Redirect Problems San Jose CA

Jack Fischer · Nov 27, 2010

Redirect Problems in San Jose, CA

Hi. OTL ran fine with your code pasted in, but I was not able to get GMER to run after multiple tries. I disabled Spybot, Avira and Malwarebyte and started in safe mode, but when I double clicked it to launch the GMER software it began to scan immediately without giving the the GUI interface or letting me uncheck any boxes. And then it crashed and gave me a blue screen that said:

A problem was detected and windows was shut down to prevent damage.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical info:

stop:0x000000D1 (0x3F3F3F, 0x00000002,0x00000000,0xF77c33ce)
IdeChnDr.Sys-Address F77C33CE base at F77C3000,DateStamp 3bd89c65

Beginning dump of physical memory...

Here's the text from OTL:

OTL logfile created on: 11/27/2010 12:14:44 PM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joycellen Floyd\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 246.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 11.75 Gb Free Space | 31.57% Space Free | Partition Type: NTFS
Drive D: | 7.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DELL | User Name: Joycellen Floyd | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/09/09 21:58:05 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

< C:\WINDOWS\system32\DRIVERS\avgntflt.sys /md5 >
[2010/11/22 18:18:34 | 000,061,960 | ---- | M] (Avira GmbH) MD5=47B879406246FFDCED59E18D331A0E7D -- C:\WINDOWS\system32\drivers\avgntflt.sys

< C:\WINDOWS\system32\drivers\wdmaud.sys /md5 >
[2008/04/13 11:17:18 | 000,083,072 | ---- | M] (Microsoft Corporation) MD5=6768ACF64B18196494413695F0C3A00F -- C:\WINDOWS\system32\drivers\wdmaud.sys

< C:\WINDOWS\System32\Drivers\IdeChnDr.sys /md5 >
[2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\WINDOWS\system32\drivers\IdeChnDr.sys

< End of report >

Jack&Jill · Nov 28, 2010

Hello Jack

,

I need you to upload a few suspicious files to VirusTotal (VT) for an online scan. Click here.

Click on the Browse button or the white box beside it. A File Upload prompt will open.
Copy and paste the following file and its path to upload:
Code:
```
C:\WINDOWS\system32\DRIVERS\avgntflt.sys
```
Press Open, then Send file. The file will be uploaded for testing.
If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.

Repeat for

Code:

C:\WINDOWS\System32\Drivers\IdeChnDr.sys
C:\WINDOWS\system32\dxtmsft.dll
C:\WINDOWS\system32\dxtrans.dll
C:\WINDOWS\system32\iepeers.dll

Post the results in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

A result from either one of the above scanners would be sufficient.

--------------------

Please post back:
1. the VT / Jotti / VS results

Jack Fischer · Nov 30, 2010

Redirect Problems in San Jose, CA

Here's the result of the Virus total scans:

1)

Inbox
Virus Total
Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
avgntflt.sys
Submission date:
2010-11-30 02:27:07 (UTC)
Current status:
queued (#1) queued (#1) analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.11.30.00 2010.11.29 -
AntiVir 7.10.14.136 2010.11.29 -
Antiy-AVL 2.0.3.7 2010.11.30 -
Avast 4.8.1351.0 2010.11.29 -
Avast5 5.0.677.0 2010.11.29 -
AVG 9.0.0.851 2010.11.30 -
BitDefender 7.2 2010.11.30 -
CAT-QuickHeal 11.00 2010.11.29 -
ClamAV 0.96.4.0 2010.11.30 -
Command 5.2.11.5 2010.11.30 -
Comodo 6896 2010.11.30 -
DrWeb 5.0.2.03300 2010.11.30 -
Emsisoft 5.0.0.50 2010.11.30 -
eSafe 7.0.17.0 2010.11.29 -
eTrust-Vet 36.1.8007 2010.11.29 -
F-Prot 4.6.2.117 2010.11.29 -
F-Secure 9.0.16160.0 2010.11.30 -
Fortinet 4.2.254.0 2010.11.29 -
GData 21 2010.11.30 -
Ikarus T3.1.1.90.0 2010.11.30 -
Jiangmin 13.0.900 2010.11.29 -
K7AntiVirus 9.69.3115 2010.11.29 -
Kaspersky 7.0.0.125 2010.11.29 -
McAfee 5.400.0.1158 2010.11.30 -
McAfee-GW-Edition 2010.1C 2010.11.29 -
Microsoft 1.6402 2010.11.29 -
NOD32 5659 2010.11.29 -
Norman 6.06.10 2010.11.29 -
nProtect 2010-11-29.01 2010.11.29 -
Panda 10.0.2.7 2010.11.29 -
PCTools 7.0.3.5 2010.11.30 -
Prevx 3.0 2010.11.30 -
Rising 22.75.06.04 2010.11.30 -
Sophos 4.60.0 2010.11.29 -
SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
Symantec 20101.2.0.161 2010.11.29 -
TheHacker 6.7.0.1.093 2010.11.30 -
TrendMicro 9.120.0.1004 2010.11.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
VBA32 3.12.14.2 2010.11.29 -
VIPRE 7450 2010.11.30 -
ViRobot 2010.11.29.4175 2010.11.29 -
VirusBuster 13.6.66.0 2010.11.29 -
Additional information
Show all
MD5 : 47b879406246ffdced59e18d331a0e7d
SHA1 : 839b4f08cae589f91cae2685e651926fed017706
SHA256: afe467f41eb8db905abe0478eaeb75ea16ee7b39470d56968210c191ed96418c
ssdeep: 1536:QBhB9hgPhAOoImEMuLQlstdoytJFAkNfD:6B9hoOOoDZuLQGtdoyVA2
File size : 61960 bytes
First seen: 2010-11-22 10:17:48
Last seen : 2010-11-30 02:27:07
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Avira GmbH
copyright....: Copyright (c) 1996-2009 Avira GmbH. All rights reserved.
product......: AntiVir Workstation
description..: Avira Minifilter Driver
original name: avgntflt.sys
internal name: avgntflt.sys
file version.: 10.00.08.07
comments.....: Avira Minifilter Driver - fre_win7_x86
signers......: Avira GmbH
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 6:05 PM 11/11/2010
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1174A
timedatestamp....: 0x4CDC11C7 (Thu Nov 11 15:54:47 2010)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x7DBA, 0x7E00, 6.44, 7831b8ed2fbc42b8186a5f8a9872fe64
NONPAGED, 0x9000, 0x15, 0x200, 0.23, 2d3d4c9db47a525fab5be72a9b38f91a
.rdata, 0xA000, 0x694, 0x800, 3.57, 5c22563829ba936fc02ccc5255583112
.data, 0xB000, 0x36E0, 0x200, 1.37, de8cbc28c7e7d6ddccf7cc2dee8206c8
PAGE, 0xF000, 0x1832, 0x1A00, 6.09, 10b17bf5d26b5ecc3d20f466b42ed3bd
INIT, 0x11000, 0x17C4, 0x1800, 5.94, 8aeae19f5bd9f9602eb6403f893652e0
.rsrc, 0x13000, 0x538, 0x600, 3.07, eef6122de9431a83a9094c5c9a138fa9
.reloc, 0x14000, 0x1000, 0x1000, 5.96, 4881fe98a2293bb46f0f7f1af8fd054a

