Infected.

venus_n
2010-10-13, 13:41
1. I have loads of keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\, like com.cn\www.hacker, 136136.net and trojanskiller.com. I have never even visited these sites. I also have keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\

2. My Internet Explorer hangs: it doesn't load the page, and when this happens all pages in Internet Explorer start hanging (only Yahoo Mail continues to work) until I close all browsers.

3. Yahoo problems are described in detail on the WhatTheTech forum: http://forums.whatthetech.com/index.php?showtopic=114804

4. The computer alerts me that virtual memory is too low (not always), even when I have just two browsers open and I switched on the computer only 5 minutes ago.

5. More than 20 days ago there was an alert that my antivirus needs to be updated. The alert did not belong to my antivirus, and my antivirus doesn't alert like that. Then it started downloading stuff without confirmation.

6. My scans come clean (except for green entries in Spybot S&D).

7. When I switch on the computer, it says no firewall is turned on, whereas I have the Windows Firewall configured, and the alert disappears after a while.

8. There are (rare) pop-ups while working in Firefox even though I have blocked pop-ups in Firefox.

9. I visit pages, and I get their ads on my cell phone when I haven't given my number there.

10. Hidden hooked items are shown in the RootRepeal log.

11. A few more.

Malwarebytes, Spybot S&D, Safer-Networking RegAlyzer, Avira, RootRepeal.
Windows XP Service Pack 2.

DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by Antivirus at 16:36:35.89 on Wed 10/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.48 [GMT 5.5:30]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Antivirus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\antivi~1\applic~1\mozilla\firefox\profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-9 60936]

=============== Created Last 30 ================

2010-10-01 19:17:45 0 d-----w- c:\docume~1\antivi~1\applic~1\Safer Networking
2010-10-01 19:17:14 0 d-----w- c:\program files\Safer Networking
2010-09-30 15:03:55 441 ----a-w- c:\windows\wininit.ini
2010-09-30 05:53:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-30 05:53:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-27 13:39:51 0 d-sha-r- C:\cmdcons
2010-09-15 08:01:26 0 d-----w- c:\docume~1\antivi~1\applic~1\Malwarebytes
2010-09-15 08:01:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 08:01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 08:01:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-15 08:01:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-09-07 10:27:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 16:37:23.93 ===============

I have had another topic earlier in this malware removal forum, and I have run ComboFix once, as advised by my helper.

http://forums.spybot.info/showthread.php?t=59414

ken545
2010-10-19, 00:40

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Please download GMER from one of the following locations, and save it to your desktop:

Main Mirror (http://gmer.net/download.php)
This version will download a randomly named file (Recommended)
Zip Mirror (http://gmer.net/gmer.zip)
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Extract the contents of the zipped file to your desktop (applicable only to the Zip mirror).
Double click the GMER icon on your desktop.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

venus_n
2010-10-19, 11:13
Thanks.

Below are the three logs.

venus_n
2010-10-19, 11:15
Attached is the Gmer.txt.

venus_n
2010-10-19, 11:17
OTL logfile created on: 10/19/2010 2:25:10 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Antivirus\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 102.00 Mb Available Physical Memory | 46.00% Memory free
698.00 Mb Paging File | 317.00 Mb Available in Paging File | 45.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 16.70 Gb Free Space | 85.48% Space Free | Partition Type: NTFS
Drive D: | 58.59 Gb Total Space | 58.45 Gb Free Space | 99.76% Space Free | Partition Type: NTFS

Computer Name: ANTIVIRU-47914D | User Name: Antivirus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Antivirus\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Antivirus\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\ANTIVI~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camchal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camcaud.sys (Conexant Systems Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.co.in/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/09 18:55:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/09 18:55:41 | 000,000,000 | ---D | M]

[2010/09/09 18:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Antivirus\Application Data\Mozilla\Extensions
[2010/09/09 18:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Antivirus\Application Data\Mozilla\Firefox\Profiles\b335fjj7.default\extensions
[2010/09/09 18:55:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/09/30 16:15:57 | 000,420,575 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14506 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Antivirus\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Antivirus\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/07 16:01:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/10/19 14:13:37 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Antivirus\Desktop\OTL.exe
[2010/10/02 00:47:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Antivirus\Application Data\Safer Networking
[2010/10/02 00:47:14 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/09/30 11:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/09/30 11:23:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/09/27 22:29:25 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/27 19:14:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/27 19:09:51 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/20 12:16:47 | 000,157,232 | ---- | C] (Alwil Software) -- C:\Documents and Settings\Antivirus\Desktop\aswclear5.exe
[2010/09/20 02:07:43 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Antivirus\Desktop\RootRepeal.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/19 14:13:45 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Antivirus\Desktop\OTL.exe
[2010/10/19 13:54:16 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Antivirus\Desktop\g21wkwff.exe
[2010/10/19 10:11:38 | 000,311,842 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/19 10:11:38 | 000,040,190 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/19 10:02:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/19 10:02:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/13 17:01:35 | 000,001,397 | ---- | M] () -- C:\Documents and Settings\Antivirus\Desktop\Attach.2.zip
[2010/10/02 12:25:24 | 000,000,441 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/09/30 16:15:57 | 000,420,575 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/30 15:33:47 | 000,420,575 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100930-161556.backup
[2010/09/30 15:31:49 | 000,420,575 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100930-153347.backup
[2010/09/30 14:10:10 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Antivirus\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/09/27 19:09:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/20 12:32:53 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/09/20 12:16:48 | 000,157,232 | ---- | M] (Alwil Software) -- C:\Documents and Settings\Antivirus\Desktop\aswclear5.exe
[2010/09/20 02:08:05 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Antivirus\Desktop\settings.dat
[2010/09/20 02:07:48 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Antivirus\Desktop\RootRepeal.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/19 13:54:02 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Antivirus\Desktop\g21wkwff.exe
[2010/10/13 17:01:35 | 000,001,397 | ---- | C] () -- C:\Documents and Settings\Antivirus\Desktop\Attach.2.zip
[2010/09/30 20:33:55 | 000,000,441 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/09/30 11:23:25 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Antivirus\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/09/27 19:09:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/27 19:09:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/20 02:08:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Antivirus\Desktop\settings.dat
[2010/09/07 21:20:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/09/07 17:04:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/17 11:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/09/07 18:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/02 00:47:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Antivirus\Application Data\Safer Networking

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/09/07 21:18:43 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/09/07 21:18:43 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/09/07 21:18:43 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< End of report >

venus_n
2010-10-19, 11:18
OTL Extras logfile created on: 10/19/2010 2:25:10 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Antivirus\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 102.00 Mb Available Physical Memory | 46.00% Memory free
698.00 Mb Paging File | 317.00 Mb Available in Paging File | 45.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 16.70 Gb Free Space | 85.48% Space Free | Partition Type: NTFS
Drive D: | 58.59 Gb Total Space | 58.45 Gb Free Space | 99.76% Space Free | Partition Type: NTFS

Computer Name: ANTIVIRU-47914D | User Name: Antivirus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{96C0E73B-8813-4F4A-9EA1-D407C27AA1A1}" = TIxx21
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Conexant PCI Audio" = Conexant AC-Link Audio
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"InstallShield_{96C0E73B-8813-4F4A-9EA1-D407C27AA1A1}" = Texas Instruments PCIxx21/x515 drivers.
"Kundli for Windows (Professional Edition)" = Kundli for Windows (Professional Edition)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.9)" = Mozilla Firefox (3.6.9)
"MSNINST" = MSN
"VLC media player" = VideoLAN VLC media player 0.8.1
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/19/2010 2:50:38 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 9:13:37 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 9:15:58 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x0001cfd6.

Error - 9/19/2010 9:16:14 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 9:20:30 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 9:20:46 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x0001cfd6.

Error - 9/19/2010 11:04:12 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 11:04:32 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

Error - 9/19/2010 11:06:54 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x0001cfd6.

Error - 9/19/2010 11:07:38 AM | Computer Name = ANTIVIRU-47914D | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash.ocx, version 6.0.79.0, fault address 0x00027100.

[ System Events ]
Error - 9/20/2010 3:02:41 AM | Computer Name = ANTIVIRU-47914D | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 9/20/2010 3:02:41 AM | Computer Name = ANTIVIRU-47914D | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip

Error - 9/20/2010 3:03:54 AM | Computer Name = ANTIVIRU-47914D | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/20/2010 11:57:40 PM | Computer Name = ANTIVIRU-47914D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0014A56756A6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/22/2010 12:00:55 AM | Computer Name = ANTIVIRU-47914D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0014A56756A6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/23/2010 12:55:20 AM | Computer Name = ANTIVIRU-47914D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0014A56756A6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 12/31/2003 2:36:13 PM | Computer Name = ANTIVIRU-47914D | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by +212602548 seconds. The time service will not change the system time by more
than +54000 seconds. Verify that your time and time zone are correct, and that
the time source time.windows.com (ntp.m|0x1|192.168.1.2:123->207.46.197.32:123)
is working properly.

Error - 9/26/2010 7:56:23 AM | Computer Name = ANTIVIRU-47914D | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 9/27/2010 12:13:11 AM | Computer Name = ANTIVIRU-47914D | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0014A56756A6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/27/2010 12:15:42 AM | Computer Name = ANTIVIRU-47914D | Source = Service Control Manager | ID = 7022
Description = The Avira AntiVir Guard service hung on starting.


< End of report >

ken545
2010-10-19, 13:00
Hi,

Let's do this to clean up your system and see what's removed

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double-click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job
Once it's finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

venus_n
2010-10-19, 14:04
Hi, the TFC cleaned 56.0 MB.

Malwarebytes I already had. I updated it (came to database version 4880). Then scanned. The log is:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4880

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/19/2010 5:20:56 PM
mbam-log-2010-10-19 (17-20-56).txt

Scan type: Quick scan
Objects scanned: 137546
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

venus_n
2010-10-19, 14:07
Addition: Malwarebytes I had downloaded from the link I got from my previous helper in this forum; it must be the same link as yours.

ken545
2010-10-19, 15:07
Let's do this


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

venus_n
2010-10-19, 15:55
I downloaded ComboFix.exe, but it asked me if I wanted to update first; it said there is a newer version. I said no, because I didn't know, and I was not sure if I could open other programs to find this while I had already double-clicked the icon.

It didn't disconnect me from the internet throughout.

Here's the report:

ComboFix 10-10-18.03 - Antivirus 10/19/2010 19:10:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.104 [GMT 5.5:30]
Running from: c:\documents and settings\Antivirus\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-01 19:17 . 2010-10-01 19:17 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Safer Networking
2010-10-01 19:17 . 2010-10-01 19:17 -------- d-----w- c:\program files\Safer Networking
2010-09-30 05:53 . 2010-09-30 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-30 05:53 . 2010-09-30 08:14 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-7 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/9/2010 1:12 PM 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
FF - ProfilePath - c:\documents and settings\Antivirus\Application Data\Mozilla\Firefox\Profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-10-19 19:16:27
ComboFix-quarantined-files.txt 2010-10-19 13:46
ComboFix2.txt 2010-09-27 13:44

Pre-Run: 17,999,699,968 bytes free
Post-Run: 17,994,158,080 bytes free

- - End Of File - - 3E2A0AE8DEF5D4151088C86354ECFF99

venus_n
2010-10-19, 16:06
Addition: The Bleeping Computer site didn't open at all (still so) so I could read/revise the instructions. I did it from what I remembered from last time.

It says: Firefox can't establish a connection to the server at www.bleepingcomputer.com.

venus_n
2010-10-19, 16:07
Sorry, I misspelled.
I meant: could NOT* read/revise the instructions.

venus_n
2010-10-19, 16:41
You know what.... I doubt this...

"All-new yahoo mail doesn't function without javascript"

That's what my Yahoo mail says. As soon as I log in, I get this text page with 6 to 9 lines to switch on my JavaScript or else switch to lower Yahoo Mail Classic. So I've been working in Yahoo Mail Classic to be secure.

Today I just selected the whole page (supposed to be only text) and it highlighted areas which did not have any text written. Large blank area. Because it had a lot of empty space below. It highlighted 2 large blank squares. And a series of line breaks (return character/newline character). Could be this guy is trying to locate my IP from my visits on this page by invisible images (tracking images).

venus_n
2010-10-19, 17:08
Source Code Removed

venus_n
2010-10-19, 17:10
Source Code Removed

venus_n
2010-10-19, 17:20
Source Code Removed

venus_n
2010-10-19, 17:23
Source Code Removed

venus_n
2010-10-19, 17:27
Here's the attached image of the page... I've blanked out my user ID.

Even the sign-out link doesn't click.

venus_n
2010-10-19, 17:52
Hey, for several days since I installed Spybot Search & Destroy, I wasn't getting that ad at http://www.google.co.in/ for Google Chrome in the top-right corner. Today I got it after ComboFix or the other runs.

ken545
2010-10-19, 22:46
Hi,

Combofix didn't find or remove anything. As far as all the script you posted, I am not a web designer and have no idea what that all means.

All the scans are coming up clean


Copy and paste these lines into Notepad.

@Echo on
rem Go to the folder that holds the hosts file
pushd \windows\system32\drivers\etc
rem Clear the hidden, system and read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Write a default hosts file containing only the localhost entry
echo 127.0.0.1 localhost>HOSTS
rem Put the attributes back
attrib +r +h +s hosts
popd
rem Release and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack
netsh winsock reset all
netsh int ip reset all
rem Reboot in one second, then delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Double-click to run.
*** note: Win Vista and Win 7 need to right-click and choose "run as Administrator" .. the computer will reboot itself.





Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.







Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply .

venus_n
2010-10-20, 07:27
When I ran the HostsXpert.exe from its location, it says "your hosts file is marked as a system file, and cannot be manipulated. Click continue to remove this attribute or press cancel to exit".

So I pressed cancel. What do I do? Should I continue? I haven't run the Kaspersky yet. I wanted to go in sequence to avoid any clashes.

I have not made changes to the hosts file on my own, but I think Spybot S&D could be making them to prevent browser redirects. (My default IP is, I think, 127.0.0.2.)

ken545
2010-10-20, 11:06
Yes, go ahead and change it; all we're doing is setting the hosts file back to default. I am on a computer right now that does not have Spybot so I can't see where to change it, but there is an option to unblock Spybot from locking the hosts file. Try to find it and uncheck it, and also disable the TeaTimer.

venus_n
2010-10-20, 12:20
I ran flush.bat and have now recovered Microsoft's hosts file through HostsXpert.

I don't know if my localhost or default IP is 127.0.0.1 or 127.0.0.2 or what, but the hosts file it recovered to wrote 127.0.0.1 in front of localhost.

But the Kaspersky link you gave me had the accept button greyed out; it said
"Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later. "

So now..

ken545
2010-10-20, 13:13
OK, try this one

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

venus_n
2010-10-20, 14:19
I did the ESET online scan and took a screenshot of the report before clicking finish.

Later, after clicking finish, I went to see.
I don't have any such folder C:\Program Files\EsetOnlineScanner
So I checked C:\Program Files\ESET\ESET Online Scanner.

There is no file called log.txt or any report or log in C:\Program Files\ESET\ESET Online Scanner.

The screenshot of the report (must be just an overview of what they must be showing there) is attached.

venus_n
2010-10-20, 15:13
To be safe meanwhile, can I / should I re-lock the hosts file through Spybot S&D (since I have restored Microsoft's hosts file)?
Should I not enable TeaTimer currently?

Can I request to have the 3 posts on the source code of the Yahoo on-sign-in page removed (if it's not in use here)?

ken545
2010-10-20, 15:24
All your posts for the source code have been removed as per your request.

Yes, I would lock the hosts file and turn the TeaTimer back on.

How are things running now ?

venus_n
2010-10-20, 18:09
Some problems which I listed in the first post (post to start thread) are still there. Here's below a list of the differences that have come in the situation of each point.

1. I still have loads of keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ and in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\, but could be less, because when I made a search on the word "hack" under folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, it brought 4 sites, whereas earlier it was bringing 8 sites in this folder.

2. Internet Explorer still hangs up sometimes.

3. All Yahoo problems still exist.

4. Computer is still alerting me of virtual memory too low when I just don't have much load on RAM. In fact today I left my computer idle with the internet connection on, because of sudden guests, and when I returned, there was an alert of virtual memory too low.

5. Don't know how my antivirus is functioning. Haven't scanned with it for 10 days.

6. Scans are still coming clean (like you told me).

7. The firewall alert when I switch on the computer is not always there. I notice it's there when my antivirus shield/guard is not enabled. When my computer starts, my antivirus usually starts immediately, but the guard takes a while to start. The alert disappears when the guard comes on. This was always the case.

8. Rare pop-ups are still there on Firefox. I see them come when I click a button for a process to run the process, then the ad pops up alongside. For example, on raaga.com, when clicking on the play button to play music. This could even be normal but I'm doubtful.

9. Ads still reaching my cell, of the pages I visit.

10. Hooked items in RootRepeal logs, I can't say now because I haven't tried running RootRepeal without your permission.

11. I can't say if this is a virus; sometimes, when I search on Google and click search, or some buttons on some other sites, it says "You are sending information over an unencrypted connection, do you want to continue?" I hit continue. Few more issues.

Since I have run the scans, Internet Explorer shows the ad for Google Chrome at the top right. Is it normal? I don't get it in Firefox.

venus_n
2010-10-20, 18:58
Is it that I shouldn't immunise in Spybot S&D? It may be adding sites to 127.0.0.1, and the recover Microsoft's hosts file thing which we did is to clean that.

ken545
2010-10-20, 23:26
Hi,

This is kind of hard to explain. 127.0.0.1 is the address of your own computer, but the sites that Spybot adds to it are bad sites. What happens is, if you should access one of those sites, the site goes to 127.0.0.1 to look for malicious files to download to your computer (instead of going to their own server, Spybot is sending them to 127.0.0.1); when it can't find the files it needs it just goes away. It's just one more layer of protection.



Virtual Memory: you may have a buggy program installed. Think back to what you installed prior to getting this message and uninstall it. If you can't find it, when we're done here I can link you to a Windows support forum that can help you, as we just do malware removal on this one.
http://www.askdavetaylor.com/how_can_i_fix_too_little_virtual_memory_in_windows.html


Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



You may have signed up for something on your computer and it required you to list your phone number; not sure exactly what you did.




Open Internet Explorer and go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset. Let it do its thing, it takes just a few seconds; when it's done, OK your way out. Close IE and then reopen it and see if this helped.

venus_n
2010-10-21, 05:24
It's in parts.

SystemLook 04.09.10 by jpshortstuff
Log created at 08:20 on 21/10/2010 by Antivirus
Administrator - Elevation successful

========== reg ==========


Removed Entries

venus_n
2010-10-21, 05:26
Removed Entries

venus_n
2010-10-21, 05:30
Removed Entries

venus_n
2010-10-21, 05:31
Removed Entries

venus_n
2010-10-21, 05:37
Removed Entries

venus_n
2010-10-21, 05:39
Removed Entries

venus_n
2010-10-21, 05:40
Removed Entries

venus_n
2010-10-21, 05:47
Removed Entries

venus_n
2010-10-21, 05:49
Removed Entries

venus_n
2010-10-21, 05:50
Removed Entries

tashi
2010-10-21, 06:36
Post to see page 5. [Ignore]

venus_n
2010-10-21, 06:41
Removed Entries

venus_n
2010-10-21, 06:42
Removed Entries

venus_n
2010-10-21, 06:52
Removed Entries

venus_n
2010-10-21, 06:58
Removed Entries

venus_n
2010-10-21, 07:00
Removed Entries

venus_n
2010-10-21, 07:14
Removed Entries

venus_n
2010-10-21, 07:15
Removed Entries

venus_n
2010-10-21, 07:15
Removed Entries

venus_n
2010-10-21, 07:17
Removed Entries

venus_n
2010-10-21, 07:20
Removed Entries

venus_n
2010-10-21, 07:21
Removed Entries

venus_n
2010-10-21, 07:22
Removed Entries

venus_n
2010-10-21, 07:32
Removed Entries

venus_n
2010-10-21, 07:33
Removed Entries

venus_n
2010-10-21, 07:35
Removed entries

venus_n
2010-10-21, 07:36
Removed entries

venus_n
2010-10-21, 07:42
Removed entries

venus_n
2010-10-21, 07:59
Removed entries

venus_n
2010-10-21, 08:01
Removed Entries

venus_n
2010-10-21, 09:25
Post to make previous post visible.

ken545
2010-10-21, 09:55
Those are all bad sites that were placed there when you ran the immunization feature with Spybot Search and Destroy; you're being protected against those bad sites. My fault for not telling you, but when you have such a large report to post you need to zip it and attach it. All that you posted just gummed up this thread and made it unreadable; I had to remove them all so I could post.
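
The two places immunization writes to, the hosts file (discussed earlier in this thread) and the ZoneMap\EscDomains registry key (the SystemLook scan above), can both be checked offline. The following is an added example, not code from Spybot or from anyone in this thread; the hosts lines and the .reg export are constructed samples, and `example.test` is a placeholder used only to show how a Trusted-zone entry would stand out from the Restricted-zone entries immunization creates.

```python
import re

# Constructed sample of a Windows hosts file after Spybot S&D immunization:
# blocked hostnames are pinned to 127.0.0.1 (the local machine).
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed)
127.0.0.1 www.hacker.com.cn
127.0.0.1 136136.net
127.0.0.1 trojanskiller.com
"""

# Constructed .reg export of the EscDomains key. Zone values are IE URL
# security zones: 2 = Trusted sites, 4 = Restricted sites (immunization).
REG_SAMPLE = """\
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\EscDomains\\136136.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\EscDomains\\com.cn\\www.hacker]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\EscDomains\\example.test]
"http"=dword:00000002
"""

def hosts_blocked(hosts_text):
    """Return the set of hostnames a hosts file sends to 127.0.0.1 (blocked)."""
    blocked = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] == "127.0.0.1":
            blocked.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return blocked

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\EscDomains\\(.+)\]$")
VAL_RE = re.compile(r'^"(\*|https?)"=dword:([0-9a-fA-F]{8})$')

def zonemap_entries(reg_text):
    """Map hostname -> zone number from a .reg export of EscDomains.
    Subkeys nest host under domain (EscDomains\\com.cn\\www.hacker), so the
    path components are reversed and joined to rebuild www.hacker.com.cn."""
    entries, host = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            host = ".".join(reversed(m.group(1).split("\\"))).lower()
            continue
        m = VAL_RE.match(line.strip())
        if m and host:
            entries[host] = int(m.group(2), 16)
    return entries

def trusted_zone_hosts(entries):
    """Immunization only adds Restricted (4) entries; a Trusted (2) entry
    under EscDomains is the kind of thing worth looking at more closely."""
    return sorted(h for h, z in entries.items() if z == 2)
```

Running `zonemap_entries` over a real export of the key SystemLook listed separates the expected zone-4 immunization entries from anything that puts a site in the Trusted zone.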

ken545
2010-10-21, 10:16
Bump to post

venus_n
2010-10-21, 10:19
OK, there were several others but I couldn't complete the report because the posts began to become invisible.
Just after the last entry, the report ends with:


-= EOF =-



I see, the sites were added for immunization. But I have them in the \Domains folder as well, not just \EscDomains. (Same rest of the path.)

I reset the Internet Explorer settings but the same Chrome ad is at the top-left corner of the google.com page.
It's not redirection, right?

Maybe I installed the Flash plugin for Firefox or Adobe Reader 8 before I started getting that virtual memory alert. Will it be OK to uninstall them if it's a virus or a bug? I mean, won't their uninstall.exe's invite further viruses?

ken545
2010-10-21, 10:21
I would try uninstalling them and see if it helps

venus_n
2010-10-21, 10:49
I uninstalled Adobe Reader, which was on my list of add/remove programs, but Adobe Acrobat Reader is not showing on my list of add/remove programs in spite of my having its files and folder on my user.

(Adobe Reader is the free one.
Adobe Acrobat Reader is the paid one.)

This is not OK, right? It's not because of malware/virus, right? It's a computer problem?


Also, the Chrome ad on the top-right corner of the google.com page is still there. It's not redirection, right?

What about the Yahoo issues? Are they just restricted to my mail? But some of them appear before I log in or even enter my username.
------------------------------------------------

Edit
http://forums.spybot.info/showthread.php?t=59414&page=5

ken545
2010-10-21, 12:46
Your logs are clean; you need to post in the Windows forum for those other issues.

http://forums.whatthetech.com/index.php?showforum=123