# Browser Keeps Redirecting



## tdarron (Mar 4, 2009)

Seems this particular issue has hit many people as of late. For me it originally started with the 'Windows AntiVirus Pro' rogue program (the one that acts like it's a virus scanner and shuts down access to just about any program). I fixed that particular issue, but the problem with the browser redirects is still plaguing me. Random links (usually on Google) send me to advertisements, dead-end sites and all the wonderful other sites that waste bandwidth. However, I have found that typing a URL into the address bar or pasting one in (from 'copy link location') is unaffected by the redirects; only clicking is.

Just like all the other issues, MBAM, Avira, and SUPERAntiSpyware do not pick it up. I ran a HJT log, which I will have at the end of this post; in particular the O17 lines look oddly suspicious, but I have not altered them yet and don't plan on doing so until it is suggested that I am correct.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:19 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thomas Darron\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10754 bytes


----------



## tdarron (Mar 4, 2009)

So, upon looking further, it seems one of the root problems with this particular bug is that it changes your DNS server address, which, sure enough, I looked at my DNS through the TCP/IP properties and saw that the address in line O17 was the same as my DNS. So I am positive that line O17 should be fixed. I hope this helps you all solve my problem faster.


----------



## tdarron (Mar 4, 2009)

Huh, another oddity, although probably unrelated, is that I keep getting kicked off MSN messenger about a second after I log in. As I said, most likely unrelated, but I figured I would tack it on.


----------



## tdarron (Mar 4, 2009)

I'm sure you all hate it when people bump, but I figured I would let you all know that I am still active on here so I wouldn't take up too much time.


----------



## tdarron (Mar 4, 2009)

Should be on for the rest of today (5-7 hours) so if anyone is able to help, I will be here.


----------



## tdarron (Mar 4, 2009)

Hurm, might be on for about 2-3 more hours.


----------



## tdarron (Mar 4, 2009)

I've got classes this week and it would be great to have this all cleared up by then. So if any of you all have time, I would be most appreciative. That, and I usually do this sort of stuff fast.


----------



## tdarron (Mar 4, 2009)

bump


----------



## muppy03 (Jun 19, 2006)

Hello and welcome to *TSG*

*IMPORTANT*

Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:- 

Continue to respond to this thread until I give you the *All Clean!*
Please *DO NOT* uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs. 
Please *do not* run any scans other than those requested and *do not* post any logs/reports unless specifically requested to do so.
Please follow all instructions in the order posted. 
If you have any questions or do not understand instructions, please ask *before* continuing.
Please reply to this thread. *Do not* start a new topic. 



> For me it originally started with the 'Windows AntiVirus Pro' rogue program. I fixed that particular issue


What did you run to fix this? Was it *Malwarebytes' Anti-Malware*? If so, please post the log; it can be found here:-

C:\Documents and Settings\_Username_\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*mbam-log-date (time).txt*

*Make an uninstall list using HijackThis*
To access the Uninstall Manager you would do the following:

Start *HijackThis*
Click on the *Config* button
Click on the *Misc Tools* button
Click on the *Open Uninstall Manager* button.
Click on the *Save list...* button and specify where you would like to save this file. When you press *Save* button a notepad will open with the contents of that file. Save the file to your desktop.

Please reply with:-

 MBAM log
 Uninstall list


----------



## tdarron (Mar 4, 2009)

It took me multiple attempts to clear it with MBAM. So let me post both logs, starting with the most recent.

Malwarebytes' Anti-Malware 1.40
Database version: 2631
Windows 5.1.2600 Service Pack 3

8/15/2009 6:19:37 PM
mbam-log-2009-08-15 (18-19-37).txt

Scan type: Quick Scan
Objects scanned: 101891
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


And now for the previous one.

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 3

8/15/2009 5:16:07 PM
mbam-log-2009-08-15 (17-16-07).txt

Scan type: Quick Scan
Objects scanned: 73986
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.


Uninstall list:
Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Audiosurf Demo
Avira AntiVir Personal - Free Antivirus
Bonjour
Business tycoon
CDisplay 1.8
Choice Guard
Command & Conquer 3
Command & Conquer Generals
Command & Conquer Red Alert 2
Command & Conquer™ Red Alert™ 3
Command and ConquerTM Generals Zero Hour
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Crayon Physics Deluxe Demo - release 52
Creative MediaSource 5
Creative Software AutoUpdate
Crysis(R)
Darwinia Demo
Dawn of War - Dark Crusade
Deathmatch Classic
Defcon
Defcon v1.43
Dev-C++ 4
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
Dyson v1.20
East India Company and Pirate Bay Addon
Fallout Mod Manager 0.9.15
Firebird 2.1.0.16780 (Win32)
FL Studio 7
Fraps
FreeMind
Game Jackal v3.1.1.0 (32 bit)
Google Desktop
Google Earth
GreenLife Emerald Viewer 1.23.4 (577)
Guild Wars
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hyperdesk - DarkMatter Gamma Ray
IL Download Manager
InterVideo WinDVD
ISO Recorder
iTunes
Java(TM) 6 Update 13
K-Lite Codec Pack 4.2.5 (Full)
Left 4 Dead
Linksys Wireless-G PCI Adapter
Malwarebytes' Anti-Malware
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Corporation
Microsoft DirectX SDK (August 2007)
Microsoft Games for Windows - LIVE 
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Reader
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
mIRC
Morphine
Mozilla Firefox (3.5.2)
Mozilla Thunderbird (2.0.0.22)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Keyboard Driver
Natural Selection 3.2
Nero OEM
Nostromo Array Programming Software
NVIDIA Drivers
NVIDIA nTune
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenAL
Paint.NET v3.36
Pando Media Booster
PCFriendly
PDF Settings
Peggle Extreme
Phun beta 3.5
Portal
Prototype(TM)
PunkBuster Services
QuickTime
RivaTuner v2.02
Rosetta Stone Version 3
SAM Broadcaster (remove only)
SecondLife (remove only)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
SHOUTcast DNAS (remove only)
SHOUTcast Source DSP 1.9.0 (remove only)
Skype™ 4.0
Sound Blaster X-Fi
SpeedFan (remove only)
SPORE™
Steam
SUPERAntiSpyware Free Edition
System Requirements Lab
TBS WMP Plug-in
Team Fortress Classic
Unlocker 1.8.7
Unreal Tournament 3
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Uplink
Ventrilo Client
Versal FileDownload ActiveX Control Trial Version
VLC media player 0.9.9
Westwood Shared Internet Components
Winamp
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver


----------
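Both MBAM logs above report the same Broken.OpenCommand item: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which Windows consults every time a .exe is launched, had been changed from the stock `"%1" %*` to run C:\WINDOWS\system32\desot.exe first, so every program launch passed through the rogue. That is consistent with the "shuts down access to just about any program" symptom in the first post, and the fact that the entry shows up in two scans an hour apart is worth noticing when reading a log like this. The Python below is an added example, not code from the thread or from Malwarebytes: it pulls the Bad/Good pairs out of the "Registry Data Items Infected" section and reports which program was interposed. The sample log is constructed from the two data-item lines in the 6:19 PM log above, and the regular expression for the line format is an assumption based on those lines.

```python
import re

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows XP:
# run the .exe itself ("%1") with whatever arguments followed it (%*).
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Assumed MBAM "Registry Data Items Infected" line format (derived from the two
# lines in the posted log):
#   <key> (<detection>) -> Bad: (<bad value>) Good: (<good value>) -> <action>
DATA_ITEM_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


def parse_mbam_data_items(log_text):
    """Return one dict (key, detection, bad, good, action) per data-item line."""
    items = []
    for line in log_text.splitlines():
        m = DATA_ITEM_RE.match(line.strip())
        if m is not None:
            items.append(m.groupdict())
    return items


def normalize_command(command):
    # Collapse runs of whitespace so cosmetic spacing cannot hide a hijack.
    return " ".join(command.split())


def is_stock_exefile_command(command):
    return normalize_command(command) == STOCK_EXEFILE_COMMAND


def interposed_program(command):
    """Program a hijacked open command runs before the real target, or None.

    Handles both the quoted form ("C:\\Some Dir\\prog.exe" "%1" %*) and the
    unquoted form seen in the log (C:\\WINDOWS\\system32\\desot.exe "%1" %*).
    """
    command = normalize_command(command)
    if is_stock_exefile_command(command):
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else command
    return command.split(" ", 1)[0]


def exefile_hijacks(log_text):
    """(registry key, interposed program) for every Broken.OpenCommand item."""
    return [
        (item["key"], interposed_program(item["bad"]))
        for item in parse_mbam_data_items(log_text)
        if item["detection"] == "Broken.OpenCommand"
        and not is_stock_exefile_command(item["bad"])
    ]


# Constructed sample: the two data-item lines from the 6:19 PM log above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, program in exefile_hijacks(SAMPLE_MBAM_LOG):
        print(f"{key}: every .exe launch was routed through {program}")
```

The same `is_stock_exefile_command` check can be applied to the live value of that key (read with whatever registry tool is at hand) after a cleanup, which is a quicker confirmation that the association has actually been restored than waiting for the next rogue popup.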



## tdarron (Mar 4, 2009)

And thank you very much for taking up my issue.

Although I think I also used Avira to clean out the 'Windows Antivirus pro' as well. But I do not keep logs with avira, even though I should.


----------



## tdarron (Mar 4, 2009)

And speak of the devil, Windows AntiVirus Pro is back again; just got the popup. So I guess this calls for a new HJT log?


----------



## muppy03 (Jun 19, 2006)

Hi,



> in particular the O17 lines look oddly suspicious


The 017s are to do with Cox Communications. Is this your ISP?

NEXT *Download and Run: RSIT*


Download *random's system information tool (RSIT)* by *random/random* from *here* and save it to your desktop.
Double click on *RSIT.exe* to run *RSIT*.
Click *Continue* at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both *log.txt* (<<will be maximized) and *info.txt* (<<will be minimized)

*GMER*

Download *GMER* by GMER from one of the links below:
*Link1*
*Link2*
Unzip it to a folder on your desktop 
Double click on *gmer.exe* to launch *GMER* 
If asked, allow the gmer.sys driver load 
If it warns you about rootkit activity and asks if you want to run scan, click *OK* 
If you don't get a warning then 
Click the *rootkit* tab 
Click *Scan* 

Once the scan has finished, click *copy* 
Paste the log into *notepad* using *Ctrl+V* 
Save it to your desktop as *gmerrk.txt* 
Click on the *>>>* tab 
This will open up the rest of the tabs for you 
Click on the *Autostart* tab 
Click on *Scan* 
Once the scan has finished, click *copy* 
Paste the log into *notepad* using *Ctrl+V* 
Save it to your desktop as *gmerautos.txt* 
Copy and paste the contents of *gmerautos.txt* and *gmerrk.txt* as a reply to this topic 

Please reply with:-

 RSIT logs ( info.txt and log.txt)
 2 x GMER Logs


----------
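tdarron's earlier observation that this infection changes the DNS server address, and muppy03's reply that the O17 addresses belong to Cox, together describe the check a responder would script rather than eyeball: read the NameServer value from every control set and compare each resolver against the ISP's known addresses. The Python below is an added example, not code from the thread or from HijackThis. The allowlist is the two Cox addresses from the posted log (taken as the ISP's resolvers on muppy03's word); the sample log is constructed from the four O17 lines above plus one made-up line with a placeholder interface GUID and a TEST-NET address, and the O17 line format the regular expression expects is an assumption based on those lines.

```python
import re
from ipaddress import ip_address

# Resolvers this ISP is expected to hand out. muppy03 identifies the two O17
# addresses in the thread as Cox Communications; another ISP needs its own list.
ISP_RESOLVERS = {"68.105.28.11", "68.105.29.11"}

# Assumed HijackThis O17 line format (from the posted log):
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4,5.6.7.8
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m is None:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append({"control_set": m.group("cset"),
                        "guid": m.group("guid"),
                        "servers": servers})
    return entries


def audit_nameservers(log_text, allowed=ISP_RESOLVERS):
    """Flag every resolver that is not a valid IP or is not on the allowlist.

    Every control set (CCS, CS1, CS2, ...) is checked on its own: a DNS changer
    that writes to all of them persists across a 'Last Known Good Configuration'
    boot, so a clean CurrentControlSet by itself proves nothing.
    """
    findings = []
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            try:
                ip_address(server)
            except ValueError:
                findings.append((entry["control_set"], server, "not an IP address"))
                continue
            if server not in allowed:
                findings.append((entry["control_set"], server,
                                 "resolver not in ISP allowlist"))
    return findings


# Constructed sample: the four O17 lines from the posted log, plus one made-up
# line (placeholder GUID, TEST-NET address 192.0.2.53) of the kind a DNS
# changer would leave behind.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,68.105.28.11
"""

if __name__ == "__main__":
    for cset, server, reason in audit_nameservers(SAMPLE_HJT_LOG):
        print(f"{cset}: {server} ({reason})")
```

Run against the log actually posted in this thread (without the made-up line) the audit returns nothing, which is the scripted form of muppy03's answer; a resolver that the ISP does not own, or an entry that is not an address at all, is what a DNS-changing infection leaves behind and is what the function reports.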



## tdarron (Mar 4, 2009)

Yes, Cox is my ISP, so I guess that is fine then. Did you see that Windows AntiVirus is back?

RSIT logs and gmer logs will be added here in a bit.


----------



## muppy03 (Jun 19, 2006)

> Did you see that windows antivirus is back?


I saw your post about that. I shall wait on the logs.


----------



## tdarron (Mar 4, 2009)

So, while running gmer I crashed, so here are the RSIT logs and while you are looking those over I will try running gmer again.


----------



## muppy03 (Jun 19, 2006)

If GMER crashes just leave it for the time being.


----------



## muppy03 (Jun 19, 2006)

OK, let's do it this way!

*Download and run Combofix*
This tool is not a toy and not for everyday use.
ComboFix *SHOULD NOT* be used unless requested by a forum helper

Please download ComboFix from one of these locations:

*Link 1*
*Link 2*
*Link 3*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
If you need help to disable your protection programs see here.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the *C:\ComboFix.txt* in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-

 Combofix log
New HJT log


----------



## tdarron (Mar 4, 2009)

Combofix I am a tad more familiar with. So I will give it a go.


----------



## muppy03 (Jun 19, 2006)

Have 2 smokes, then run ComboFix as described in my last post :up:


----------



## tdarron (Mar 4, 2009)

Heh, had a really nice cigar earlier. So, you want me to run GMER and then Combo once it's done? Or would you rather I just run Combo?


----------



## tdarron (Mar 4, 2009)

Guess I will take that as run gmer one more time. Time for crossing fingers.


----------



## muppy03 (Jun 19, 2006)

Sorry, doing laundry.

Forget GMER just run Combofix.


----------



## tdarron (Mar 4, 2009)

Heh, will do. Tried doing GMER again and it actually finished, but it caused so many system errors that I couldn't do anything. So, on to ComboFix!


----------



## tdarron (Mar 4, 2009)

My computer bluescreened about 30 seconds after ComboFix's scan started (I'm on my other at the moment) and I am currently trying to get it to boot (it bluescreened on boot); hopefully I can get it up again. Will keep you posted.


----------



## tdarron (Mar 4, 2009)

Bluescreened again (not the normal one, the dumping physical memory one).

So, I guess this time around I will try to launch from the system restore point that combo set up.


----------



## tdarron (Mar 4, 2009)

I'm on in safe mode; can I run ComboFix while in safe mode?


----------



## tdarron (Mar 4, 2009)

I hate to post for the 5th time in a row, but just got it to boot normally. I will wait for your suggestion on how to proceed.


----------



## muppy03 (Jun 19, 2006)

Hi ,

I am starting to have suspicions here that you might not like.

Ok lets go back to *MBAM*, run the *Quick* scan. Hopefully that will go ok.

Post the log it produces.


----------



## tdarron (Mar 4, 2009)

Hope that doesn't mean I will have to reformat >.>

Here is the MBAM, and I am restarting as it asks:
Malwarebytes' Anti-Malware 1.40
Database version: 2631
Windows 5.1.2600 Service Pack 3

8/22/2009 12:14:57 AM
mbam-log-2009-08-22 (00-14-57).txt

Scan type: Quick Scan
Objects scanned: 100520
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299d9fe4-4639-41ab-95e6-0aa3a1be8e05} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{299d9fe4-4639-41ab-95e6-0aa3a1be8e05} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\dbsinit.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sys.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
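
The log above is worth reading for more than its item count: the "Registry Data Items" entry shows the rogue had put `desot.exe` in front of the default launch command for every `.exe`, and one file is classed `Backdoor.Bot`, which is what drives the "change your passwords from a clean machine" advice later in the thread. The following parser is an added example written for this page, not code from the thread or from Malwarebytes; it reads a constructed excerpt of the log (lines copied from the post above), groups detections by section and threat name, pulls the bad/good values out of the open-command repair, and lists anything classed as a backdoor. The function names (`parse_mbam_log`, `threat_counts`, `shell_hijacks`, `backdoor_items`) are my own.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.40 log posted above
# (a handful of the original lines, formatting unchanged).
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sys.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<Family.Name>) -> <result>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Za-z0-9.\-]+)\) -> (?P<rest>.+?)\.?$")
# Registry data repairs carry the bad value MBAM found and the good value it restored.
REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection, tagged with the section it came from."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if line.endswith("Infected:"):
            section = line[:-1]          # e.g. "Files Infected"
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue                     # header lines (scan type, counts) are skipped
        entry = {"section": section, "item": m["item"], "threat": m["threat"],
                 "action": m["rest"], "bad": None, "good": None}
        r = REPAIR_RE.match(m["rest"])
        if r:
            entry.update(bad=r["bad"], good=r["good"], action=r["action"])
        entries.append(entry)
    return entries


def threat_counts(entries):
    """Number of detections per threat family/name."""
    return Counter(e["threat"] for e in entries)


def shell_hijacks(entries):
    """Registry data repairs where a program had inserted itself in front of
    the normal launch command (here the default handler for .exe files)."""
    return [e for e in entries if e["bad"] is not None and e["good"] is not None]


def backdoor_items(entries):
    """Items whose classification starts with 'Backdoor.': the finding that
    turns a cleanup into a 'treat the machine as compromised' situation."""
    return [e["item"] for e in entries if e["threat"].startswith("Backdoor.")]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for threat, n in threat_counts(found).most_common():
        print(f"{n:3d}  {threat}")
    for h in shell_hijacks(found):
        print(f"hijacked launch command: {h['item']}\n  bad : {h['bad']}\n  good: {h['good']}")
    for item in backdoor_items(found):
        print(f"backdoor component: {item}")
```

The open-command repair is the detail to keep an eye on: with `desot.exe "%1" %*` as the handler, every program the user started went through the rogue first, which is why "it acts like a virus scanner and shuts down access to just about any program" in the opening post.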


----------



## muppy03 (Jun 19, 2006)

Hopefully all restarted nicely! 

Ok, delete ComboFix from your desktop and re-download. This time *rename* it to *Combo-fix* (include the hyphen).

Run as described earlier.

Post the log it produces along with a *NEW* HJT log.


----------



## tdarron (Mar 4, 2009)

Alrighty, booted much much better. Hopefully that did enough that I can run it. I figured earlier that renaming it would have helped; don't know why I didn't go through with that. Anyway, downloading now, hopefully all goes well.


----------



## tdarron (Mar 4, 2009)

/sigh

Bluescreened again, waiting for it to finish dumping.


----------



## muppy03 (Jun 19, 2006)

> System drive C: has 34 GB (14%) free of 238 GB


This is something you should take note of. Might be time to go through your *add/remove* and uninstall those programs you no longer use or need.

Try *Combofix* in safemode.

If this does not work please run me a new *RSIT* log in normal mode. Only one log will be produced this time.


----------



## tdarron (Mar 4, 2009)

Hmm, should be some stuff I can get rid of, I am a bit of a hard drive pack rat, you should see the externals I have stored in my closet >.>

Anywho, I will get rid of whatever I can and then run combo in safemode.


----------



## tdarron (Mar 4, 2009)

So, computer bluescreens when it gets to the Windows loading screen with the error: 'systemroot\system32\config\SOFTWARE is absent, corrupt or not writeable.' I doubt I can boot into safe mode with that, but next time around I will try.


----------



## muppy03 (Jun 19, 2006)

Just post the RSIT log. Also, when you finally ran GMER, did you get the log? Post that IF you have it.


----------



## tdarron (Mar 4, 2009)

I can't get to either; my computer won't boot, and every time it does it bluescreens with that error.


----------



## tdarron (Mar 4, 2009)

Won't boot into safe mode due to the same error with the systemroot file.


----------



## muppy03 (Jun 19, 2006)

Not good at all, I am hoping we don't have a case of Virut.

Did you try *Last Known Good Configuration*?

Do you have your windows disk?


----------



## tdarron (Mar 4, 2009)

Well, I went into the recovery console and fixed the config\software issue. Now I can log in, but then about a minute later I get a win32k.sys stop error. So I guess that I need the Windows disk to repair, correct?

And oddly enough I haven't heard of Virut, but it has a nice ring to it.


----------



## tdarron (Mar 4, 2009)

And I am able to get on again, so that is good.


----------



## tdarron (Mar 4, 2009)

Of course, right after my last post the power goes out and now I can't boot again. I think I am at a stopping point for the night, and tomorrow I will try reinstalling Windows; if that fails I guess it is time to take it to the shop.


----------



## muppy03 (Jun 19, 2006)

Hi, What power?

I have one more thing I would like you to try when you have a chance.

Delete ComboFix and re-download. This time rename it to hitme.com (remove the .exe). See if it runs.

I have been reading up, its a newie and you were the lucky one.


----------



## muppy03 (Jun 19, 2006)

Note: make sure it is downloaded to the desktop and AV is disabled.


----------



## tdarron (Mar 4, 2009)

muppy03 said:


> Hi, What power?


Power to the house, we had a random thunderstorm and it knocked out power to the house. But if I am able to get my computer able to do anything I will try out your suggestion.

The only thing that is stopping the computer now is it thinks there is some hardware that needs installation, although the name of the hardware is 'unknown'. And when I try to do anything for the 'unknown' hardware I get a win32k.sys stop error screen. Tried booting in safe mode to disable whatever hardware it was, but I got the same stop error. Also, I unplugged everything to make sure it wasn't my headset or webcam, but still got the unknown hardware.

So I guess first thing in the morning I will try to reinstall windows and we can go from there.

But thank you for helping me with this so far, I am sure this particular case is a real pain.


----------



## muppy03 (Jun 19, 2006)

As I mentioned, it seems to be a new form of infection. I am hoping the .com will work, but am now reading about the win32k.sys (from the experts) as it seems to be part of the same problem. I will post as soon as I find out.

On saying that, there is no shame in re-formatting and reinstalling and I must give you this speech. There is a possibility that changes have been made that we will not find so consider what is below carefully.

*IMPORTANT*
One or more of the identified infections that you have is a backdoor trojan.

This allows hackers to remotely control your computer, *steal critical system information* and *Download and Execute files*

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to reformat and reinstall the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be secure afterwards. The system will be extremely unlikely to be returned to its pre-infection state.


----------



## tdarron (Mar 4, 2009)

Thanks for that tidbit. I do all my financial stuff on the computer I am currently on (not the infected one). The infected is purely recreational, hence why I have all my high end equipment in it.

After I reformat, will that stop all the current problems or will I need to keep cleaning? Last time I reformatted was a good 5 or more years ago.


----------



## muppy03 (Jun 19, 2006)

Reformatting is basically wiping your hard disk of everything and re-installing the operating system and then the programs you need. That would be the end of current problems.

You would need to back up all important data as it will be lost.

I would still like to find out a couple of things (from the experts) first as we do not want to take the chance of "putting something back on that is infected".

You go to bed, I shall research and hopefully all will work out well in the end :up:


----------



## tdarron (Mar 4, 2009)

Hurm, trouble is I can't get to the information so that I can back it up. So perhaps instead of reformatting I can just do a simple repair and then we can delve into it more. Perhaps that would be best if it's a new infection, so I can be used as an example. Alright, last post for the night, thanks again.


----------



## muppy03 (Jun 19, 2006)

I don't think a repair will solve this problem.

As I said, try ComboFix renamed to hitman.com (remove the .exe). If not, please post a new *RSIT* log and if you found the *GMER* log, post that also.


----------



## tdarron (Mar 4, 2009)

Well, I am in safe mode now, found the 'unknown' hardware. Says it is in root\LEGACY_SKYNETTQGGKEAE\0000 which I remember from the GMER scans before the computer crashed. Any idea what that is? Also, I can't get the GMER log because I could never paste it from the clipboard. But I will try running Combo here in a bit.


----------



## tdarron (Mar 4, 2009)

Got combofix to run as hitman.com, said it needed to restart due to rootkit activity by legacyskynet. Restarting now and will keep you updated.


----------



## tdarron (Mar 4, 2009)

^_^ Combofix worked! Log is attached.


----------



## muppy03 (Jun 19, 2006)

> Got combofix to run as hitman.com, said it needed to restart due to rootkit activity by legacyskynet. Restarting now and will keep you updated.


Excellent work :up: I think we both deserve a gold star for this one.
Skynet is a rootkit and one of the problems we were facing.

Could you please run me a *RSIT* log. I need to see that before we go on to the next step.

How is the computer behaving now? How is it starting, any BSODs or the win32k error?

Post RSIT log when you can.


----------



## tdarron (Mar 4, 2009)

Yeah, will run RSIT here in a bit. Computer is actually running pretty smoothly thus far and has not crashed since ComboFix ran.


----------



## tdarron (Mar 4, 2009)

New RSIT log attached.


----------



## tdarron (Mar 4, 2009)

Oh, forgot to mention, whenever I right click on an exe a windows installer thing pops up saying preparing to install. Any particular reason why?


----------



## muppy03 (Jun 19, 2006)

Hi, 


> Oh, forgot to mention, whenever I right click on an exe a windows installer thing pops up saying preparing to install. Any particular reason why?

Good chance it is part of the infection, so don't worry at this stage. When you run *Kaspersky* (below) use *IE* and be prepared for it to take ages.

Open *HijackThis* and select *Do a System Scan Only*, then place a check next to the lines below if they are still present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

Once selected, close all windows except HJT and click on *Fix Checked*.

*TFC (Temp File Cleaner):*

Please download TFC to your desktop.
Save any unsaved work. *TFC* will close all open application windows.
Double-click *TFC.exe* to run the program.
If prompted, click "*Yes*" to reboot.

*Note:* _Save your work._ TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Please go to *Virus Total <http://www.virustotal.com/>* or *Jotti* and upload *C:\WINDOWS\system32\drivers\aw2ki6iq.sys* for scanning.
*For Virus Total*
1. Please copy and paste *C:\WINDOWS\system32\drivers\aw2ki6iq.sys* in the text box next to the Browse button.
2. Click on *Send File.*
*For Jotti*
1. Please copy and paste *C:\WINDOWS\system32\drivers\aw2ki6iq.sys* in the text box next to the Browse button.
2. Click on *Submit.*

Repeat for the files below:
*c:\windows\S168938C6.tmp*
*c:\documents and settings\Thomas Darron\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe*

Please post back the results of the scan in your next post.

*Kaspersky Online Scan*
Do an online scan with *Kaspersky Online Scanner*

Read through the requirements and privacy statement and click on the *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*
Once the scan is complete, it will display the results. Click on *View Scan Report*
You will see a list of infected items there. Click on *Save Report As...*
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button
Please post this log in your next reply

Please reply with:

- Kaspersky report
- VirusTotal/Jotti results
- New HJT log
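
The three HJT lines the helper wants fixed above are each a different kind of finding: an O2 BHO registered with no file behind it, an O4 autorun, and an O16 ActiveX download from a vendor host. The same log also has the O17 NameServer lines the original poster was suspicious of, which are only meaningful compared against the resolvers the machine is supposed to use. The script below is an added example written for this page, not code from the thread or from HijackThis; it runs a few simple checks over a constructed list of lines copied from the logs in this thread. The function `triage_hjt` and its inputs `expected_dns` and `trusted_dpf_hosts` are my own: the operator supplies both sets, and the values used in the `__main__` block are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of HijackThis lines, copied from the logs in this thread
# (the post's stray "*" bold markers removed).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)",
    r"O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab",
    r"O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def triage_hjt(lines, expected_dns, trusted_dpf_hosts):
    """Return (section, reason, detail) findings for lines worth a second look.

    expected_dns      - resolver addresses the machine should be using
                        (known to the operator; an input here, not detected)
    trusted_dpf_hosts - hosts from which ActiveX downloads (O16) are acceptable
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            # A BHO whose DLL is gone is an orphaned registration: harmless by
            # itself, but a leftover that should be removed along with the rest.
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(("O2", "orphaned BHO", m["clsid"]))
            continue
        m = DPF_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if host not in trusted_dpf_hosts:
                findings.append(("O16", "ActiveX from unlisted host", host))
            continue
        m = DNS_RE.match(line)
        if m:
            # Any resolver the operator did not configure is how a redirect
            # infection can survive browser cleanup, so it is reported.
            servers = [s.strip() for s in m["servers"].split(",")]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(("O17", "unexpected DNS server", ",".join(unexpected)))
    return findings


if __name__ == "__main__":
    # Assumption for the demo: the O17 addresses in the thread are treated as
    # the expected resolvers, and only www.nvidia.com is a trusted DPF host.
    for finding in triage_hjt(SAMPLE_HJT_LINES,
                              expected_dns={"68.105.28.11", "68.105.29.11"},
                              trusted_dpf_hosts={"www.nvidia.com"}):
        print(*finding, sep="  ")
```

Run as-is it reports the two orphaned BHOs and the msi.com.tw download and stays quiet on the O17 lines; feed it a different `expected_dns` set and the same O17 line becomes a finding, which is the check to make when a machine keeps redirecting after the browser add-ons have been cleaned.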


----------



## muppy03 (Jun 19, 2006)

If you have problems with *Kaspersky* (it seems to be playing up lately) run *ESET*. I would prefer Kaspersky, so make sure you try it first.

NOTE: I only want Kaspersky *OR* ESET. *DON'T RUN BOTH*

*ESET Online Scanner*

*Note:* You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

*Vista users:* You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select *Run as Administrator* from the context menu.


Please go here, then click on:

> *Note:* If using Mozilla Firefox you will need to download *esetsmartinstaller_enu.exe* when prompted, then double click on it to install.
> _All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox._

Select the option *YES, I accept the Terms of Use* then click on:








When prompted allow the *Add-On/Active X* to install.
Make sure that the option *Remove found threats* is *NOT* checked, and the option *Scan archives* is checked.
Now click on Advanced Settings and select the following:


*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Now click on:

The *virus signature database...* will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the *Online Scan* will begin automatically.
*Do not* touch either the mouse or keyboard during the scan, otherwise it may stall.
When completed select *Uninstall application on close* if you so wish, but *make sure you copy the logfile first!*
Now click on:

Use Notepad to open the logfile located at *C:\Program Files\ESET\EsetOnlineScanner\log.txt*.
Copy and paste that log as a reply to this topic.
*Note:* Do not forget to re-enable your Anti-Virus application after running the above scan!


----------



## tdarron (Mar 4, 2009)

I've done everything thus far except the new HJT and Kaspersky. While uploading to VirusTotal, the first two were not on my computer and so could not be uploaded. The results for the last are as follows:
MD5: 5a0cd869c004ffcc7fafe43f1c60090a First received: 2009.02.25 13:36:22 UTC Date: 2009.07.02 12:14:14 UTC [>51D] Results: 0/41 Permalink: analisis/cc2a8301c5376dc7cf7ecbec6ae240c8152f737f4db6cb0639da922530a202c4-1246536854


----------



## tdarron (Mar 4, 2009)

And I have to update Java to run the Kaspersky scanner, so I'm doing that now.


----------



## tdarron (Mar 4, 2009)

Which it says Windows Installer won't work properly because I am either in safe mode (which I am not) or Windows Installer is not installed properly.


----------



## tdarron (Mar 4, 2009)

Yeah, still not letting me install Java, so I guess I am going to have to repair Windows Installer, which I don't know how to do.


----------



## muppy03 (Jun 19, 2006)

Hi, I would like you to run the following, then forget *Kaspersky* and try *ESET*.

Download the file UnHookExec.inf and save it to your Windows desktop.

Note: The tool has a .inf file extension.

Locate the downloaded file on the Windows desktop, *right-click* it and choose Install. (This is a small file. It does not display any notice or boxes when you run it.)

Follow any other instructions for the threat that you are trying to remove.


----------



## tdarron (Mar 4, 2009)

installed the inf and scanning now.


----------



## tdarron (Mar 4, 2009)

ESET says I am clean. Although I cannot update avira or turn it back on, but that is likely due to the repair I did from console. And whenever I right click it still takes me to windows installer, which is also installed improperly. Which I am guessing is also from the repair.


----------



## muppy03 (Jun 19, 2006)

Let's go through a couple of things.

1. What problems are you facing at this stage? The Windows Installer error? Can you explain exactly what is happening there.
2. Did ESET produce a log, even if clean? Can I see it, please?
3. Can you post a new HJT log and an uninstall list?


----------



## tdarron (Mar 4, 2009)

1) The Windows Installer error, which has two parts. First, when I right click something, Windows Installer pops up and tries to install it twice; I of course cancel and eventually it gives me the right click menu. When I actually try to install something, such as updating Java, it says it cannot install because Windows Installer was not installed properly. The other problem is that Avira will not turn on and will not update because the scheduler is not loaded. Both of these issues came after I had to repair the system (which was done by the recovery console and using software.bak to fix the failed boot issue from earlier).
2) Did not produce a log that I saw, said I was clean, probably should have screenshot it.
3) Will do, just a second.


----------



## tdarron (Mar 4, 2009)

Sorry for the stupid question, but how would I go about making the uninstall list?
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:42 AM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Thomas Darron\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS4\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9499 bytes
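The O17 lines in the log above are the ones singled out as suspicious. As an added check (example code written for this page, not a HijackThis feature), the script below parses O17 NameServer lines, compares every resolver against an allowlist, and reports any interface whose value differs between CurrentControlSet and the numbered control sets. The allowlist and the second interface GUID are assumptions constructed for the example; 192.0.2.53 is an RFC 5737 documentation address standing in for a rogue resolver.

```python
import re
from collections import defaultdict

# Resolvers this machine is expected to use. This set is an assumption for
# the example: take it from the ISP or router configuration (or from
# `ipconfig /all` on a known-clean host on the same network), never from
# the log being checked.
EXPECTED_RESOLVERS = {"68.105.28.11", "68.105.29.11"}

# Constructed sample input: the five O17 lines from the log above, plus two
# constructed lines for a made-up second interface GUID. Its CCS entry points
# at 192.0.2.53 (an RFC 5737 documentation address standing in for a rogue
# resolver) while its CS1 entry still holds the expected servers.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS4\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 68.105.28.11,68.105.29.11
"""

# Matches both the per-interface form (Tcpip\..\{GUID}) and the global form
# (Tcpip\Parameters) that HijackThis prints for NameServer values.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17(log_text):
    """Return {(interface, control_set): [resolver, ...]} for each O17 NameServer line."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        iface = m.group("iface") or "Parameters"
        # The registry value may be comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries[(iface, m.group("cs"))] = servers
    return entries


def audit_o17(log_text, expected=EXPECTED_RESOLVERS):
    """Flag resolvers outside the allowlist and interfaces whose NameServer
    value is not identical across CCS and the numbered control sets."""
    per_iface = defaultdict(dict)
    for (iface, cs), servers in parse_o17(log_text).items():
        per_iface[iface][cs] = servers

    findings = []
    for iface, by_cs in per_iface.items():
        for cs, servers in sorted(by_cs.items()):
            unknown = [s for s in servers if s not in expected]
            if unknown:
                findings.append(f"{iface} [{cs}]: unexpected resolver(s) {', '.join(unknown)}")
        if len({tuple(s) for s in by_cs.values()}) > 1:
            findings.append(f"{iface}: NameServer differs between control sets")
    return findings


if __name__ == "__main__":
    for finding in audit_o17(SAMPLE_LOG) or ["no O17 findings"]:
        print(finding)
```

Two things are worth noting about the real entries: all five control sets agree, and a resolver hijack would redirect URLs typed into the address bar just as much as clicked links. Both point away from the O17 lines, and the thread bears that out later, since the same entries are unchanged in the second log and the redirects stop anyway.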


----------



## muppy03 (Jun 19, 2006)

*Make an uninstall list using HijackThis*
To access the Uninstall Manager you would do the following:

Start *HijackThis*
Click on the *Config* button
Click on the *Misc Tools* button
Click on the *Open Uninstall Manager* button.
Click on the *Save list...* button and specify where you would like to save this file. When you press *Save* button a notepad will open with the contents of that file. Save the file to your desktop.

I would like you to also uninstall SUPERAntiSpyware. You can re-install later if you need or want to.

*Go to* Start > Settings > Control Panel and click on *Add or Remove Programs*. *If any of the following programs are listed there*, click on the program to highlight it, and click on *Remove*. Then close the Control Panel.


*SUPERAntiSpyware*


----------



## tdarron (Mar 4, 2009)

Uninstalling SUPERAntiSpyware as we speak

Uninstall list:
3DMark06
Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Age of Empires III
AGEIA PhysX v7.09.13
AGEIA PhysX v7.11.13
AIM 6
Apple Mobile Device Support
Apple Software Update
Blender (remove only)
Command & Conquer 3
Command & Conquer Generals
Command & Conquer Red Alert 2
Command and ConquerTM Generals Zero Hour
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Counter-Strike: Source
Creative MediaSource 5
Creative Software AutoUpdate
Dark Messiah Singleplayer Demo
Dawn of War - Dark Crusade
Day of Defeat
Deathmatch Classic
Defcon
Defcon v1.43
FEAR
FEAR Perseus Mandate Demo
FL Studio 7
Fraps
Game Jackal v3.0.0.6 (32 bit)
Gears of War
Google Desktop
Google Earth
GPGNet
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IL Download Manager
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Linksys Wireless-G PCI Adapter
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Age of Empires II
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft DirectX SDK (August 2007)
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
mIRC
Morphine
Mozilla Firefox (3.0)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
Natural Selection 3.2
Nero OEM
Nostromo Array Programming Software
NVIDIA Drivers
NVIDIA nTune
Oblivion
Paint.NET v3.35
PCFriendly
Peggle Extreme
Phun beta 3.5
Portal
QuickTime
RivaTuner v2.02
SecondLife (remove only)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Serious Sam: The Second Encounter
SHOUTcast DNAS (remove only)
SHOUTcast Source DSP 1.9.0 (remove only)
Skype™ 3.6
Sound Blaster X-Fi
SpeedFan (remove only)
Steam
System Requirements Lab
Team Fortress 2
Team Fortress Classic
Trend Micro PC-cillin Internet Security 2007
Unreal Tournament 3
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Uplink
Ventrilo Client
Versal FileDownload ActiveX Control Trial Version
Westwood Shared Internet Components
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver


----------



## tdarron (Mar 4, 2009)

While uninstalling, I got the windows installer error again, but it appears that it successfully uninstalled. Here is a screenshot of the error I keep getting.


----------



## muppy03 (Jun 19, 2006)


You appear to have installed *Trend Micro PC-cillin Internet Security 2007*. This was not on your first uninstall list. The reason?



> Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.


*COMBOFIX-Script*
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


 Please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
File::
c:\documents and settings\Thomas Darron\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
c:\documents and settings\Thomas Darron\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
 

Folder::
c:\documents and settings\Thomas Darron\Application Data\SUPERAntiSpyware.com
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
c:\program files\SUPERAntiSpyware


Driver::
SASDIFSV
SASKUTIL
SASENUM
```

 Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.
*Very Important!* Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
If you need help to disable your protection programs see here.
 Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.* 
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
 When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. 
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-

 Combofix log
New HJT log


----------



## tdarron (Mar 4, 2009)

Huh, I had that installed a while ago. Don't know why it came back, probably came back when I did the system repair.

Running the Combofix script now.


----------



## tdarron (Mar 4, 2009)

Sorry about the long response, I fell asleep at the computer.


----------



## muppy03 (Jun 19, 2006)

> Sorry about the long response, I fell asleep at the computer.


You should have gone to bed, the computer can wait.

Have you got the CF log?


----------



## tdarron (Mar 4, 2009)

Yeah, sorry, uploaded the wrong log.


----------



## muppy03 (Jun 19, 2006)

Hi, How is it all going now? Same errors?

Since it is outdated, please go to Add/remove and uninstall *Trend Micro*.

*Download and Run OTM.exe*

*Download* *OTM.exe* *by Old Timer* and save it to your Desktop.

Double-click *OTM.exe*. (Vista users, please right click on *OTM.exe* and select *"Run as an Administrator"*)
Copy the lines in the codebox below.


```
:Files
C:\found.001

:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
```

 Return to OTM.exe, right click in the *Paste Instructions for Items to be Moved* window (under the yellow bar) and choose *Paste*.
Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar), and paste it in your next reply.*
Close *OTM.exe*

Please reply with:-

 OTM log
New HJT log


----------



## tdarron (Mar 4, 2009)

Yeah, still have the windows installer errors. Also, trend micro is not in the add/remove programs list. Will run OTM here in a bit.


----------



## tdarron (Mar 4, 2009)

OTM log:
All processes killed
========== FILES ==========
C:\found.001\dir0002.chk moved successfully.
C:\found.001\dir0001.chk moved successfully.
C:\found.001\dir0000.chk moved successfully.
C:\found.001 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: Thomas Darron
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 84771992 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 80.95 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08232009_215342

Files moved on Reboot...

Registry entries deleted on Reboot...

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:38 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Thomas Darron\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS4\Services\Tcpip\..\{0AA3AE21-F5E2-4465-8031-FE6A669451F8}: NameServer = 68.105.28.11,68.105.29.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - C:\Program Files\The Skins Factory\Hyperdesk\Common\HdThemeEnabler.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9531 bytes


----------



## tdarron (Mar 4, 2009)

On a positive note, I am not getting any more redirects!


----------



## muppy03 (Jun 19, 2006)

> On a positive note, I am not getting any more redirects!


Well thats good, because I am just about done with you. (Malware Wise)

Check the Windows Installer service is not *disabled* on the machine. From the Start menu select Run and type *services.msc*. Double-click on the service named "Windows Installer". Check the value in the 'Startup type:' field. If it's currently set to "Disabled", then this is the problem. Change it by selecting "Manual" from the drop-down box.

Update *Java Runtime*

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: *Java Runtime Environment Version 6 Update 16*. 

Go to Java Site
Click to Download *Java SE Runtime Environment (JRE) 6 Update 16*
In Platform box choose Windows.
Check the box to *Accept License Agreement* and click Continue.
Click on *Windows Offline Installation, * click on the link under it which says *"jre-6u16-windows-i586.exe"* and save the downloaded file to your desktop. 
Go to *Start* => *Control Panel* => *Add or Remove Programs* 
Uninstall *all* old versions of *Java* (Java 3 Runtime Environment, JRE or JSE) 
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions. 
Reboot your computer 
Update *Adobe Reader*
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest *Adobe Reader*, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed *UN*check the box which says Also Download Adobe Photoshop® Album Starter Edition.

Let me know when the above is done, and the outcome of the *Installer Service* check.
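The advice above boils down to one rule: every Java and Adobe Reader entry older than the current release must go, not just the one that happens to be default. As an added example (written for this page, not a tool from the thread), the script below reads an Add/Remove export such as the uninstall list posted earlier and lists which entries fall below the versions named above. The `WANTED` table is an assumption pinned to the versions this post names (6 Update 16 and Reader 9) and has to be refreshed from the vendors' release pages before reuse; the name patterns cover only the entry formats that appear in the posted list.

```python
import re

# Constructed subset of the Add/Remove export posted earlier in the thread;
# the full export can be fed in unchanged, one entry per line.
UNINSTALL_LIST = """
Adobe Flash Player Plugin
Adobe Reader 8.1.2
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Mozilla Firefox (3.0)
"""

# Minimum acceptable versions, taken from the advice above. Assumption for
# the example: this table is the only part that goes stale, so refresh it
# from the vendors' release pages before each use.
WANTED = {
    "java": (6, 16),            # (major, update)
    "adobe_reader": (9, 0, 0),  # (major, minor, patch)
}

# Entry names as they appear in the posted list:
#   "J2SE Runtime Environment 5.0 Update 8", "Java(TM) 6 Update 5",
#   "Adobe Reader 8.1.2".
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\))\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)$"
)
READER_RE = re.compile(r"^Adobe Reader\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_entry(name):
    """Map an Add/Remove entry to (product, version tuple); None if untracked."""
    m = JAVA_RE.match(name)
    if m:
        return "java", (int(m.group(1)), int(m.group(2)))
    m = READER_RE.match(name)
    if m:
        # Missing minor/patch components count as 0 so tuples compare cleanly.
        return "adobe_reader", tuple(int(g) if g else 0 for g in m.groups())
    return None


def find_stale(text, wanted=WANTED):
    """Split tracked entries into (stale, current) lists of (name, product, version).

    Tuple comparison does the version ordering, so (5, 8) < (6, 16) and
    (8, 1, 2) < (9, 0, 0) without any string juggling.
    """
    stale, current = [], []
    for raw in text.splitlines():
        name = raw.strip()
        parsed = parse_entry(name) if name else None
        if parsed is None:
            continue
        product, version = parsed
        bucket = stale if version < wanted[product] else current
        bucket.append((name, product, version))
    return stale, current


if __name__ == "__main__":
    stale, current = find_stale(UNINSTALL_LIST)
    for name, product, version in stale:
        print(f"REMOVE  {name}  ({product} {version} < {WANTED[product]})")
    for name, product, version in current:
        print(f"OK      {name}")
```

One caveat: an Add/Remove export reflects the Installer's registry records, not what is on disk, so after removing the stale entries also check the `jre*` directories under `C:\Program Files\Java` for runtimes that never had an entry.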


----------



## tdarron (Mar 4, 2009)

> Well thats good, because I am just about done with you. (Malware Wise)


Sweet.



> Check the Windows Installer service is not *disabled* on the machine. From the Start menu select Run and type *services.msc*. Double-click on the service named "Windows Installer". Check the value in the 'Startup type:' field. If it's currently set to "Disabled", then this is the problem. Change it by selecting "Manual" from the drop-down box.


It was set to manual already. So I guess that is next on the list of things to fix.

I will try going about the Java and Adobe update here in a moment. I'm finishing up a paper.


----------



## tdarron (Mar 4, 2009)

Can't uninstall either program (Adobe or Java) because of the Windows Installer error. And, as such, I still have the older versions of each.


----------



## tdarron (Mar 4, 2009)

Yeah, still no luck installing or uninstalling either due to the windows installer error.


----------



## muppy03 (Jun 19, 2006)

Ok lets try this!

*Dial-A-Fix*


Please download *Dial-A-Fix* from one of the following mirrors:
Primary Mirror
Secondary Mirror

Extract the zip file to your desktop.
Double click Dial-a-Fix.exe to start the program.
Check (tick) *Fix Windows Installer*
click on go
Exit/Close Dial-A-Fix

*After you have done all this please reboot your computer*, and try uninstalling the old Javas


----------



## tdarron (Mar 4, 2009)

Huh, well I figured now that I rebooted after running that program that I would try right clicking something. I think I now figured out what is going on. My computer thinks that PC-cillin is still on it due to me recovering my computer when it would not boot. I am guessing it reset some values and that being one of them. And so every time I right click something it is trying to add in the 'scan this item' feature that PC-cillin has. So in other words, it is trying to access a feature of a program that isn't there, and that is causing me the problem.

And, to further back up my idea is the new screens that come up whenever I right click a document. (It's attached.)

And I am trying java and adobe again here in a moment.


----------



## tdarron (Mar 4, 2009)

Of course, I forget to attach it.


----------



## tdarron (Mar 4, 2009)

Attempting to uninstall J2SE Runtime Environment 5.0 Update 8 gives me the attached error on the left. And attempting to uninstall Java 6 Update 2, 3, and 5 gives me the error on the right.


----------



## muppy03 (Jun 19, 2006)

Are you still getting the original windows installer error? The ones you posted are different.

*JavaRa*

Please download *JavaRa* and unzip it to your desktop.

**Please close any instances of Internet Explorer before continuing!**


Double-click on *JavaRa.exe* to start the program.
From the drop-down menu, choose *English* and click on *Select*.
JavaRa will open; click on *Remove Older Versions* to remove the older versions of Java installed on your computer.
Click *Yes* when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click *OK*.
A logfile will pop up. Please save it to a convenient location, and copy/paste it back in this topic.
In case the logfile doesn't pop up, you can find it here: *C:\JavaRa.log*

Please reply with log


----------



## tdarron (Mar 4, 2009)

Went to Add/Remove Programs after it was completed and I don't see any Java entries, so it looks like it did its job; installing the new Java now. And no, I am not getting the original Windows Installer error. What I am guessing is that we fixed one problem and now we have found the root cause of the issue, if that makes sense.

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Aug 24 16:36:36 2009

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: C:\Documents and Settings\Thomas Darron\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\Thomas Darron\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\Thomas Darron\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\Thomas Darron\Application Data\Sun\Java\jre1.6.0_14

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_08\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Aug 24 16:37:04 2009

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510008

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510008

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510008

Found and removed: SOFTWARE\Classes\JavaPlugin.150_08

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_08

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_08

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510008

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510008

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150080}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610002

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610002

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\JavaPlugin.160_02

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\Classes\JavaPlugin.160_05

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_02

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_02

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610002

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610002

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_08

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

------------------------------------

Finished reporting.


----------



## tdarron (Mar 4, 2009)

Bleh, error installing the new java, window is attached. My computer is a mess >_>


----------



## muppy03 (Jun 19, 2006)

Did you use the link and directions I gave you for Java?

Lets get Trend removed, reboot and then try again.

*Backup the Registry*


Download ERUNT
Save it to your desktop. Right click on the downloaded file (erunt.zip) and click *Extract*. Follow the prompts to extract the file.
Now click on the folder "erunt" and find and double click on the file called *Erunt.exe*
Click OK. Then Click OK again.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Double-click *OTM.exe*. (Vista users, please right click on *OTM.exe* and select *"Run as an Administrator"*)
Copy the lines in the codebox below.


```
:Files
c:\program files\trend micro
c:\windows\system32\drivers\tmcomm.sys
c:\documents and settings\Thomas Darron\.housecall6.6

:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]


:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
```

Return to OTM.exe, right click in the *Paste Instructions for Items to be Moved* window (under the yellow bar) and choose *Paste*.
Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar), and paste it in your next reply.*
Close *OTM.exe*

Please post the OTM log.



----------



## tdarron (Mar 4, 2009)

muppy03 said:


> Did you use the link and directions I gave you for Java?


Yep, and I tried again, still no luck, says that unzipping the core files has failed.

Here is the OTM log, although I still get the 'find disk for trend micro' window even after I ran OTM.

```
All processes killed
========== FILES ==========
c:\program files\trend micro moved successfully.
c:\windows\system32\drivers\tmcomm.sys moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Update\AU_Cache moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Update moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Quarantine moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Pattern moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\log moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\Licences moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\jars moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\AU_Temp moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6\AU_Log moved successfully.
c:\documents and settings\Thomas Darron\.housecall6.6 moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 1464 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Thomas Darron
File delete failed. C:\Documents and Settings\Thomas Darron\Local Settings\Temp\Perflib_Perfdata_408.dat scheduled to be deleted on reboot.
->Temp folder emptied: 20304 bytes
->Temporary Internet Files folder emptied: 7886616 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86699870 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 59352 bytes
RecycleBin emptied: 588727 bytes

Total Files Cleaned = 90.91 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08242009_192146

Files moved on Reboot...
File C:\Documents and Settings\Thomas Darron\Local Settings\Temp\Perflib_Perfdata_408.dat not found!

Registry entries deleted on Reboot...
```


----------



## tdarron (Mar 4, 2009)

So, quick recap: still get the windows when I try to right click something, still can't install Java due to 'unzipping core files failed'.

Want me to try the online installation of java?


----------



## muppy03 (Jun 19, 2006)

tdarron said:


> So, quick recap, still get the windows when I try to right click something, still cant install java due to 'unzipping core files failed'
> 
> Want me to try the online installation of java?


Hi, "The windows when I right click?" Do you mean the trend asking for disk window?

With the java, which option did you try to download? The *Orange bar* or the file direct?

Is everything else running ok?


----------



## tdarron (Mar 4, 2009)

> Hi, "The windows when I right click?" Do you mean the trend asking for disk window?


Yes.



> With the java, which option did you try to download? The *Orange bar* or the file direct?


The offline installation, whichever one that is. Not quite sure what you mean.



> Is everything else running ok?


Yes, although Skype and iTunes say they aren't installed when I try to use the shortcuts (in the Start menu and on the desktop). However they run fine when I run them from their own folders, which I can live with. Just find it strange.

Wish I could stick around, but I've got an early class tomorrow, so I have to head to bed.


----------



## muppy03 (Jun 19, 2006)

On the Java page, once you select the offline installation there is an orange bar to start the download. This is Sun's download manager. If you chose that last time, next time actually click on jre-6u16-windows-i586.exe to download and not the orange bar.

You can also try this


> 1: click the "Change destination folder" checkbox at the bottom left of the Java Setup welcome screen (this is the same screen that has the "accept" button).
> 
> 2: after pressing "accept", change the "Install to" folder to something other than what it currently is (ie: pick a new non-default folder to install Java to)


See if that works.

*BEFORE YOU TRY AGAIN, RUN JAVA RA AND REBOOT BEFORE RE-DOWNLOADING*

As for the *Shortcuts*. Try deleting them and making new ones.

Please run a new *RSIT* log and I will see what parts of trend we missed uninstalling.

Do this tomorrow, go to bed.

Just a side note. You might have to take these problems to a *General Tech* forum. Unfortunately I do not know enough about the inner workings of windows. I am only trained in *Malware*. If the above does not help, I will guide you in removing the tools we downloaded and cleaning out all the quarantine files. You must also realize that the infection you had possibly changed system settings.


----------



## muppy03 (Jun 19, 2006)

Hi, how did it all go?


----------



## tdarron (Mar 4, 2009)

muppy03 said:


> Hi, how did it all go?


Still have yet to do it. Hopefully I get around to it tonight, these past couple of days I have been horribly busy.


----------



## tdarron (Mar 4, 2009)

Ight, so it's been forever since I last posted, and I am going to just go ahead and reformat this week. It's about due for a routine reformat anyway.


----------



## tdarron (Mar 4, 2009)

Reformatting went wonderfully and system is running much faster, and as an added benefit, I now keep my programs and applications on one hard drive and all my music and whatnot on my brand new hard drive.

So, I am going to go ahead and mark this solved. Thanks Muppy for the help, got me to a stable position so that I could safely get to my data.


----------



## muppy03 (Jun 19, 2006)

tdarron said:


> Reformatting went wonderfully and system is running much faster, and as an added benefit, I now keep my programs and applications on one hard drive and all my music and whatnot on my brand new hard drive.
> 
> So, I am going to go ahead and mark this solved. Thanks Muppy for the help, got me to a stable position so that I could safely get to my data.


Good luck and surf safely


----------