[[ 3 import(s) ]]
ntoskrnl.exe: RtlCompareUnicodeString, ZwReadFile, memset, ZwSetInformationFile, ZwQueryInformationFile, RtlFreeUnicodeString, wcsncat, RtlAnsiStringToUnicodeString, RtlInitAnsiString, KeQuerySystemTime, RtlLengthSid, RtlValidSid, SeQueryInformationToken, IoIsSystemThread, PsGetCurrentProcessId, IoThreadToProcess, ExInitializePagedLookasideList, strncpy, MmMapLockedPagesSpecifyCache, RtlNtStatusToDosError, memmove, PsGetCurrentThreadId, ExDeletePagedLookasideList, ExDeleteResourceLite, RtlLookupElementGenericTableAvl, ObfDereferenceObject, KeBugCheckEx, IoGetTopLevelIrp, RtlInsertElementGenericTableAvl, PsRevertToSelf, SeImpersonateClientEx, KeWaitForMultipleObjects, ObReferenceObjectByHandle, PsCreateSystemThread, IoCreateSymbolicLink, IoCreateDevice, KeClearEvent, ExInitializeResourceLite, KeQueryTimeIncrement, MmGetSystemRoutineAddress, ZwWriteFile, ZwClose, IoDeleteDevice, IoDeleteSymbolicLink, KeTickCount, RtlUnwind, RtlDeleteElementGenericTableAvl, ZwOpenKey, PsSetCreateProcessNotifyRoutine, ZwQueryValueKey, ZwQuerySymbolicLinkObject, ZwOpenSymbolicLinkObject, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlCopyUnicodeString, RtlUpcaseUnicodeString, toupper, RtlCompareMemory, RtlEnumerateGenericTableWithoutSplayingAvl, IoGetDeviceObjectPointer, IofCallDriver, IoBuildDeviceIoControlRequest, RtlGetVersion, KeNumberProcessors, SeTokenType, PsDereferencePrimaryToken, PsDereferenceImpersonationToken, memcpy, _wcsupr, ExAcquireResourceSharedLite, IoGetCurrentProcess, KeWaitForSingleObject, KeResetEvent, KeEnterCriticalRegion, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, KeLeaveCriticalRegion, KeSetEvent, PsTerminateSystemThread, RtlInitUnicodeString, IoCreateSynchronizationEvent, _allmul, KeDelayExecutionThread, RtlInitializeGenericTableAvl, ExFreePoolWithTag, ExAllocatePoolWithTag, SeCreateClientSecurity, IoGetStackLimits, KeGetCurrentThread, InterlockedPushEntrySList, InterlockedPopEntrySList, IofCompleteRequest, KeInitializeEvent
HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex, KeGetCurrentIrql
FLTMGR.SYS: FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltStartFiltering, FltObjectReference, FltObjectDereference, FltCancelFileOpen, FltReferenceFileNameInformation, FltReferenceContext, FltCloseClientPort, FltCloseCommunicationPort, FltUnregisterFilter, FltDeleteContext, FltDoCompletionProcessingWhenSafe, FltGetFileNameInformation, FltParseFileNameInformation, FltSetStreamHandleContext, FltGetStreamHandleContext, FltGetInstanceContext, FltSendMessage, FltCreateFile, FltClose, FltGetVolumeProperties, FltAllocateContext, FltSetInstanceContext, FltReleaseContext, FltReleaseFileNameInformation, FltGetRoutineAddress

VT Community

0

This file has never been reviewed by any VT Community member. Be the first one to comment on it!

VirusTotal Team
Add your comment... Remember that when you write comments as an anonymous user they receive the lowest possible reputation. So if you have not signed in yet don't forget to do so. How to markup your comments?
You can add basic styles to your comments using the following accepted bbcode tags:

text -- bold
text -- italics
text -- underline
~~text~~ -- strikethrough

Code:

text

-- preformatted text

You can also address comments to particular users using the "@" twitter-like mode. By prepending a "#" symbol to a word you can add custom tags to your comment, tags that can then be searched for.

Goodware
Malware
Spam attachment/link

P2P download
Propagating via IM
Network worm

Drive-by-download

2)
Antivirus Version Last Update Result
AhnLab-V3 2010.11.30.00 2010.11.29 -
AntiVir 7.10.14.136 2010.11.29 -
Antiy-AVL 2.0.3.7 2010.11.30 -
Avast 4.8.1351.0 2010.11.29 -
Avast5 5.0.677.0 2010.11.29 -
AVG 9.0.0.851 2010.11.30 -
BitDefender 7.2 2010.11.30 -
CAT-QuickHeal 11.00 2010.11.29 -
ClamAV 0.96.4.0 2010.11.30 -
Command 5.2.11.5 2010.11.30 -
Comodo 6896 2010.11.30 -
DrWeb 5.0.2.03300 2010.11.30 -
Emsisoft 5.0.0.50 2010.11.30 -
eSafe 7.0.17.0 2010.11.29 -
eTrust-Vet 36.1.8007 2010.11.29 -
F-Prot 4.6.2.117 2010.11.29 -
Fortinet 4.2.254.0 2010.11.29 -
GData 21 2010.11.30 -
Ikarus T3.1.1.90.0 2010.11.30 -
Jiangmin 13.0.900 2010.11.29 -
K7AntiVirus 9.69.3115 2010.11.29 -
Kaspersky 7.0.0.125 2010.11.29 -
McAfee 5.400.0.1158 2010.11.30 -
McAfee-GW-Edition 2010.1C 2010.11.29 -
Microsoft 1.6402 2010.11.29 -
NOD32 5659 2010.11.29 -
Norman 6.06.10 2010.11.29 -
nProtect 2010-11-29.01 2010.11.29 -
Panda 10.0.2.7 2010.11.29 -
PCTools 7.0.3.5 2010.11.30 -
Prevx 3.0 2010.11.30 -
Rising 22.75.06.04 2010.11.30 -
Sophos 4.60.0 2010.11.30 -
SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
Symantec 20101.2.0.161 2010.11.29 -
TheHacker 6.7.0.1.093 2010.11.30 -
TrendMicro 9.120.0.1004 2010.11.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
VBA32 3.12.14.2 2010.11.29 -
VIPRE 7450 2010.11.30 -
ViRobot 2010.11.29.4175 2010.11.29 -
VirusBuster 13.6.66.0 2010.11.29 -
Additional information
Show all
MD5 : b5e01b50b08b440018f437aebed0bccf
SHA1 : f02673d227cf6c7497ab285313fd8a93768f5cf4
SHA256: d4d478743d0590595413afe4fe5d71e7c54c72fb947200987a8b6cdcd284e0d1

