan type: Quick scan

Objects scanned: 169914

Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

In addition, when I run Microsoft's Malicious Software, Microsoft Security Essentials, and Avast Antivirus, they see nothing. Both IE and Firefox are affected. Help.

Here is my DDS.txt

DDS (Ver_10-11-27.01) - NTFS_AMD64

Run by Tim at 10:08:57.55 on Sat 11/27/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4094.2341 [GMT -8:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\Dwm.exe

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files (x86)\Valve\Steam\Steam.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Verizon\VSP\VerizonServicepoint.exe

C:\Program Files (x86)\Freecorder\FLVSrvc.exe

C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Program Files (x86)\Gigabyte\ET6\GUI.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Kodak\MediaImpression\ArcMonitor.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files\Jasmio\Media Center Support Service\Jasmio.MediaCenter.Service.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\mcShoutCast\ECommerceService\mcShoutCastECommerceService.exe

C:\Program Files\mcShoutCast\LauraFMService\ShoutCastLauraFMService.exe

C:\Program Files\mcShoutCast\ShoutCastProxy\ShoutCastProxyService.exe

C:\Program Files\Microsoft LifeCam\MSCamS64.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Verizon\VSP\VerizonServicepointComHandler.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Users\Tim\Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - C:\Windows\SysWOW64\dvmurl.dll

uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFre1.dll

mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFre1.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFre1.dll

TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - C:\Program Files (x86)\whitesmoketoolbar\whitesmoketoolbarX.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

uRun: [steam] "c:\program files (x86)\valve\steam\steam.exe" -silent

uRun: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

mRun: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe

mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [VerizonServicepoint.exe] "C:\Program Files (x86)\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"

mRun: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run

mRun: [sSBkgdUpdate] C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

mRun: [iSUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [ArcSoft MediaImpression Monitor] C:\Program Files (x86)\Kodak\MediaImpression\ArcMonitor.exe

dRun: [uPc+kt0NaPJsiv] rundll32.exe C:\Windows\system32\ji90z.dll, SystemServer

dRun: [MqmPb] C:\Windows\TEMP\mdm.exe

dRun: [MqmP0Z] C:\Windows\TEMP\system.exe

dRun: [MqsZ] C:\Windows\mdm.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BILLMI~1.LNK - C:\Program Files (x86)\Quicken\billmind.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKE~1.LNK - C:\Program Files (x86)\Quicken\bagent.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKE~2.LNK - C:\Program Files (x86)\Quicken\QWDLLS.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - C:\Program Files (x86)\PicLensIE\cooliris.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax8020.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: PDF-XChange Viewer IE-Plugin: {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll

BHO-X64: PDF-XChange Viewer IE-Plugin - No File

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

mRun-x64: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe

mRun-x64: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.dll,CMICtrlWnd

mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

mRun-x64: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

IE-X64: {ED93D107-B43A-490e-AA5C-C5578BAAF479} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\asf10fum.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Verizon\VSP\nprpspa.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: C:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll

FF - plugin: C:\Users\Tim\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

FF - plugin: C:\Users\Tim\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\asf10fum.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: BrowserProtect: browserprotect@browserprotect.com - C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\asf10fum.default\extensions\browserprotect@browserprotect.com

FF - Extension: Move Media Player: moveplayer@movenetworks.com - C:\Users\Tim\AppData\Roaming\Move Networks

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-11-26 69152]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2009-9-10 121936]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 173984]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2009-9-10 20048]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2009-9-10 61008]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]

R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2009-9-10 68136]

R2 Jasmio.MediaCenter.Service;Media Center Support Service;C:\Program Files\Jasmio\Media Center Support Service\Jasmio.MediaCenter.Service.exe [2008-11-27 81920]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-9-22 1375992]

R2 mcShoutCastECommerceService;mcShoutCast ECommerce Service;C:\Program Files\mcShoutCast\ECommerceService\mcShoutCastECommerceService.exe [2009-8-17 7680]

R2 mcShoutCastLauraFM;mcShoutCastLauraFM;C:\Program Files\mcShoutCast\LauraFMService\ShoutCastLauraFMService.exe [2009-8-17 7168]

R2 mcShoutCastProxy;mcShoutCastProxy;C:\Program Files\mcShoutCast\ShoutCastProxy\ShoutCastProxyService.exe [2009-8-17 51712]

R2 ServicepointService;ServicepointService;C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe [2010-2-24 668912]

R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]

R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]

R3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2009-9-10 30528]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-1-29 36720]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-3-21 34872]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-4-13 136176]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-3-15 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-2 79360]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-8 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-9-22 17440]

S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]

S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2010-11-27 31800]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]

S3 vpcuxd;USB Virtualization Stub Service;C:\Windows\System32\drivers\vpcuxd.sys [2009-11-26 16384]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-28 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2010-11-27 17:11:36 -------- d-----w- C:\Users\Tim\AppData\Local\VS Revo Group

2010-11-27 17:11:12 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys

2010-11-27 17:11:10 -------- d-----w- C:\Program Files\VS Revo Group

2010-11-27 16:42:24 -------- d-----w- C:\_OTL

2010-11-27 15:59:23 -------- d--h--w- C:\Users\Tim\AppData\Local\Adobe

2010-11-27 06:28:25 411368 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2010-11-27 06:28:25 411368 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-27 04:21:45 15880 ----a-w- C:\Windows\System32\lsdelete.exe

2010-11-27 03:56:39 69152 ----a-w- C:\Windows\System32\drivers\Lbd.sys

2010-11-27 03:56:25 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys

2010-11-27 03:52:24 -------- d-----w- C:\Users\Tim\AppData\Local\Sunbelt Software

2010-11-27 03:51:46 -------- dc-h--w- C:\PROGRA~3\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-27 03:51:20 -------- d-----w- C:\Program Files (x86)\Lavasoft

2010-11-27 03:38:46 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL

2010-11-27 03:38:46 1071088 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX

2010-11-27 03:38:38 -------- d-----w- C:\Program Files (x86)\SpywareBlaster

2010-11-27 03:02:03 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{D0DF655E-91CB-4292-B8C3-CC52499A2897}\mpengine.dll

2010-11-25 18:38:22 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-11-24 20:09:38 -------- d-----w- C:\Program Files (x86)\Microsoft Antimalware

2010-11-24 20:09:14 -------- d-----w- C:\Program Files\Microsoft Security Essentials

2010-11-24 11:27:07 -------- d-----w- C:\PROGRA~3\WSTB

2010-11-24 03:24:40 -------- d-----w- C:\Program Files (x86)\whitesmoketoolbar

2010-11-23 19:35:35 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2010-11-23 19:35:35 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2010-11-23 11:55:07 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{7BF44A13-ABB5-4D81-AAC4-FECCC32F9FDE}\mpengine.dll

2010-11-20 00:10:47 719832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozcpp19.dll

2010-11-20 00:10:47 16856 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

2010-11-12 18:46:58 4280320 ----a-w- C:\Windows\SysWow64\GPhotos.scr

2010-11-09 00:12:32 -------- d-----w- C:\Windows\en

2010-11-09 00:10:51 48488 ----a-w- C:\Windows\System32\drivers\fssfltr.sys

2010-11-09 00:09:43 -------- d-----w- C:\Program Files (x86)\Bing Bar Installer

2010-11-09 00:09:40 69464 ----a-w- C:\Windows\SysWow64\XAPOFX1_3.dll

2010-11-09 00:09:40 523088 ----a-w- C:\Windows\System32\d3dx10_42.dll

2010-11-09 00:09:40 515416 ----a-w- C:\Windows\SysWow64\XAudio2_5.dll

2010-11-09 00:09:38 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll

2010-11-09 00:09:38 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll

2010-11-09 00:02:36 469256 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\69b20cce1cb7fa12d\InstallManager_WLE_WLE.exe

2010-11-09 00:02:21 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\615879191cb7fa122\MeshBetaRemover.exe

2010-11-09 00:02:07 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\595e1c701cb7fa11a\DSETUP.dll

2010-11-09 00:02:07 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\595e1c701cb7fa11a\DXSETUP.exe

2010-11-09 00:02:07 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\595e1c701cb7fa11a\dsetup32.dll

2010-11-09 00:02:06 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5767da171cb7fa119\DXSETUP.exe

2010-11-09 00:02:05 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5767da171cb7fa119\DSETUP.dll

2010-11-09 00:02:05 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5767da171cb7fa119\dsetup32.dll

2010-11-09 00:01:32 -------- d-----w- C:\Users\Tim\AppData\Local\Windows Live

2010-11-09 00:01:04 257024 ----a-w- C:\Windows\System32\mfreadwrite.dll

2010-11-09 00:01:04 206848 ----a-w- C:\Windows\System32\mfps.dll

2010-11-09 00:01:03 196608 ----a-w- C:\Windows\SysWow64\mfreadwrite.dll

2010-11-09 00:01:03 1888256 ----a-w- C:\Windows\System32\WMVDECOD.DLL

2010-11-09 00:01:03 1619456 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL

2010-11-09 00:01:01 4068864 ----a-w- C:\Windows\System32\mf.dll

2010-11-09 00:00:55 3181568 ----a-w- C:\Windows\SysWow64\mf.dll

==================== Find3M ====================

2010-11-27 18:03:54 30528 ----a-w- C:\Windows\GVTDrv64.sys

2010-11-27 18:02:38 23080 ----a-w- C:\Windows\gdrv.sys

2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe

2010-10-14 09:36:52 15451288 ----a-w- C:\Windows\SysWow64\xlive.dll

2010-10-14 09:36:50 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll

2010-09-23 08:47:28 49016 ----a-w- C:\Windows\SysWow64\sirenacm.dll

2010-09-23 08:32:56 301936 ----a-w- C:\Windows\WLXPGSS.SCR

2010-09-21 22:49:02 252800 ----a-w- C:\Windows\System32\LIVESSP.DLL

2010-09-21 22:03:14 208768 ----a-w- C:\Windows\SysWow64\LIVESSP.DLL

2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2010-09-08 18:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2010-09-08 18:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll

2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec

2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec

2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-09-07 15:12:17 38848 ----a-w- C:\Windows\avastSS.scr

2010-09-07 14:47:33 61008 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL

2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL

2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys

2010-08-31 08:28:46 1251944 ----a-w- C:\Windows\RtlExUpd.dll

2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll

2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll

2010-01-23 20:39:09 1228304 ----a-w- C:\Program Files (x86)\PremiereElements_8_LS8.exe

============= FINISH: 10:21:40.07 ===============

My ark.txt and attach.txt are attached to this post.

Any information or guidance would be greatly appreciated.

Thank you.

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • MBRcheck log

Thanks and again sorry for the delay.

Hello Elise,

Thank you for helping me. As I mentioned in the previous post, it all seemed to start when we noticed a WhiteSmoke Toolbar and WhiteSmoke Translator popup; since then there have been browser hijacks in both FF and IE.

Here is my OTL.txt. Now here is what is odd: it did not generate an Extra.txt. I ran OTL twice just to make sure. Any reason for that? It did generate an Extra file when I ran the program yesterday morning, but I probably changed my system since then. I can send you that txt if you think it would help.

After the OTL.txt file I have posted my MBRCheck.txt for you. What would you like me to do next???

OTL logfile created on: 11/28/2010 7:48:14 AM - Run 2

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Tim\Desktop

64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 3.00% Memory free

8.00 Gb Paging File | 3.00 Gb Available in Paging File | 44.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 596.17 Gb Total Space | 229.01 Gb Free Space | 38.41% Space Free | Partition Type: NTFS

Drive E: | 3.72 Gb Total Space | 2.71 Gb Free Space | 72.89% Space Free | Partition Type: FAT32

Drive F: | 698.63 Gb Total Space | 99.54 Gb Free Space | 14.25% Space Free | Partition Type: NTFS

Computer Name: TIMPC | User Name: Tim | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/28 07:39:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTL.exe

PRC - [2010/11/26 19:56:10 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/11/26 19:56:09 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/11/18 15:29:05 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Valve\Steam\Steam.exe

PRC - [2010/09/07 07:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/07/25 20:12:19 | 000,075,064 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe

PRC - [2010/07/20 09:09:40 | 000,080,384 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files (x86)\Kodak\MediaImpression\ArcMonitor.exe

PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

PRC - [2010/03/06 03:04:24 | 000,310,224 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

PRC - [2009/11/18 10:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) -- C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe

PRC - [2009/11/18 10:50:32 | 000,468,208 | ---- | M] (Radialpoint Inc.) -- C:\Program Files (x86)\Verizon\VSP\VerizonServicepointComHandler.exe

PRC - [2009/11/18 10:50:30 | 004,269,296 | ---- | M] (Verizon) -- C:\Program Files (x86)\Verizon\VSP\VerizonServicepoint.exe

PRC - [2009/11/15 11:59:11 | 000,158,752 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files (x86)\Freecorder\FLVSrvc.exe

PRC - [2009/07/13 17:14:47 | 000,254,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

PRC - [2009/02/05 12:43:26 | 000,068,136 | ---- | M] () -- C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe

PRC - [2008/11/18 12:15:30 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

PRC - [2008/06/24 15:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe

PRC - [2008/03/25 16:21:56 | 000,219,656 | ---- | M] () -- C:\Program Files (x86)\Gigabyte\ET6\GUI.exe

PRC - [2005/02/16 15:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe

========== Modules (SafeList) ==========

MOD - [2010/11/28 07:39:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTL.exe

MOD - [2010/11/27 09:22:13 | 000,012,800 | -H-- | M] (Applian Technologies, Inc.) -- C:\Users\Tim\AppData\Local\FLVService\lib\FLVSrvLib.dll

MOD - [2010/08/20 21:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

MOD - [2009/07/13 17:15:31 | 000,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll

MOD - [2009/07/13 17:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrA.exe -- (PnkBstrA)

SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV:64bit: - [2010/03/01 19:35:38 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)

SRV:64bit: - [2009/08/17 20:25:42 | 000,051,712 | ---- | M] (S

Hi, extra.txt only gets created on the first quick scan run. Please rerun OTL, click the NONE button, then change the value under extra registry to Use Safelist. Click Run scan and post me extra.txt.

Did you try to uninstall the whitesmoke toolbar from add/remove programs? If it is not there, we'll do it with a script.

Elise,

Reran OTL, here is the extra.txt. And I also included the OTL that was also generated, just in case. I did uninstall the whitesmoke toolbar from add and remove programs, but it still shows as an option when I right click the menu bar in IE. I just don't have it checked. Do I just ignore that??? Or is there a way to remove it completely from my toolbar options? It kinda scares me that it is still there. :) Thanks.

Here is the Extra.txt

OTL Extras logfile created on: 11/28/2010 8:46:36 AM - Run 4

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Tim\Desktop

64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 14.00% Memory free

8.00 Gb Paging File | 3.00 Gb Available in Paging File | 43.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 596.17 Gb Total Space | 229.01 Gb Free Space | 38.41% Space Free | Partition Type: NTFS

Drive E: | 3.72 Gb Total Space | 2.71 Gb Free Space | 72.89% Space Free | Partition Type: FAT32

Drive F: | 698.63 Gb Total Space | 99.54 Gb Free Space | 14.25% Space Free | Partition Type: NTFS

Computer Name: TIMPC | User Name: Tim | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.url[@ = InternetShortcut] -- C:\Windows\system32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.url [@ = InternetShortcut] -- C:\Windows\system32\ieframe.DLL (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3192640116-2428559058-3270897266-1000\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{0B034DB4-9D1A-4BC2-B885-9F7D05DFB056}" = mcShoutCast

"{1AAF3A3B-7B32-4DDF-8ABB-438DAEB46EEC}" = Windows Live Family Safety

"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant

"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64

"{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)

"{2931F734-260D-4E83-87B3-A9FE8E873192}_is1" = PDF-XChange Shell Extensions

"{33EB1061-ABF1-4470-A540-32E97A610536}" = Apple Mobile Device Support

"{393ADA10-CEC5-47E7-AE6D-A9591C125EEF}" = Microsoft LifeCam

"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll

"{41BF0DE4-5BAE-4B88-AFD3-86A30B222186}" = Bonjour

"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64

"{46A5FBE9-ADB3-4493-A1CC-B4CFFD24D26A}" = Windows Live Family Safety

"{55D55008-E5F6-47D6-B16F-B2A40D4D145F}" = 64 Bit HP CIO Components Installer

"{5AEBB4A3-6878-4CEE-AD34-0F6958A983F0}" = HP Deskjet F4400 Printer Driver Software 13.0 Rel .5

"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector

"{5F02C14D-A630-4771-8409-0BA89FCCA8D6}" = iTunes

"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources

"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.4.3

"{6ACE7F46-FACE-4125-AE86-672F4F2A6A28}" = Bing Maps 3D

"{81F34816-37DA-4A0A-A97E-598748D9E09C}" = HeatWave

"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources

"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64

"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer

"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials

"{99999999-9999-9999-9999-999999999999}" = HP Photosmart Cameras 9.0

"{9C5A08BF-BB99-4998-81BD-F6CC32483B34}" = Microsoft Corporation

"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64

"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64

"{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE Writer and FREE Tools

"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter

"{DC9C8BC1-72CE-B5FE-EA4F-6D9127E51746}" = ATI Catalyst Install Manager

"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client

"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service

"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware

"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"C-Media PCI Audio Driver" = C-Media PCI Audio Device

"CPUID CPU-Z_is1" = CPUID CPU-Z 1.52.2

"CutePDF Writer Installation" = CutePDF Writer 2.8

"HP Imaging Device Functions" = HP Imaging Device Functions 13.0

"HP Photosmart Essential" = HP Photosmart Essential 2.01

"HP Print Projects" = HP Print Projects 1.0

"HP Smart Web Printing" = HP Smart Web Printing 4.60

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft Security Essentials" = Microsoft Security Essentials

"NVIDIA Display Control Panel" = NVIDIA Display Control Panel

"NVIDIA Drivers" = NVIDIA Drivers

"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set

"Samsung Mobile phone USB driver Drive" = Samsung Mobile phone USB driver Drive Software

"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software

"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{024521CF-C07E-4F8E-8481-0D75695E03AF}" = PxMergeModule

"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{049D96D7-E082-4FB5-BF64-CD3460E6877C}_is1" = RootsMagic 4.0.8.4

"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan

"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B9.0205.1

"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller

"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar

"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86

"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer

"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help

"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86

"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1F4BF9EA-847E-44FB-A728-C456116E6CEF}" = InstantShareDevicesMFC

"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update

"{1FDA5A37-B22D-43FF-B582-B8964050DC13}" = Microsoft Games for Windows - LIVE Redistributable

"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions

"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery

"{23F79416-CAD1-41BF-99A3-040F6C814AAA}" = NVIDIA Photoshop Plug-ins

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 20

"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections

"{2B59AB31-EBD0-45E4-A725-7112904DA605}" = Family Tree Maker Version 16

"{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}" = Quicken 2003 Deluxe

"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm

"{32A3A4F4-B792-11D6-A78A-00B0D0160180}" = Java SE Development Kit 6 Update 18

"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery

"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery

"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer

"{3B3D2CFD-3C21-4AA0-94DE-45577B5BAB16}" = Family Tree Maker 2011

"{3EF8B5AA-7B82-4945-941D-A6BC24325F00}" = CameraUserGuides

"{40C03514-89C3-41BA-0090-3B440256DB87}" = The Sims 2

"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth

"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg

"{44EAFE3D-09A9-4478-A2BF-0EED22F4E49F}" = The Sims


Please let me know how things are after the following fix.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL (the icon on your desktop).
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :otl
    IE - HKU\S-1-5-21-3192640116-2428559058-3270897266-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    O3 - HKLM\..\Toolbar: (WhiteSmoke Toolbar) - {52794457-af6c-4c50-9def-f2e24f4c8889} - C:\Program Files (x86)\whitesmoketoolbar\whitesmoketoolbarX.dll ()
    O4 - HKU\.DEFAULT..\Run: [MqmP0Z] C:\Windows\TEMP\system.exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqmPb] C:\Windows\TEMP\mdm.exe File not found
    O4 - HKU\.DEFAULT..\Run: [MqsZ] C:\Windows\mdm.exe File not found
    O4 - HKU\.DEFAULT..\Run: [uPc+kt0NaPJsiv] C:\Windows\SysWow64\ji90z.DLL File not found
    O4 - HKU\S-1-5-18..\Run: [MqmP0Z] C:\Windows\TEMP\system.exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqmPb] C:\Windows\TEMP\mdm.exe File not found
    O4 - HKU\S-1-5-18..\Run: [MqsZ] C:\Windows\mdm.exe File not found
    O4 - HKU\S-1-5-18..\Run: [uPc+kt0NaPJsiv] C:\Windows\SysWow64\ji90z.DLL File not found

    :commands
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

I ran the OTL with the Custom Scan/Fix you provided. I ran it when IE was running. I hope that was not a problem. Here is the report. Whitesmoke toolbar option is gone from IE. Yay! :) Did this fix also take care of the browser hijacking? Seems to have with the few searches I did just now. But not totally sure.

All processes killed

========== OTL ==========

HKU\S-1-5-21-3192640116-2428559058-3270897266-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{52794457-af6c-4c50-9def-f2e24f4c8889} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52794457-af6c-4c50-9def-f2e24f4c8889}\ deleted successfully.

C:\Program Files (x86)\whitesmoketoolbar\whitesmoketoolbarX.dll moved successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\MqmP0Z deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\MqmPb deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\MqsZ deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\uPc+kt0NaPJsiv deleted successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MqmP0Z not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MqmPb not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MqsZ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\uPc+kt0NaPJsiv not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Allyson

User: Allyson.TimPC

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: AppData

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

User: Spencer

User: Tim

->Temp folder emptied: 1911481 bytes

->Temporary Internet Files folder emptied: 7181856 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 23985624 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 489 bytes

%systemdrive% .tmp files removed: 5253316 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 261811 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 3981232 bytes

Total Files Cleaned = 41.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 11282010_092715

Files\Folders moved on Reboot...

C:\Users\Tim\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PDI3BD6L\search[1].htm moved successfully.

C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0T3YWP2P\iframe[1].htm moved successfully.

C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0T3YWP2P\index[8].htm moved successfully.

File\Folder C:\Windows\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Please use the internet a bit and see how the browser hijacks are.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Well I just did the Java x64 instead of i586 since the x64 version installed easily and I couldn't get the installer for i586 to come up easily. Let me know if I should do something different. I have Java 6 update 22 (64 bit) installed. Let me know if I need to remove that and install the Java i586. Running a full scan now on the infected computer with MBAM; will let you know results when done. Thanks!


Hi Elise,

Well here it is. I ran a full scan with Malwarebytes Anti-Malware and no infections noted. I just went into IE googled "browser hijack" and tried to access Microsoft's information webpage and was unfortunately redirected to another site. :) Same problem if I try Bing and try to access reviews of a DVD player at Walmart.

Sigh.

Here is the MBAM log. Any thoughts on what to do next??

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5207

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/28/2010 12:33:41 PM

mbam-log-2010-11-28 (12-33-41).txt

Scan type: Full scan (C:\|F:\|)

Objects scanned: 456879

Time elapsed: 1 hour(s), 45 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Here you go. I ran it with both IE and FF closed. But I can run it again with them opened if that helps.

OTL logfile created on: 11/28/2010 1:23:27 PM - Run 5

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Tim\Desktop

64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 16.00% Memory free

8.00 Gb Paging File | 4.00 Gb Available in Paging File | 44.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 596.17 Gb Total Space | 229.09 Gb Free Space | 38.43% Space Free | Partition Type: NTFS

Drive F: | 698.63 Gb Total Space | 99.54 Gb Free Space | 14.25% Space Free | Partition Type: NTFS

Computer Name: TIMPC | User Name: Tim | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/28 07:39:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTL.exe

PRC - [2010/11/26 19:56:10 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/11/26 19:56:09 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/11/18 15:29:05 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Valve\Steam\Steam.exe

PRC - [2010/09/07 07:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/07/25 20:12:19 | 000,075,064 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe

PRC - [2010/07/20 09:09:40 | 000,080,384 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files (x86)\Kodak\MediaImpression\ArcMonitor.exe

PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

PRC - [2010/03/06 03:04:24 | 000,310,224 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

PRC - [2009/11/18 10:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) -- C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe

PRC - [2009/11/18 10:50:32 | 000,468,208 | ---- | M] (Radialpoint Inc.) -- C:\Program Files (x86)\Verizon\VSP\VerizonServicepointComHandler.exe

PRC - [2009/11/18 10:50:30 | 004,269,296 | ---- | M] (Verizon) -- C:\Program Files (x86)\Verizon\VSP\VerizonServicepoint.exe

PRC - [2009/11/15 11:59:11 | 000,158,752 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files (x86)\Freecorder\FLVSrvc.exe

PRC - [2009/02/05 12:43:26 | 000,068,136 | ---- | M] () -- C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe

PRC - [2008/11/18 12:15:30 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

PRC - [2008/06/24 15:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe

PRC - [2008/03/25 16:21:56 | 000,219,656 | ---- | M] () -- C:\Program Files (x86)\Gigabyte\ET6\GUI.exe

PRC - [2005/02/16 15:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe

========== Modules (SafeList) ==========

MOD - [2010/11/28 07:39:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTL.exe

MOD - [2010/11/27 09:22:13 | 000,012,800 | -H-- | M] (Applian Technologies, Inc.) -- C:\Users\Tim\AppData\Local\FLVService\lib\FLVSrvLib.dll

MOD - [2010/08/20 21:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

MOD - [2009/07/13 17:15:31 | 000,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll

MOD - [2009/07/13 17:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Running] -- C:\Windows\SysNative\PnkBstrA.exe -- (PnkBstrA)

SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)

SRV:64bit: - [2010/09/07 07:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV:64bit: - [2010/03/25 23:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV:64bit: - [2010/03/01 19:35:38 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)

SRV:64bit: - [2009/08/17 20:25:42 | 000,051,712 | ---- | M] (S


Elise,

Both browsers, Firefox and IE, are definitely being redirected at times. Most of the time it happens when I am trying to get to a site I want and it redirects me to another random type site. Sometimes it just opens a new browser window with a random site. But in both cases it happens with Firefox and IE. :)


Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.

On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the runbox.

A command window will open. Type ipconfig /flushdns and press enter.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@echo off
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
start notepad Log1.txt
del %0

Go to the File menu at the top of the Notepad and select Save as.

Select save in: desktop

Fill in File name: test.bat

Save as type: All file types (*.*)

Click save.

Close the Notepad.

Locate and double-click test.bat on the desktop.

A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL (the icon on your desktop).
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :files
    c:\windows\tasks\at*.job

    :commands
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

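The batch file above writes ipconfig /all into Log1.txt so the DNS servers can be checked for a DNS-changing infection, which is what a redirect that survives both browsers points to. This Python script is an added example, not part of the thread or of OTL: it parses that output and classifies each adapter's DNS servers; the "Local Area Connection" values repeat those posted later in the thread, and the second adapter with its 192.0.2.x resolvers is constructed.

```python
"""Parse ipconfig /all output (what the thread's test.bat writes to Log1.txt) and
classify each adapter's DNS servers. Added example, not from the thread or OTL."""
import ipaddress
import re

# Sample Log1.txt content. "Local Area Connection" repeats the values posted in
# this thread; "Constructed Example" is made up to show a flagged static setup
# (192.0.2.0/24 is a documentation range, not a real resolver).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TimPC

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       68.238.64.12

Ethernet adapter Constructed Example:

   Description . . . . . . . . . . . : constructed adapter, not from the thread
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.70(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
"""

# "   Key . . . : value" (the key starts with a letter and never contains a dot)
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]+: ?(.*)$")
# "Ethernet adapter Local Area Connection:" or "Tunnel adapter isatap...:"
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; the global header block is skipped."""
    adapters, current, field = {}, None, None
    for line in map(str.rstrip, text.splitlines()):
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, field = m.group(1), None
            adapters[current] = {}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1)
            values = adapters[current].setdefault(field, [])
            if m.group(2):
                values.append(m.group(2))
        elif field is not None:
            # Continuation line: extra DNS servers are listed one per line.
            adapters[current][field].append(line.strip())
    return adapters


def _addr(value):
    """Parse an address, dropping decorations such as '(Preferred)'; None if not one."""
    try:
        return ipaddress.ip_address(value.split("(")[0].strip())
    except ValueError:
        return None


def review_dns(adapters):
    """Map adapter -> (verdict, off-subnet IPv4 DNS servers).
    ok: all resolvers on the adapter's subnet (the router); verify: DHCP handed out
    off-subnet resolvers, confirm they are the ISP's; suspect: DHCP is off and the
    off-subnet resolvers were set by hand, the pattern a DNS changer leaves behind;
    none: no IPv4 resolvers (tunnel adapters, disconnected media)."""
    verdicts = {}
    for name, fields in adapters.items():
        servers = [ip for ip in map(_addr, fields.get("DNS Servers", []))
                   if ip is not None and ip.version == 4]
        if not servers:
            verdicts[name] = ("none", [])
            continue
        dhcp = (fields.get("DHCP Enabled") or ["No"])[0].strip().lower() == "yes"
        ip4 = _addr((fields.get("IPv4 Address") or [""])[0])
        mask = (fields.get("Subnet Mask") or [""])[0]
        local = ipaddress.ip_network(f"{ip4}/{mask}", strict=False) if ip4 and mask else None
        off_subnet = [str(s) for s in servers if local is None or s not in local]
        verdict = "ok" if not off_subnet else ("verify" if dhcp else "suspect")
        verdicts[name] = (verdict, off_subnet)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, off) in review_dns(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        extra = f" (off-subnet DNS: {', '.join(off)})" if off else ""
        print(f"{name}: {verdict}{extra}")
```

An adapter reported as "suspect" should have its resolvers compared with what the router hands out over DHCP before any search result from that machine is trusted.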

I'm running Windows 7 64 bit and I could find the TCP/IP in the Control Panel - Network and Sharing Center, Local Area Connection Status, and under this I clicked Properties and got the attached panel. There were two TCP/IPs, a version 6 and a version 4. Under Properties both obtain the IP and DNS address automatically. Version 6 does not have an Alternate Configuration tab so I can't specify automatic private IP address, but I can for version 4 so I did.

Here are the results of test.bat

Windows IP Configuration

Host Name . . . . . . . . . . . . : TimPC

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : domain_not_set.invalid

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain_not_set.invalid

Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)

Physical Address. . . . . . . . . : 00-24-1D-7D-67-C5

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::e067:62c3:b139:fc99%10(Preferred)

IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : Sunday, November 28, 2010 1:56:26 PM

Lease Expires . . . . . . . . . . : Tuesday, November 30, 2010 2:04:09 AM

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DHCPv6 IAID . . . . . . . . . . . : 167781405

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-3A-F4-3C-00-24-1D-7D-67-C5

DNS Servers . . . . . . . . . . . : 192.168.1.1

68.238.64.12

NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.domain_not_set.invalid:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . : domain_not_set.invalid

Description . . . . . . . . . . . : Microsoft ISATAP Adapter

Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

IPv6 Address. . . . . . . . . . . : 2001:0:ce2e:e837:2c70:399c:3f57:febf(Preferred)

Link-local IPv6 Address . . . . . : fe80::2c70:399c:3f57:febf%12(Preferred)

Default Gateway . . . . . . . . . : ::

NetBIOS over Tcpip. . . . . . . . : Disabled

Server: dslmodem.domain

Address: 192.168.1.1

Name: google.com

Addresses: 66.102.7.104

66.102.7.99

Server: dslmodem.domain

Address: 192.168.1.1

Name: yahoo.com

Addresses: 69.147.125.65

72.30.2.43

98.137.149.56

209.191.122.70

67.195.160.76

Pinging google.com [66.102.7.99] with 32 bytes of data:

Reply from 66.102.7.99: bytes=32 time=28ms TTL=55

Reply from 66.102.7.99: bytes=32 time=27ms TTL=55

Ping statistics for 66.102.7.99:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 27ms, Maximum = 28ms, Average = 27ms

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=113ms TTL=54

Reply from 69.147.125.65: bytes=32 time=104ms TTL=54

Ping statistics for 69.147.125.65:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 104ms, Maximum = 113ms, Average = 108ms

===========================================================================

Interface List

10...00 24 1d 7d 67 c5 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)

1...........................Software Loopback Interface 1

11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.64 20

127.0.0.0 255.0.0.0 On-link 127.0.0.1 306

127.0.0.1 255.255.255.255 On-link 127.0.0.1 306

127.255.255.255 255.255.255.255 On-link 127.0.0.1 306

192.168.1.0 255.255.255.0 On-link 192.168.1.64 276

192.168.1.64 255.255.255.255 On-link 192.168.1.64 276

192.168.1.255 255.255.255.255 On-link 192.168.1.64 276

224.0.0.0 240.0.0.0 On-link 127.0.0.1 306

224.0.0.0 240.0.0.0 On-link 192.168.1.64 276

255.255.255.255 255.255.255.255 On-link 127.0.0.1 306

255.255.255.255 255.255.255.255 On-link 192.168.1.64 276

===========================================================================

Persistent Routes:

None

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination Gateway

12 58 ::/0 On-link

1 306 ::1/128 On-link

12 58 2001::/32 On-link

12 306 2001:0:ce2e:e837:2c70:399c:3f57:febf/128

On-link

10 276 fe80::/64 On-link

12 306 fe80::/64 On-link

12 306 fe80::2c70:399c:3f57:febf/128

On-link

10 276 fe80::e067:62c3:b139:fc99/128

On-link

1 306 ff00::/8 On-link

12 306 ff00::/8 On-link

10 276 ff00::/8 On-link

===========================================================================

Persistent Routes:

None

And I ran OTL with the scan/fix you recommended and my computer crashed on reboot twice! I'm not sure where the OTL log is. It was on my computer screen but then the computer crashed (Blue Screen of Death) before I could cut and paste it somewhere. Not sure where to search for it. Should I run it again and log??? With or without the custom scan/fix??

BTW I noticed another query similar to mine just posted today. The post says Redirect searches/hijack problems whitesmoke installed/possible rootkit posted by Ranulf. Sounds just like my problem only I think he/she is running XP.

Let me know what to do next. Still getting the redirects.

Thanks


Okay. I re-ran OTL a second time with the fix (a second time) and this time my computer did not crash and I was able to copy/paste the log. Here it is.

All processes killed

========== FILES ==========

File\Folder c:\windows\tasks\at*.job not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Allyson

User: Allyson.TimPC

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: AppData

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

User: Spencer

User: Tim

->Temp folder emptied: 402545 bytes

->Temporary Internet Files folder emptied: 3090413 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 121902 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 8052962 bytes

Total Files Cleaned = 11.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 11292010_103213

Files\Folders moved on Reboot...

C:\Users\Tim\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File\Folder C:\Windows\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


This topic is now closed to further replies.