3)

user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
dxtmsft.dll
Submission date:
2010-11-30 02:56:43 (UTC)
Current status:
queued (#4) queued (#4) analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.11.30.00 2010.11.29 -
AntiVir 7.10.14.136 2010.11.29 -
Antiy-AVL 2.0.3.7 2010.11.30 -
Avast 4.8.1351.0 2010.11.29 -
Avast5 5.0.677.0 2010.11.29 -
AVG 9.0.0.851 2010.11.30 -
BitDefender 7.2 2010.11.30 -
CAT-QuickHeal 11.00 2010.11.29 -
ClamAV 0.96.4.0 2010.11.30 -
Command 5.2.11.5 2010.11.30 -
Comodo 6896 2010.11.30 -
DrWeb 5.0.2.03300 2010.11.30 -
Emsisoft 5.0.0.50 2010.11.30 -
eSafe 7.0.17.0 2010.11.29 -
eTrust-Vet 36.1.8007 2010.11.29 -
F-Prot 4.6.2.117 2010.11.29 -
F-Secure 9.0.16160.0 2010.11.30 -
Fortinet 4.2.254.0 2010.11.29 -
GData 21 2010.11.30 -
Ikarus T3.1.1.90.0 2010.11.30 -
Jiangmin 13.0.900 2010.11.29 -
K7AntiVirus 9.69.3115 2010.11.29 -
Kaspersky 7.0.0.125 2010.11.29 -
McAfee 5.400.0.1158 2010.11.30 -
McAfee-GW-Edition 2010.1C 2010.11.29 -
Microsoft 1.6402 2010.11.29 -
NOD32 5659 2010.11.29 -
Norman 6.06.10 2010.11.29 -
nProtect 2010-11-29.01 2010.11.29 -
Panda 10.0.2.7 2010.11.29 -
PCTools 7.0.3.5 2010.11.30 -
Prevx 3.0 2010.11.30 -
Rising 22.75.06.04 2010.11.30 -
Sophos 4.60.0 2010.11.30 -
SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
Symantec 20101.2.0.161 2010.11.29 -
TheHacker 6.7.0.1.093 2010.11.30 -
TrendMicro 9.120.0.1004 2010.11.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
VBA32 3.12.14.2 2010.11.29 -
VIPRE 7450 2010.11.30 -
ViRobot 2010.11.29.4175 2010.11.29 -
VirusBuster 13.6.66.0 2010.11.29 -

4)

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
dxtrans.dll
Submission date:
2010-11-30 03:00:30 (UTC)
Current status:
queued (#1) queued (#1) analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.11.30.00 2010.11.29 -
AntiVir 7.10.14.136 2010.11.29 -
Antiy-AVL 2.0.3.7 2010.11.30 -
Avast 4.8.1351.0 2010.11.29 -
Avast5 5.0.677.0 2010.11.29 -
AVG 9.0.0.851 2010.11.30 -
BitDefender 7.2 2010.11.30 -
CAT-QuickHeal 11.00 2010.11.29 -
ClamAV 0.96.4.0 2010.11.30 -
Command 5.2.11.5 2010.11.30 -
Comodo 6896 2010.11.30 -
DrWeb 5.0.2.03300 2010.11.30 -
Emsisoft 5.0.0.50 2010.11.30 -
eSafe 7.0.17.0 2010.11.29 -
eTrust-Vet 36.1.8007 2010.11.29 -
F-Prot 4.6.2.117 2010.11.29 -
F-Secure 9.0.16160.0 2010.11.30 -
Fortinet 4.2.254.0 2010.11.29 -
GData 21 2010.11.30 -
Ikarus T3.1.1.90.0 2010.11.30 -
Jiangmin 13.0.900 2010.11.29 -
K7AntiVirus 9.69.3115 2010.11.29 -
Kaspersky 7.0.0.125 2010.11.29 -
McAfee 5.400.0.1158 2010.11.30 -
McAfee-GW-Edition 2010.1C 2010.11.29 -
Microsoft 1.6402 2010.11.29 -
NOD32 5659 2010.11.29 -
Norman 6.06.10 2010.11.29 -
nProtect 2010-11-29.01 2010.11.29 -
Panda 10.0.2.7 2010.11.29 -
PCTools 7.0.3.5 2010.11.30 -
Prevx 3.0 2010.11.30 -
Rising 22.75.06.04 2010.11.30 -
Sophos 4.60.0 2010.11.30 -
SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
Symantec 20101.2.0.161 2010.11.29 -
TheHacker 6.7.0.1.093 2010.11.30 -
TrendMicro 9.120.0.1004 2010.11.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
VBA32 3.12.14.2 2010.11.29 -
VIPRE 7450 2010.11.30 -
ViRobot 2010.11.29.4175 2010.11.29 -
VirusBuster 13.6.66.0 2010.11.29 -
Additional information
Show all
MD5 : 5e1a0476e009a1930a524dff4ca13982
SHA1 : e43784c51aa4a14122c5e880059c145609ddf0c2
SHA256: 02635287787412c2075f48a1bba60b2705c13f5e0d82f82c8c048ed9d8ab5f26

5)

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
iepeers.dll
Submission date:
2010-11-30 03:03:14 (UTC)
Current status:
queued (#16) queued (#6) analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.11.30.00 2010.11.29 -
AntiVir 7.10.14.136 2010.11.29 -
Antiy-AVL 2.0.3.7 2010.11.30 -
Avast 4.8.1351.0 2010.11.29 -
Avast5 5.0.677.0 2010.11.29 -
AVG 9.0.0.851 2010.11.30 -
BitDefender 7.2 2010.11.30 -
CAT-QuickHeal 11.00 2010.11.29 -
ClamAV 0.96.4.0 2010.11.30 -
Command 5.2.11.5 2010.11.30 -
Comodo 6896 2010.11.30 -
DrWeb 5.0.2.03300 2010.11.30 -
Emsisoft 5.0.0.50 2010.11.30 -
eSafe 7.0.17.0 2010.11.29 -
eTrust-Vet 36.1.8007 2010.11.29 -
F-Prot 4.6.2.117 2010.11.29 -
F-Secure 9.0.16160.0 2010.11.30 -
Fortinet 4.2.254.0 2010.11.29 -
GData 21 2010.11.30 -
Ikarus T3.1.1.90.0 2010.11.30 -
Jiangmin 13.0.900 2010.11.29 -
K7AntiVirus 9.69.3115 2010.11.29 -
Kaspersky 7.0.0.125 2010.11.29 -
McAfee 5.400.0.1158 2010.11.30 -
McAfee-GW-Edition 2010.1C 2010.11.29 -
Microsoft 1.6402 2010.11.29 -
NOD32 5659 2010.11.29 -
Norman 6.06.10 2010.11.29 -
nProtect 2010-11-29.01 2010.11.29 -
Panda 10.0.2.7 2010.11.29 -
PCTools 7.0.3.5 2010.11.30 -
Prevx 3.0 2010.11.30 -
Rising 22.76.00.01 2010.11.30 -
Sophos 4.60.0 2010.11.30 -
SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
Symantec 20101.2.0.161 2010.11.29 -
TheHacker 6.7.0.1.093 2010.11.30 -
TrendMicro 9.120.0.1004 2010.11.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
VBA32 3.12.14.2 2010.11.29 -
VIPRE 7450 2010.11.30 -
ViRobot 2010.11.29.4175 2010.11.29 -
VirusBuster 13.6.66.0 2010.11.29 -
Additional information
Show all
MD5 : 9544f6b5812a7634747020e4a6d4d2a5
SHA1 : be22d5142a0102c29520b7b30dc24f3e2a904779
SHA256: 375d91765e08f981f12e28b254adad0bb32eecc722e767f4795aeca348378972
ssdeep: 3072:ndxZT3IHHLyyXwHDV0Lp1eIIEnE9Fuut9WQd0MlPGMUdjsnWQHS81yBI5M:/+NXwHJ0LWI
IEeHt9WuPpnWgk9
File size : 184320 bytes
First seen: 2010-10-12 17:10:16
Last seen : 2010-11-30 03:03:14
TrID:
Windows OCX File (71.0%)
Win32 Executable MS Visual C++ (generic) (21.6%)
Win32 Executable Generic (4.9%)
Generic Win/DOS Executable (1.1%)
DOS Executable Generic (1.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Windows_ Internet Explorer
description..: Internet Explorer Peer Objects
original name: iepeers.dll
internal name: iepeers.dll
file version.: 8.00.6001.18968 (longhorn_ie8_gdr.100824-1830)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1589
timedatestamp....: 0x4C89C8ED (Fri Sep 10 05:58:05 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1DC38, 0x1DE00, 6.35, 184789ca29255fe79b117100e3eecc88
.data, 0x1F000, 0xCE0, 0xE00, 1.53, 1c72698ab4fc2415819a5c41d4af08d7
.rsrc, 0x20000, 0xC4D0, 0xC600, 4.71, 2dd7d48a351da7de5bda739400446f86
.reloc, 0x2D000, 0x19D8, 0x1A00, 6.59, 0b28464b56662ee60a1cdcc4fca9ab0f

[[ 13 import(s) ]]
msvcrt.dll: _adjust_fdiv, _amsg_exit, _initterm, wcstol, wcschr, _wcsicmp, free, malloc, __dllonexit, _wcsnicmp, _ltow, _purecall, _vsnwprintf, __2@YAPAXI@Z, bsearch, wcsncmp, memset, memcpy, memmove, realloc, _unlock, _lock, _onexit, _XcptFilter, _wtoi, __3@YAXPAX@Z
KERNEL32.dll: LocalAlloc, ReleaseActCtx, ActivateActCtx, DeactivateActCtx, InitializeCriticalSectionAndSpinCount, SetLastError, FindResourceExW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, SearchPathW, CreateActCtxW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, RtlUnwind, InterlockedCompareExchange, Sleep, InterlockedExchange, GetTimeFormatW, GetDateFormatW, GetLocalTime, GetProcAddress, LoadLibraryW, GetLocaleInfoW, MulDiv, GlobalUnlock, GlobalLock, LocalFree, GetDiskFreeSpaceA, WriteFile, GetSystemTimeAsFileTime, GetLastError, InterlockedDecrement, InterlockedIncrement, FileTimeToSystemTime, SystemTimeToFileTime, CompareStringW, LoadLibraryA, GetModuleFileNameA, GetFullPathNameA, SearchPathA, LoadLibraryExA, GetVersionExW, GetModuleFileNameW, lstrlenW, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, lstrlenA, FreeLibrary, CreateFileW, CreateFileMappingW, CloseHandle, MapViewOfFile, UnmapViewOfFile, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetModuleHandleW, InitializeCriticalSection, DeleteCriticalSection, HeapDestroy, DisableThreadLibraryCalls, GetUserDefaultLCID, GlobalAlloc, GlobalFree, CompareFileTime
ADVAPI32.dll: GetUserNameW, RegEnumKeyExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegQueryValueExW, RegSetValueExW, RegQueryInfoKeyW
SHLWAPI.dll: -, StrCmpW, -, PathAddBackslashW, SHRegGetValueW, StrCpyW, -, -, -, StrCmpIW, StrCpyNW, PathFindFileNameW, -, wnsprintfW, PathCombineA, PathAppendA, StrCmpNIW, StrDupW, SHGetValueW
ole32.dll: CreateBindCtx, CoCreateInstance, CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CLSIDFromProgID, CLSIDFromString, CreateStreamOnHGlobal
OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
GDI32.dll: EndPage, StartDocW, EndDoc, CreateICW, GetDeviceCaps, SetViewportOrgEx, AbortDoc, StartPage, DeleteDC, CreateDCW
USER32.dll: GetDesktopWindow, CharNextW, MessageBoxW, LoadStringW
urlmon.dll: FaultInIEFeature, CoInternetParseUrl, CreateUri, CoInternetCombineUrlEx, RegisterBindStatusCallback, CoInternetCreateSecurityManager
WININET.dll: CreateUrlCacheContainerA, InternetCombineUrlW, InternetQueryOptionW, InternetGetConnectedStateExW, RetrieveUrlCacheEntryStreamW, GetUrlCacheEntryInfoW, FindCloseUrlCache, FindNextUrlCacheEntryW, FindFirstUrlCacheEntryW, InternetCrackUrlW, CommitUrlCacheEntryW, CreateUrlCacheEntryW, UnlockUrlCacheEntryStream, ReadUrlCacheEntryStream, DeleteUrlCacheEntryW
SHELL32.dll: -, SHGetFolderPathA, -, -, SHGetDesktopFolder
WINSPOOL.DRV: OpenPrinterW, GetPrinterW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
iertutil.dll: -, -, -, -, -

[[ 5 export(s) ]]
DllCanUnloadNow, DllEnumClassObjects, DllGetClassObject, DllRegisterServer, DllUnregisterServer
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 122368
CompanyName: Microsoft Corporation
EntryPoint: 0x1589
FileDescription: Internet Explorer Peer Objects
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 180 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 8.00.6001.18968 (longhorn_ie8_gdr.100824-1830)
FileVersionNumber: 8.0.6001.18968
ImageVersion: 6.0
InitializedDataSize: 60928
InternalName: iepeers.dll
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.0
ObjectFileType: Dynamic link library
OleSelfRegister:
OriginalFilename: iepeers.dll
PEType: PE32
ProductName: Windows Internet Explorer
ProductVersion: 8.00.6001.18968
ProductVersionNumber: 8.0.6001.18968
Subsystem: Windows GUI
SubsystemVersion: 5.1
TimeStamp: 2010:09:10 07:58:05+02:00
UninitializedDataSize: 0

VT Community

Jack&Jill · Nov 30, 2010

Hello Jack

,

We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix. Please minimize going online when your security softwares are disabled or not active.

First step:

Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
For version 1.6, the steps are similar to either one of the below.
If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version:

Open Spybot S&D.
Click Mode, choose Advanced Mode.
Go to the bottom of the vertical panel on the left, click Tools.
Then, also in left panel, click on Resident that shows a red/white shield.
If your firewall raises a question, say OK.
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
OK any prompts.
Exit Spybot S&D and reboot your machine for the changes to take effect.

Remember to enable it after the fix.

--------------------

Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Install Recovery Console and run ComboFix

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here and here.
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. the ComboFix log

Jack Fischer · Dec 1, 2010

Redirect Problems in San Jose, CA

Please don't close this thread. I was unable to work on this last night, but I'll dive in tonight.

Cheers,

jack fischer

:

Jack Fischer · Dec 2, 2010

Redirect Problems in San Jose, CA

Hi.

I turned off spybot and my Avira software and downloaded and ran Combofix. It installed Microsoft Windows Recovery Console but when it began to scan for malware it again crashed and gave me a blue screen with this:

A problem was detected and windows was shut down to prevent damage.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical info:

stop:0x000000D1 (0x3F3F3F, 0x00000002,0x00000000,0xF77c33ce)
IdeChnDr.Sys-Address F77C33CE base at F77C3000,DateStamp 3bd89c65

Beginning dump of physical memory...

What now?

Thanks very much for all your patience with this. I can't believe what a pain it is.:red:

jack

Jack&Jill · Dec 2, 2010

Hello Jack

,

Is there a log produced, C:\ComboFix.txt?

--------------------

The file IdeChnDr.sys is related to Intel's Application Accelerator. Is your hard drive RAID configured?

Check for RAID via Disk Management

Go to Start > Run.... Copy and paste the following text into the white box:
Code:
```
diskmgmt.msc
```
Click OK. A Disk Management window will open.
At the bottom pane under Disk 0, do you see the word Basic or Dynamic?
At the lowest portion of the window where legend of the disk type is shown, do you observe any of these five words: simple, spanned, striped, mirrored or RAID-5?
Post back the information and close the Disk Management window.

--------------------

Check IdeChnDr.sys with OTL

Double click on OTL.exe to run it.
Make sure all the None options is checked (ticked). There are eight of them.
Copy and paste the following into the white box under Custom Scans/Fixes:
Code:
```
/md5start
IdeChnDr.sys
/md5stop
```
Click on Run Scan at the top left hand corner. This might take a while.
When done, the OTL.txt file will open. Please post back the contents of this log.

--------------------

Please post back:
1. ComboFix log, if any
2. information about you hard drive and from the Disk Management
3. OTL log

Jack Fischer · Dec 2, 2010

Redirect Problems in San Jose, CA

Okay:

1) No log generated. It crashed pretty quickly.

2) Disk management returns the following info:

Under Disk 0 it says "basic". Under that it says 37.24Gb, online. To the right of that in a small box it says 31MB FAT. To the right Of that, in a small box it says (C

and then 37.21GB NTFS.

I don't see any of the five words you were seeking.

3) OTL Log:

OTL logfile created on: 12/2/2010 3:29:44 PM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joycellen Floyd\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 555.00 Mb Available Physical Memory | 54.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 11.56 Gb Free Space | 31.06% Space Free | Partition Type: NTFS
Drive D: | 7.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DELL | User Name: Joycellen Floyd | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: IDECHNDR.SYS >
[2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\Program Files\Intel\Intel Application Accelerator\Driver\idechndr.sys
[2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\WINDOWS\system32\drivers\IdeChnDr.sys

< End of report >

Jack

Jack&Jill · Dec 3, 2010

Hello Jack

,

Based on the information I see, it should be alright to try uninstalling the Intel Application Accelerator via Control Panel > Add/Remove Programs. However, just to be safe, please backup all your important data to a CD before you do that.

Do a reboot and let me know how it goes, then we will move to the next step.

Jack Fischer · Dec 3, 2010

Redirect Problems in San Jose, CA

Okay, intell accelerator uninstalled. When it rebooted it repeatedly gave me a message saying " windows has recovered from a serious error. Send report?" About ten times and then it stopped.

What next?

Best,

jack

Jack&Jill · Dec 3, 2010

Hello Jack

,

Reset paging file

Go to Start, then right click on My Computer. Select Properties. You can also do the same via the My Computer icon on the desktop.
Click on the Advanced tab, then Settings under the Performance section.
Go to the Advanced tab in this new window. Click Change under the Virtual Memory section.
Take note which is the original setting; Custom size or System managed size. If it is the former, write down the figures in the two white boxes.
Select No paging file and press Set. You will be prompted, click Yes. OK your way out.
You will be requested to restart the computer. Please do.
Once rebooted, go to the Virtual Memory section again and put back the original setting, press Set, and finally OK your way out.

Did this clear off the error message in your next reboot?

--------------------

Please run ComboFix and post back the result.

--------------------

Please post back:
1. any more error message?
2. ComboFix log

Jack Fischer · Dec 4, 2010

Redirect Problems in San Jose, CA

The error messages were gone when I rebooted after changing the settings as suggested. :thanks:

Combofix ran this time. Here is the log:

ComboFix 10-12-03.01 - Joycellen Floyd 12/03/2010 21:15:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.588 [GMT -8:00]
Running from: c:\documents and settings\Joycellen Floyd\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joycellen Floyd\Favorites\biointensive gardening supplies, seeds, garden tools, books, Bountiful Gardens, growbiointensive.ur
c:\documents and settings\Joycellen Floyd\Recent\energy.tmp
c:\documents and settings\Joycellen Floyd\Recent\FS.tmp
c:\documents and settings\Joycellen Floyd\Recent\kernel32.tmp
C:\Thumbs.db
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\patch.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.

2010-11-27 20:38 . 2010-11-27 20:38 -------- d-----w- c:\documents and settings\Joycellen Floyd\Application Data\Avira
2010-11-20 19:13 . 2010-11-20 19:13 -------- d-----w- c:\program files\7-Zip
2010-11-20 07:38 . 2010-11-20 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-11-06 01:18 . 2010-11-06 01:18 -------- d-----w- c:\program files\Common Files\SWiSHzone.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 02:18 . 2009-06-10 05:28 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-07-14 05:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2010-07-14 05:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2005-06-18 06:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-01-08 16:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-01-08 16:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-23 05:28 . 2006-04-29 06:48 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 67128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-23 30192]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/9/2009 9:28 PM 135336]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/4/2004 10:43 PM 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [1/4/2004 10:43 PM 6942]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [3/4/2010 4:13 PM 31848]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 11:24 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/28/2006 10:46 PM 30192]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [3/4/2010 4:13 PM 31848]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-17 03:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-09 01:48]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 07:24]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {60F5C72D-84E8-445A-94E7-F84C3A33E924} - hxxp://haserv1.liveglobalbid.com/lgbmpr.cab
FF - ProfilePath - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\Joycellen Floyd\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Joycellen Floyd\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Joycellen Floyd\Application Data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1136874479\ee\AOLSoftware.exe
MSConfigStartUp-Kernel and Hardware Abstraction Layer - KHALMNPR.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\docume~1\JOYCEL~1\LOCALS~1\Temp\7zOD7.tmp\MustBeRandomlyNamed\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-03 21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\Netropa\OSD.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\locator.exe
.
**************************************************************************
.
Completion time: 2010-12-03 21:35:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-04 05:35

Pre-Run: 12,674,293,760 bytes free
Post-Run: 12,791,783,424 bytes free

- - End Of File - - 024818BB221DE4DBB1D08E068E601985

What's next?

Best,

jack

Jack&Jill · Dec 5, 2010

Hello Jack

,

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problem running the scan, you might want to disable any real time protection that you have.

Click here to go to ESET Online Scanner page.
Click on ESET Online Scanner. A new window will open.
For FireFox user, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Does the redirect happen when you use both Firefox and Internet Explorer? Or only specific one browser?

You missed this question earlier. Is the redirect still happening?

--------------------

Please post back:
1. the ESET online scan result
2. the answer to my question about the redirect

Jack Fischer · Dec 6, 2010

Redirect Problems in San Jose, CA

Here's the scan results from ESET. It found 13 threats.

C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\18\66ebb892-36f79909 a variant of Java/Rowindal.A trojan
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\2\72e3a02-3b65c4e5 probably a variant of Win32/Agent.FXHNPDJ trojan
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\26\2fe9a31a-6f441726 multiple threats
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\218affdd-22b23cb5 a variant of Java/Rowindal.A trojan
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\5363d3dd-36bf6409 multiple threats
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\31\f29bcdf-369b161c multiple threats
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\48\6eeafe70-562fa418 probably a variant of Win32/Agent.FXHNPDJ trojan
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-79650f5d multiple threats
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\50\555c00b2-5e2c97cd a variant of Java/Rowindal.A trojan
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\56\64916bb8-60247aaa multiple threats
C:\Documents and Settings\Joycellen Floyd\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll probably a variant of Win32/Adware.Toolbar.Visicom.AB application
C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe Win32/Adware.HiWire application

What now?

Jack&Jill · Dec 6, 2010

Hello Jack

,

Does the redirect happen when you use both Firefox and Internet Explorer? Or only specific one browser?

Click to expand...

You missed this question earlier. Is the redirect still happening?

This is the second time you miss my questions. Please read my instructions slowly and carefully. If you do not provide such information, I will not be able to help you. Please provide them. Thanks.

--------------------

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

--------------------

Please post back:
1. the answer to my questions
2. old MBAM report

Jack Fischer · Dec 6, 2010

Redirect Problems in San Jose, CA

The redirect happens with both browsers.

The redirect was still happening earlier today. I have not seen it in the past half hour or so since I ran ESET, but sometimes it takes longer than that to open another window. I can tell you with more certainty in a day or so.

Here's the most recent log from malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5118

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/15/2010 12:05:00 AM
mbam-log-2010-11-15 (00-05-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 219836
Time elapsed: 1 hour(s), 25 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Note that it showed no malicous items even though ESET found several.

What about the results from ESET? It showed 13 threats.

Best,

jack

Jack&Jill · Dec 6, 2010

Hello Jack

,

The redirect happens with both browsers.
The redirect was still happening earlier today. I have not seen it in the past half hour or so since I ran ESET, but sometimes it takes longer than that to open another window. I can tell you with more certainty in a day or so.

I need more details and symptoms. Does it happen when you click on a link? What sites does it go to? Please use such method to state the websites: badsite[dot]com.

Note that it showed no malicous items even though ESET found several.
What about the results from ESET? It showed 13 threats.

We will deal with them in due course. One of them is a false positive and will be excluded from our fix. Infections nowadays are getting tougher, so sometimes identifying them may need some extra efforts. It would be good to know what we are up against before making any further moves because such enthusiasm may result in an unbootable machine. Hope you will be patient.

--------------------

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here and here.

Open Notepad. Copy and paste the following text into it:

Code:

File::
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\18\66ebb892-36f79909
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\2\72e3a02-3b65c4e5
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\26\2fe9a31a-6f441726
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\218affdd-22b23cb5
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\5363d3dd-36bf6409
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\31\f29bcdf-369b161c
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\48\6eeafe70-562fa418
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-79650f5d
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\50\555c00b2-5e2c97cd
C:\Documents and Settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\56\64916bb8-60247aaa
C:\Documents and Settings\Joycellen Floyd\My Documents\Downloads\registrybooster.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe

FileLook::
c:\windows\System32\locator.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

Firefox::
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update, please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.

--------------------

I want you to update MBAM and run a scan.

Open MBAM and click on the Update tab, then Check for Updates.
When completed, go to back to the Scanner tab and select Perform full scan. Click Scan.
Leave the default options as it is and click on Start Scan.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Some of the previous scans I asked you to run were not successful due BSODs, thus we will need to try running some of them again. This means you will be running a series of tools to post back the logs. Let start with DDS. Please rerun DDS and post back the logs (DDS.txt and Attach.txt).

--------------------

Rerun OTL

Double click on OTL.exe to run it.
Make sure all the Use SafeList options is checked (ticked). There are six of them.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
Note: These files are saved as OTL.txt and Extras.txt on the desktop.

--------------------

Rerun GMER

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
If you need help to disable your protection programs see here and here.
Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked).
- Uncheck IAT/EAT
- Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
- Uncheck Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Enable back your security softwares as soon as you completed the GMER steps.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.

--------------------

Please post back:
1. more information about the redirect
2. ComboFix log
3. new MBAM report
4. new DDS logs (DDS.txt and Attach.txt)
5. OTL log (OTL.txt only)
6. GMER result

Jack Fischer · Dec 7, 2010

Redirect Problems in San Jose, CA

Hi Jack and/or Jill.

:

It does, indeed happen when I click on a link, but no always and there is no pattern I can see as to when it happens. It usually seems to take me to a site that says the computer is infected with viruses and asking if I want to do something about it. I don't have the URL now, but will save and send one as soon as I get it. The malware also randomly throws open new windows. Sometimes these go to legitimate seeming sites, like Lycos. Other times commercial sites. One I recall that came up repeatedly for a while was for China TV. Still other times the site fails to load.

I will save and send some specific bad sites as soon as I get more.

Here is the new log from combofix:

ComboFix 10-12-04.06 - Joycellen Floyd 12/06/2010 17:50:26.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.573 [GMT -8:00]
Running from: c:\documents and settings\Joycellen Floyd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joycellen Floyd\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\18\66ebb892-36f79909"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\2\72e3a02-3b65c4e5"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\26\2fe9a31a-6f441726"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\218affdd-22b23cb5"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\5363d3dd-36bf6409"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\31\f29bcdf-369b161c"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\48\6eeafe70-562fa418"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-79650f5d"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\50\555c00b2-5e2c97cd"
"c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\56\64916bb8-60247aaa"
"c:\documents and settings\Joycellen Floyd\My Documents\Downloads\registrybooster.exe"
"c:\program files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\18\66ebb892-36f79909
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\2\72e3a02-3b65c4e5
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\26\2fe9a31a-6f441726
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\218affdd-22b23cb5
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\29\5363d3dd-36bf6409
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\31\f29bcdf-369b161c
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\48\6eeafe70-562fa418
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-79650f5d
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\50\555c00b2-5e2c97cd
c:\documents and settings\Joycellen Floyd\Application Data\Sun\Java\Deployment\cache\6.0\56\64916bb8-60247aaa

.
((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
.

2010-12-06 01:05 . 2010-12-06 01:05 -------- d-----w- c:\program files\ESET
2010-11-27 20:38 . 2010-11-27 20:38 -------- d-----w- c:\documents and settings\Joycellen Floyd\Application Data\Avira
2010-11-20 19:13 . 2010-11-20 19:13 -------- d-----w- c:\program files\7-Zip
2010-11-20 07:38 . 2010-11-20 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 02:18 . 2009-06-10 05:28 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-07-14 05:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2010-07-14 05:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2005-06-18 06:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-01-08 16:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-01-08 16:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-23 05:28 . 2006-04-29 06:48 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\System32\locator.exe ---
Company: Microsoft Corporation
File Description: Rpc Locator
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: locator.exe
File size: 75264
Created time: 2002-12-04 02:50
Modified time: 2008-04-14 00:12
MD5: AAED593F84AFA419BBAE8572AF87CF6A
SHA1: 7E2CC7D2DA54EE5D36FF5BC95972232983C076BB

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 67128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-23 30192]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/9/2009 9:28 PM 135336]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [1/4/2004 10:43 PM 6942]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [3/4/2010 4:13 PM 31848]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 11:24 PM 135664]
S2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/4/2004 10:43 PM 28672]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/28/2006 10:46 PM 30192]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [3/4/2010 4:13 PM 31848]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WMIAPSRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-17 03:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-09 01:48]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 07:24]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {60F5C72D-84E8-445A-94E7-F84C3A33E924} - hxxp://haserv1.liveglobalbid.com/lgbmpr.cab
FF - ProfilePath - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\Joycellen Floyd\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Joycellen Floyd\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\Joycellen Floyd\Application Data\Mozilla\Firefox\Profiles\q8ifr7p2.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Joycellen Floyd\Application Data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 17:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-06 18:02:45
ComboFix-quarantined-files.txt 2010-12-07 02:02
ComboFix2.txt 2010-12-04 05:35

Pre-Run: 12,640,014,336 bytes free
Post-Run: 12,621,516,800 bytes free

- - End Of File - - 17827C9C4D02B3770870499D16DB86DB

That was pretty long so I'll open a new reply for the rest.

Jack Fischer · Dec 7, 2010

Redirect Problems in San Jose, CA

Here's the new log for MBAM:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5259

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/6/2010 8:29:05 PM
mbam-log-2010-12-06 (20-29-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 211902
Time elapsed: 1 hour(s), 15 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's the new DDS text:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Joycellen Floyd at 20:31:49.78 on Mon 12/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.323 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\Joycellen Floyd\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AOL Toolbar search
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
DPF: {60F5C72D-84E8-445A-94E7-F84C3A33E924} - hxxp://haserv1.liveglobalbid.com/lgbmpr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124349026031
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joycel~1\applic~1\mozilla\firefox\profiles\q8ifr7p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\joycellen floyd\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\joycellen floyd\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-9 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-9 61960]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2004-1-4 28672]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2004-1-4 6942]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2010-3-4 31848]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-4-28 30192]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2010-3-4 31848]

=============== Created Last 30 ================

2010-12-07 02:17:45 709456 ----a-w- c:\windows\isRS-000.tmp
2010-12-06 01:05:52 -------- d-----w- c:\program files\ESET
2010-12-02 05:33:55 -------- d-sha-r- C:\cmdcons
2010-12-02 05:30:13 98816 ----a-w- c:\windows\sed.exe
2010-12-02 05:30:13 89088 ----a-w- c:\windows\MBR.exe
2010-12-02 05:30:13 256512 ----a-w- c:\windows\PEV.exe
2010-12-02 05:30:13 161792 ----a-w- c:\windows\SWREG.exe
2010-11-27 20:38:06 -------- d-----w- c:\docume~1\joycel~1\applic~1\Avira

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 20:33:47.82 ===============

And the attach text:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/4/2004 10:22:13 PM
System Uptime: 12/6/2010 6:18:39 PM (2 hours ago)

Motherboard: Intel Corporation | | D845PT
Processor: Intel(R) Pentium(R) 4 CPU 1.60GHz | J1E1 | 1594/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 11.762 GiB free.
D: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt

==== System Restore Points ===================

RP1629: 10/3/2010 12:57:54 PM - System Checkpoint
RP1630: 10/4/2010 6:57:08 PM - System Checkpoint
RP1631: 10/5/2010 7:33:51 PM - System Checkpoint
RP1632: 10/6/2010 7:57:57 PM - System Checkpoint
RP1633: 10/6/2010 11:31:58 PM - Software Distribution Service 3.0
RP1634: 10/8/2010 2:16:36 AM - System Checkpoint
RP1635: 10/8/2010 3:00:20 AM - Software Distribution Service 3.0
RP1636: 10/9/2010 10:23:16 AM - System Checkpoint
RP1637: 10/10/2010 2:00:24 PM - System Checkpoint
RP1638: 10/11/2010 8:03:15 PM - System Checkpoint
RP1639: 10/13/2010 7:24:18 AM - System Checkpoint
RP1640: 10/13/2010 10:15:11 PM - Software Distribution Service 3.0
RP1641: 10/14/2010 7:49:46 AM - Installed Connect Service
RP1642: 10/15/2010 8:41:25 PM - System Checkpoint
RP1643: 10/17/2010 12:00:28 AM - System Checkpoint
RP1644: 10/18/2010 1:44:49 AM - System Checkpoint
RP1645: 10/19/2010 5:44:43 AM - System Checkpoint
RP1646: 10/20/2010 8:33:58 AM - System Checkpoint
RP1647: 10/21/2010 8:23:28 PM - System Checkpoint
RP1648: 10/22/2010 9:28:40 PM - System Checkpoint
RP1649: 10/24/2010 9:08:58 AM - System Checkpoint
RP1650: 10/25/2010 8:05:20 PM - System Checkpoint
RP1651: 10/27/2010 7:14:52 AM - System Checkpoint
RP1652: 10/28/2010 9:14:24 AM - System Checkpoint
RP1653: 10/29/2010 12:05:32 PM - System Checkpoint
RP1654: 10/30/2010 3:00:59 PM - System Checkpoint
RP1655: 10/31/2010 3:01:20 PM - System Checkpoint
RP1656: 11/1/2010 7:18:55 PM - System Checkpoint
RP1657: 11/3/2010 7:13:39 AM - System Checkpoint
RP1658: 11/4/2010 11:11:10 AM - System Checkpoint
RP1659: 11/5/2010 7:11:47 PM - System Checkpoint
RP1660: 11/6/2010 3:49:20 PM - Installed Java(TM) 6 Update 22
RP1661: 11/7/2010 2:49:41 PM - System Checkpoint
RP1662: 11/8/2010 2:57:39 PM - System Checkpoint
RP1663: 11/10/2010 7:51:12 AM - System Checkpoint
RP1664: 11/10/2010 9:40:49 PM - Software Distribution Service 3.0
RP1665: 11/12/2010 1:00:05 PM - System Checkpoint
RP1666: 11/13/2010 1:06:03 PM - System Checkpoint
RP1667: 11/14/2010 6:44:05 PM - System Checkpoint
RP1668: 11/15/2010 10:18:07 PM - System Checkpoint
RP1669: 11/17/2010 8:04:40 AM - System Checkpoint
RP1670: 11/18/2010 9:00:16 PM - System Checkpoint
RP1671: 11/20/2010 1:02:39 AM - System Checkpoint
RP1672: 11/21/2010 10:02:42 AM - System Checkpoint
RP1673: 11/22/2010 6:33:02 PM - System Checkpoint
RP1674: 11/22/2010 9:19:12 PM - Removed Microsoft Office Professional Edition 2003
RP1675: 11/22/2010 9:25:44 PM - Removed Microsoft Office Word Viewer 2003
RP1676: 11/23/2010 6:12:46 PM - Installed Connect Service
RP1677: 11/24/2010 6:47:09 PM - System Checkpoint
RP1678: 11/25/2010 9:19:26 PM - System Checkpoint
RP1679: 11/26/2010 10:02:10 PM - System Checkpoint
RP1680: 11/27/2010 10:47:34 PM - System Checkpoint
RP1681: 11/29/2010 6:48:37 PM - System Checkpoint
RP1682: 11/30/2010 9:30:13 PM - System Checkpoint
RP1683: 12/2/2010 4:08:17 PM - System Checkpoint
RP1684: 12/3/2010 4:10:59 PM - System Checkpoint
RP1685: 12/4/2010 4:59:18 PM - System Checkpoint
RP1686: 12/5/2010 6:35:44 PM - System Checkpoint

==== Installed Programs ======================

3D Groove Playback Engine
7-Zip 9.20
Actiontec Gateway
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0.7
Adobe Reader 9.4.1
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Magic-i 3
ArcSoft WebCam Companion 2
ATI Display Driver
Avery® Wizard 2.1 for Microsoft® Word 2002
Avira AntiVir Personal - Free Antivirus
Bonjour
Canon iP1800 series
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K Data Fax PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell ResourceCD
DellTouch
Elf Bowling 3 (remove only)
EPSON CardMonitor
EPSON PictureMate User's Guide
EPSON Printer Software
ERUNT 1.1j
ESET Online Scanner v3
FreshDiagnose
FUJIFILM USB Driver
Google Chrome
Google Desktop
Google Desktop Plugin - eBay Watcher
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 5550 series
ICC Color Profiles
Ink Monitor
iPod for Windows User Guide
iPod System Software Updater 2.0.1
iTunes
Java Auto Updater
Java(TM) 6 Update 22
Lame ACM MP3 Codec
Learn2 Player (Uninstall Only)
Logitech Desktop Messenger
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Minolta DiMAGE Scan Dual3 ver 1.0
Move Media Player
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.6)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
MUSICMATCH iPod Plug-in
MUSICMATCH® Jukebox
PixiePack Codec Pack
QTRgui
Quicken 2007
QuickTime
Real Estate Transaction Viewer
RealPlayer
REAP LITE
Safari
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Shutterfly Plugin
Sierra On-Line Games (Remove only)
Skype Toolbars
Skype™ 4.2
SoundMAX
Spybot - Search & Destroy
Tunebite
ubi.com
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Driver Vers. 3.2
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinZip
Works Suite OS Pack
Works Synchronization

==== Event Viewer Messages From Past Week ========

12/6/2010 5:31:34 PM, error: Print [6161] - The document Chiropractic - Wikipedia, t... owned by Joycellen Floyd failed to print on printer Canon iP1800 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\DELL. Win32 error code returned by the print processor: 259 (0x103).
12/3/2010 9:33:19 PM, error: Service Control Manager [7016] - The EPSON V3 Service2(02) service has reported an invalid current state 0.
12/3/2010 9:25:59 PM, error: Print [19] - Sharing printer failed + 1722, Printer hp deskjet 5550 series share name hpdeskje.
12/3/2010 6:17:12 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.1.5. The machine with the IP address 192.168.1.3 did not allow the name to be claimed by this machine.
12/2/2010 10:56:28 PM, error: System Error [1003] - Error code 100000d1, parameter1 0a050017, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:56:26 PM, error: System Error [1003] - Error code 100000d1, parameter1 021f0017, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:56:22 PM, error: System Error [1003] - Error code 100000d1, parameter1 00030017, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:56:19 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000003, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:56:15 PM, error: System Error [1003] - Error code 100000d1, parameter1 3f3f3f3f, parameter2 00000002, parameter3 00000000, parameter4 f77c33ce.
12/2/2010 10:55:27 PM, error: System Error [1003] - Error code 100000d1, parameter1 0a0a0003, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:55:08 PM, error: System Error [1003] - Error code 100000d1, parameter1 0a140017, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/2/2010 10:54:23 PM, error: System Error [1003] - Error code 100000d1, parameter1 0a040017, parameter2 00000005, parameter3 00000000, parameter4 f77c6e3e.
12/1/2010 9:35:58 PM, error: Service Control Manager [7034] - The Netropa NHK Server service terminated unexpectedly. It has done this 1 time(s).
11/29/2010 6:31:39 PM, error: Print [6161] - The document VirusTotal - Free Online Vi... owned by Joycellen Floyd failed to print on printer Canon iP1800 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 1301380. Number of bytes printed: 1030720. Total number of pages in the document: 3. Number of pages printed: 0. Client machine: \\DELL. Win32 error code returned by the print processor: 13 (0xd).
11/29/2010 6:06:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================

I'll start another new reply.

Jack Fischer · Dec 7, 2010

Redirect Problems in San Jose, CA

And here's the new OTL text:

OTL logfile created on: 12/6/2010 8:37:04 PM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joycellen Floyd\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 321.00 Mb Available Physical Memory | 31.00% Memory free
926.00 Mb Paging File | 367.00 Mb Available in Paging File | 40.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 11.76 Gb Free Space | 31.61% Space Free | Partition Type: NTFS
Drive D: | 7.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DELL | User Name: Joycellen Floyd | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== LOP Check ==========

[2008/12/14 14:33:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/11/15 14:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/03/07 17:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2008/10/14 21:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/03/07 17:59:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
[2006/01/18 21:26:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/06/05 14:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/23 17:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/12 21:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/09 22:11:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/06 20:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/01/11 22:49:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Acoustica
[2009/09/11 20:31:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Amazon
[2010/08/02 07:47:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Cisco
[2006/01/18 19:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Digital Photo Slide Show
[2005/04/14 18:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\ICAClient
[2004/01/05 21:12:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Leadertech
[2004/05/19 12:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Learn2.com
[2006/01/20 19:26:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Netscape
[2008/05/01 20:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Opera
[2009/11/14 11:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\QuadToneRIP
[2010/10/10 11:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Thunderbird
[2004/05/30 15:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\ubi.com
[2006/01/18 21:17:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Ulead Systems
[2010/06/05 14:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joycellen Floyd\Application Data\Uniblue

========== Purity Check ==========

< End of report >

I can't find the extras file. The machine crashed once during GMER and I hadn't yet saved extras.

It's late here now. I'll rerun OTL and GMER tomorrow and send them to you.

Thanks!

jack

Redirect Problems San Jose CA

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

Security Expert- Emeritus

New member

New member

New member