# IE not connecting. homepage hijack



## hocapoca (Mar 26, 2010)

When I try to use Internet Explorer 8, it shows connecting on the tab but the page is blank and never loads anything.
When I click on Tools / Internet Options, it's not responding at all.
I can only open Internet Options from the Control Panel; when I look at the homepage it is http://www.1188.com, not my default at google.com. I tried resetting everything to default but nothing helps.

I can browse fine with firefox.
The ?÷D?3è±1 ó2?ì°? is a game in a foreign language.
Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:48 PM, on 3/25/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
C:\Program Files (x86)\GBM\GRemote Pro\GRemoteServer.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files (x86)\PPStream\ppsap.exe
O4 - HKCU\..\Run: [PPAP] "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.EXE" -background
O4 - HKCU\..\Run: [GRemoteServer Pro] C:\Program Files (x86)\GBM\GRemote Pro\GRemoteServer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Skyscape SmartUpdate.lnk = C:\Program Files (x86)\Common Files\Skyscape\SmartUpdate.exe
O4 - Global Startup: 腾讯QQ.lnk = C:\Windows\System32\wscript.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: PP.tv Video-Search - {95B3F550-91C4-4627-BCC4-521288C52978} - http://www.pp.tv/?st=desk&rcc_id=615547 ... a00e664f58 (file missing)
O9 - Extra 'Tools' menuitem: PP.tv Video-Search - {95B3F550-91C4-4627-BCC4-521288C52978} - http://www.pp.tv/?st=desk&rcc_id=615547 ... a00e664f58 (file missing)
O9 - Extra button: PPLive Video Accelerator - {95B3F550-91C4-4627-BCC4-521288C52979} - C:\Program Files (x86)\PPLive\PPVA\PPLiveVA.exe
O9 - Extra 'Tools' menuitem: PPLive Video Accelerator - {95B3F550-91C4-4627-BCC4-521288C52979} - C:\Program Files (x86)\PPLive\PPVA\PPLiveVA.exe
O13 - Gopher Prefix: 
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: ADSM Service (ADSMService) - ASUSTek Computer Inc. - C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: AFBAgent - Unknown owner - C:\Windows\system32\FBAgent.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASLDR Service (ASLDRService) - ASUS - C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\SysWOW64\CSHelper.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: FastBootAgent - ASUSTeK Computer Inc. - C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Windows\SysWOW64\NMSAccessU.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101  (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
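Added example (not part of hocapoca's post and not HijackThis code): a small triage script that reads HijackThis O2/O4/O9 lines and flags the patterns a helper would look at first in the log above: a BHO whose DLL is gone, an autorun that launches a script host or script file rather than an application, and an IE button that points at a URL with no local file. The sample lines are copied from this thread's log (the PP.tv URL shortened); the rules are this example's own heuristics, not verdicts produced by HijackThis.

```python
"""Triage a HijackThis (HJT) log for homepage-hijack and persistence indicators.

Added example: this is not part of the forum post and not HijackThis code.
The rules below are this example's own heuristics (an assumption about what
is worth a second look), not verdicts produced by HijackThis.
"""
import re
from typing import List, Tuple

# Autorun targets that are script interpreters rather than applications.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Autorun targets that are plain script files.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".hta")

Finding = Tuple[str, str, str]  # (HJT section, reason, original log line)

# Constructed sample: a subset of the O2/O4/O9 lines from the log posted in
# this thread (the PP.tv URL is shortened here).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: 腾讯QQ.lnk = C:\Windows\System32\wscript.exe
O9 - Extra button: PP.tv Video-Search - {95B3F550-91C4-4627-BCC4-521288C52978} - http://www.pp.tv/?st=desk (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
"""


def _o4_target(body: str) -> str:
    """Extract the launched path from an O4 entry body.

    Shortcut entries look like 'Startup: label.lnk = target'; registry Run
    entries look like 'HKLM\\..\\Run: [Name] "path" args' or '[Name] path args'.
    """
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
    cmd = m.group(1) if m else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the heuristics, with a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO CLSID registered but its DLL is gone (orphaned registration)", line))
        elif section == "O4":
            base = _o4_target(body).rsplit("\\", 1)[-1].lower()
            if base in SCRIPT_HOSTS:
                findings.append((section, f"autorun launches a script host ({base}) instead of an application", line))
            elif base.endswith(SCRIPT_EXTS):
                findings.append((section, f"autorun runs a script file ({base})", line))
        elif section == "O9" and "(file missing)" in body and "http" in body.lower():
            findings.append((section, "IE button/menu item points at a URL and has no local file", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run on the sample it reports four lines: the nameless BHO with no file, the SetWallpaper.cmd autorun, the startup shortcut labelled as QQ that actually launches wscript.exe, and the PP.tv button that has no local file. A flag is a reason to look closer, not proof of infection; the signed vendor entries in the same log pass untouched.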


----------



## hocapoca (Mar 26, 2010)

bump


----------



## hocapoca (Mar 26, 2010)

72 hr bump


----------



## hocapoca (Mar 26, 2010)

bump


----------



## hocapoca (Mar 26, 2010)

bump


----------



## hocapoca (Mar 26, 2010)

10 day bump


----------



## SweetTech (Jan 1, 1970)

Hello and welcome to the forums! My name is *SweetTech*, it's a pleasure to meet you. 

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

*If you have already received help elsewhere please inform me so that this topic can be closed.*

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


Logs from malware removal programs (DDS is one of them) can take some time to analyze. I need you to be *patient* while I analyze any logs you post.
Please make sure to *carefully read* any instruction that I give you.
Reading too lightly will cause you to miss important steps, which could have *destructive* effects.
*If you're not sure, or if something unexpected happens, do NOT continue!* Stop and ask!
These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
*Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure that your anti-virus definitions are up-to-date!*
If I instruct you to download a specific tool which you already have, _please delete the copy that you have and re-download the tool._ The reason I ask you to do this is because these tools are updated fairly regularly.
*In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!*
Please do _*not use*_ the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this *together*.
*Because of this, you must reply within five days*. I will post a reminder should you seem to fail to do this, *however*, if you fail to reply within two days then,
unless I have been notified of your absence in advance, *the topic shall be closed!*
*Please do not PM me directly for help.* If you have any questions, post them in this topic. *The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days)* and you need an explanation. If that's the case, just send me a message to me on here. 
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. 
_Don't worry_, this only happens in severe cases, but it sadly does happen. *Be prepared to back up your data. Have means of backing up your data available.*

____________________________________________________

*Running OTS*
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download *OTS* to your Desktop


Close *ALL OTHER PROGRAMS*.
Double-click on *OTS.exe* to start the program.
Check the box that says *Scan All Users*
Under Additional Scans click the *"Extras"* button
In the custom scans section copy and paste in the following:

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
```
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post.

To attach a file, do the following:

Click *Add Reply*
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green *Upload* button
Once it has uploaded, click the *Manage Current Attachments* drop down box
Click on the insert icon (image not preserved) to insert the attachment into your post

*NEXT:*

*Scanning with GMER*

Please download *GMER* from one of the following locations and save it to your desktop:

Main Mirror
_This version will download a randomly named file (Recommended)_
Zipped Mirror
_This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop._


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the *randomly named* GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
_Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe._

GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. _(do not use the computer while the scan is in progress)_
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click *NO*.
Now click the *Scan* button. If you see a rootkit warning window, click OK.
When the scan is finished, click the *Save...* button to save the scan results to your Desktop. Save the file as *gmer.log*.
Click the *Copy* button and paste the results into your next reply.
Exit GMER and be sure to *re-enable* your anti-virus, Firewall and any other security programs you had disabled.
_-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, *uncheck* Devices on the right side before scanning_.

*NEXT:*

*Please make sure you include the following items in your next post:*
*1.* Any comments or questions you may have that you'd like for me to answer in my next post to you.
*2.* The log that was produced after running the OTS scan.
*3.* The log that was produced after running GMER
*4.* An update on how your computer is currently running.
*It would be helpful if you could answer each question in the order asked, as well as numbering your answers.*


----------



## hocapoca (Mar 26, 2010)

I posted the following logs you requested.

Questions

1. When I try to run GMER as Administrator with all active programs closed, it gives me an error message:
C:\Windows\system32\config\system: The system cannot find the file specified

After clicking Scan on the right side, another error message:
C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process

It is the same result even when run in safe mode.

2. When I click the shortcut for IE from the Windows button, IE is not functional at all. It shows connecting with a blank screen and is non-responsive if I click on Internet Options.
However, if you go into Programs and open Internet Explorer (64 bit), the browser works but it is stuck with www.1188.com as the homepage. Both Firefox and Google Chrome work fine.

3. When trying to open a link from MSN Messenger, no IE window shows up at all.

Thank you for your help

OTS Log
http://www.mediafire.com/?wnjxktzemlj

GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 15:13:31
Windows 6.1.7600 
Running: 69ed4u0q.exe

---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes

---- EOF - GMER 1.0.15 ----


----------



## SweetTech (Jan 1, 1970)

Don't worry about the GMER scan.

*Running OTS Fix*
Start OTS. Copy/Paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the *Run Fix* button.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\] > -> 
YN -> HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\: Main\\"Default_Page_URL" -> http://asus.msn.com
YN -> HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\: Main\\"Start Page" -> http://www.1188.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< 64bit-Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Setwallpaper" -> c:\programdata\SetWallpaper.cmd [c:\programdata\SetWallpaper.cmd]
< RunOnce [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "mctadmin" -> C:\Windows\SysWow64\mctadmin.exe [C:\Windows\System32\mctadmin.exe]
< RunOnce [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "mctadmin" -> C:\Windows\SysWow64\mctadmin.exe [C:\Windows\System32\mctadmin.exe]
< Run [HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\] > -> HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "PPS Accelerator" -> C:\Program Files (x86)\PPStream\ppsap.exe [C:\Program Files (x86)\PPStream\ppsap.exe]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \\"NoActiveDesktop" -> [1]
YN -> \\"NoActiveDesktopChanges" -> [1]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {95B3F550-91C4-4627-BCC4-521288C52978}:Exec [HKLM] -> [Button: PP.tv Video-Search]
YN -> {95B3F550-91C4-4627-BCC4-521288C52978}:Exec [HKLM] -> [Menu: PP.tv Video-Search]
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> "MaxScriptStatements" -> Reg Error: Invalid data type.
YN -> "Use My Stylesheet" -> Reg Error: Invalid data type.
< 64bit-SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck]
< Vista Active Application Exception Rules > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
YN -> {7844D9BA-B758-4159-90AC-C6F1FF1D6877} -> protocol=17 | dir=in | action=allow | name=μtorrent (udp-in) | app=c:\program files (x86)\utorrent\utorrent.exe | 
YN -> {D240C975-83BF-4137-8180-04C1092DC734} -> protocol=6 | dir=in | action=allow | name=μtorrent (tcp-in) | app=c:\program files (x86)\utorrent\utorrent.exe | 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Program Files (x86)\PPStream\PPSAP.exe" -> C:\Program Files (x86)\PPStream\PPSAP.exe [C:\Program Files (x86)\PPStream\PPSAP.exe:*:Enabled:PPS ÍøÂç¼ÓËÙÆ÷]
YN -> "C:\Program Files (x86)\PPStream\PPStream.exe" -> C:\Program Files (x86)\PPStream\PPStream.exe [C:\Program Files (x86)\PPStream\PPStream.exe:*:Enabled:PPSÍøÂçµçÊÓ]
[Registry - Additional Scans - Safe List]
< 64bit-Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> livecall:{828030A1-22C1-4009-854F-8E305202313F} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
YN -> ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
YN -> msnim:{828030A1-22C1-4009-854F-8E305202313F} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
YN -> wlmailhtml:{03C514A3-1EFB-4856-9F99-10D7BE1653C0} [HKLM] -> Reg Error: Key error.[Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  USMLE_Kaplan_Step2_complete_set[www.btmon.com].torrent -> C:\Users\E-Laptop\Desktop\USMLE_Kaplan_Step2_complete_set[www.btmon.com].torrent
NY ->  43 C:\Users\E-Laptop\AppData\Local\Temp\*.tmp files -> C:\Users\E-Laptop\AppData\Local\Temp\*.tmp
[Empty Temp Folders]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the *Ok* button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

*NEXT:*

*Scanning with MalwareBytes' Anti-Malware*
Please download *Malwarebytes' Anti-Malware* to your desktop.


Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish*.
If an update is found, it will download and install the latest version.
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

*Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. *

*NEXT:*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.


Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, adware, dialers, and other riskware
Archives
E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.
Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply.

*NEXT:*

*Please make sure you include the following items in your next post:*
*1.* Any comments or questions you may have that you'd like for me to answer in my next post to you.
*2.* The log that was produced after running the OTS scan.
*3.* The log that was produced after running the MalwareBytes' Anti-Malware scan.
*4.* The log that was produced after running the Kaspersky Online scanner.
*5.* An update on how your computer is currently running.
*It would be helpful if you could answer each question in the order asked, as well as numbering your answers.*


----------



## hocapoca (Mar 26, 2010)

01-1. 
MBAM gave an error in the middle of the scan (MBAM_ERROR_ADD_TU_RESULTS(0,6)) but it continued to scan after I clicked OK.

01-2
Found some information on fixing the 1188.com issue but don't know how reliable the method is.
http://www.fans88.com/viewthread.php?tid=2828&extra=page%3D1%26amp%3Borderby%3Dlastpost%26amp%3Bfilter%3D172800
The site is in Chinese.

01-3
At 1188.com there is a homepage hijack fix link for IE and all sorts of browsers.
http://www.1188.com/xiufu.html

02. OTS Log

All Processes Killed
[Registry - Safe List]
Registry delete failed. HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL scheduled to be deleted on reboot.
Registry delete failed. HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Setwallpaper deleted successfully.
File c:\programdata\SetWallpaper.cmd not found.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator deleted successfully.
File C:\Program Files (x86)\PPStream\ppsap.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52978}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B3F550-91C4-4627-BCC4-521288C52978}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B3F550-91C4-4627-BCC4-521288C52978}:Exec\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52978}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B3F550-91C4-4627-BCC4-521288C52978}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B3F550-91C4-4627-BCC4-521288C52978}:Exec\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\NameServer updated successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\NameServer updated successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7844D9BA-B758-4159-90AC-C6F1FF1D6877} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7844D9BA-B758-4159-90AC-C6F1FF1D6877}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D240C975-83BF-4137-8180-04C1092DC734} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D240C975-83BF-4137-8180-04C1092DC734}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files (x86)\PPStream\PPSAP.exe deleted successfully.
File C:\Program Files (x86)\PPStream\PPSAP.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files (x86)\PPStream\PPStream.exe deleted successfully.
[Registry - Additional Scans - Safe List]
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Users\E-Laptop\Desktop\USMLE_Kaplan_Step2_complete_set[www.btmon.com].torrent moved successfully.
C:\Users\E-Laptop\AppData\Local\Temp\AppLoc.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51D4.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51D5.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51E6.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51E7.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51E8.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51E9.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51F9.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51FA.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51FB.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51FC.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo51FD.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo520E.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo520F.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo5210.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo5221.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo5222.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo5242.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80A1.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80B1.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80B2.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80C3.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80C4.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80C5.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80C6.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80C7.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80D7.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80D8.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80D9.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80DA.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80DB.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80EC.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80ED.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo80EE.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo811E.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\foo812E.tmp deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DF7400E3291FE65942.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DF8FC8D1FB17DD6DFA.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DF9D41BB3BEF62C853.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DFA4A87D159318C156.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DFB405643CB3183F33.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DFDF5E07B58077159C.TMP deleted successfully.
C:\Users\E-Laptop\AppData\Local\Temp\~DFE2B2FF0C25F15429.TMP deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: E-Laptop
->Temp folder emptied: 437975 bytes
->Temporary Internet Files folder emptied: 2273334 bytes
->Java cache emptied: 19076048 bytes
->FireFox cache emptied: 87992378 bytes
->Google Chrome cache emptied: 7813217 bytes
->Flash cache emptied: 16399 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 24072 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 658461 bytes

Total Files Cleaned = 113.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.28.0 fix logfile created on 04042010_164645

Files\Folders moved on Reboot...
C:\Users\E-Laptop\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
Registry key HKEY_LOCAL_MACHINE\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\S-1-5-21-2251334012-3395122772-3458723819-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.

03. MBAM log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3954

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/4/2010 4:58:13 PM
mbam-log-2010-04-04 (16-58-13).txt

Scan type: Quick scan
Objects scanned: 104428
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\qq.ico (Malware.Trace) -> Quarantined and deleted successfully.

04. K online scan 100% done; it found 0 threats and 0 infected. For some reason I cannot save the report.

05. IE still has the same issue. No change so far.


----------



## SweetTech (Jan 1, 1970)

*Running OTS*
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Close *ALL OTHER PROGRAMS*.

Double-click on *OTS.exe* to start the program.
Check the box that says *Scan All Users*
Under Additional Scans click the *"Extras"* button
In the custom scans section copy and paste in the following:

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main /s
```
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post.

To attach a file, do the following:

Click *Add Reply*
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green *Upload* button
Once it has uploaded, click the *Manage Current Attachments* drop down box
Click on the attachment entry to insert the attachment into your post


----------



## hocapoca (Mar 26, 2010)

OTS Log attached.


----------



## SweetTech (Jan 1, 1970)

*I would like for you to submit a file for me so that I can analyze it further.*

Please visit this *site* & follow the instructions for uploading this file: C:\69ed4u0q.exe

Copy/paste the contents of the Code Box below into the *Link to topic where this file was requested:* box:

```
http://forums.techguy.org/malware-removal-hijackthis-logs/912722-ie-not-connecting-homepage-hijack.html
```
Click *Browse* & navigate to *C:\69ed4u0q.exe*. Click *Open* then *Send File*.


----------



## hocapoca (Mar 26, 2010)

Sending the file now.
That file is the randomly named copy of GMER I downloaded earlier.


----------



## SweetTech (Jan 1, 1970)

Hello!

Thank you for submitting that file for me. Please go ahead and proceed with the OTS Fix below. Let's see if that takes care of the IE homepage issue.

*Running OTS Fix*
Start OTS. Copy/paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the *Run Fix* button.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\] > -> 
YN -> HKEY_USERS\S-1-5-21-2251334012-3395122772-3458723819-1001\: Main\\"Start Page" -> http://www.1188.com
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> "MaxScriptStatements" -> Reg Error: Invalid data type.
YN -> "Use My Stylesheet" -> Reg Error: Invalid data type.
[Files/Folders - Modified Within 30 Days]
NY ->  69ed4u0q.exe -> C:\69ed4u0q.exe
NY ->  1 C:\Users\E-Laptop\AppData\Local\Temp\*.tmp files -> C:\Users\E-Laptop\AppData\Local\Temp\*.tmp
[Empty Temp Folders]
[EMPTYFLASH]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the *Ok* button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


----------



## hocapoca (Mar 26, 2010)

OTS Fix log attached.
IE is still the same, with a blank screen showing "connecting".
Under Internet Options in Control Panel it still shows 1188.com.


----------



## SweetTech (Jan 1, 1970)

After you ran the OTS fix it should have restarted your computer or prompted you to do so. If it did not reboot your computer then please do so now and see if this website, 1188.com, is still set as your homepage.

Could you take a screenshot of what you are seeing with IE?

Please take a screenshot of that window.


You can do this by pressing the *PrintScreen* key.
Then go to Start > All Programs > Accessories > Paint
In Paint, go up to *Edit > Paste*
Then Go up to *File > Save As*. Click the drop-down box to change the *"Save As Type"* to *"JPEG"*, name it what you want, and save it where you want.
Then click *Reply* in this topic.
Scroll down to *Attachments*.
Click the *Browse* button. 
Locate the file you just saved, click on it, then click *Open*. 
Click *Upload* and submit the reply.


----------



## hocapoca (Mar 26, 2010)

01. I did restart the computer after the fix.

02. I attached two screenshots. One of them is with regular IE, and this one is not functional at all: not able to load any website, and when I click on Internet Options under Tools nothing shows up.

The second one is IE 64-bit. This IE is functional, but the homepage is stuck with that website even after I reset the IE settings in Options.


----------



## hocapoca (Mar 26, 2010)

01. Not sure if this is going to help. I searched for 1188.com in regedit.

The value for "Start Page" is http://www.1188.com

HKEY_USERS\S-1-5-21-2324179612-35356136-2698337578-1000. HKEY_USERS\S-1-5-21-2324179612-35356136-2698337578-1001\Software\Microsoft\Internet Explorer\Main\Start Page

I tried to change it to another website (www.google.com).
It gives me an error editing the value: "Cannot edit Start Page: Error writing the value's new contents."

Not sure if it is a good idea to just delete the entry or not.


----------



## SweetTech (Jan 1, 1970)

Are these the only two issues that you are currently experiencing with your computer?


----------



## hocapoca (Mar 26, 2010)

Yes.
IE is not functional at all; it is especially annoying when I click a URL from MSN Messenger and get no response.
Many of my school websites require IE to view everything correctly.
The hijacked homepage with 1188.com is just awful.


----------



## SweetTech (Jan 1, 1970)

Please take a look at this Microsoft link for information on how to reset Internet Explorer.

Link: http://support.microsoft.com/kb/923737

Let me know if that does the trick.


----------



## hocapoca (Mar 26, 2010)

I tried that before and it didn't work.

I just tried it again now and it did not help.

There are reports of a problem with IE 8 showing "connecting" with no response when opening a page in a new tab.
Not sure if that is connected in this case.


----------



## SweetTech (Jan 1, 1970)

I'm trying to locate some additional information on a program I am thinking of having you run to try and fix the IE issues, the only problem being that I don't know if it supports 64-bit systems.

I should hopefully find out soon.

Thanks,
ST.


----------



## hocapoca (Mar 26, 2010)

Ok. Thank you.


----------



## CatByte (Feb 24, 2009)

Hi,

Sweettech is unavailable at the moment and asked if I would look in on this thread.

Please do the following:

Download *TFC* to your *desktop*

Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once its finished it should automatically *reboot your machine,*
if it doesn't, manually reboot to ensure a complete clean
*It's normal after running TFC cleaner that the PC will be slower to boot the first time. *

*NEXT*

If you *connect to the internet via a router* do this:

Let's try to reset the router to its default configuration. 

This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. 
Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). 
If you don't know the router's default password, you can look it up HERE.
You also need to reconfigure any security settings you had in place prior to the reset. 
You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

*NEXT*

Please do the following:

Click the *Microsoft Start logo* in the bottom left corner of the screen
Click *All Programs*
Click *Accessories*
RIGHT-click on *Command Prompt*
Select *Run As Administrator*
In the command window type the following and then hit Enter:

```
ipconfig /flushdns
```
You will see the following confirmation:



> Windows IP Configuration
> Successfully flushed the DNS Resolver Cache.


----------



## hocapoca (Mar 26, 2010)

Okay. I did everything: ran TFC, reset the router, flushed DNS.
Internet Explorer is still not working at all.


----------



## CatByte (Feb 24, 2009)

Hi,

Follow the steps in this Microsoft article to uninstall then reinstall IE8

http://support.microsoft.com/kb/957700/en-us


----------



## hocapoca (Mar 26, 2010)

I just removed IE 8, restarted, then installed IE 8 back and restarted. Nothing changed.

I tried to install IE7 but it is not compatible with Windows 7.

I think I need to remove what is in the registry to get rid of the problem.

I posted this regedit info before. I don't know if this is going to help or not. I can't change the value, but I am not sure if it is a good idea to delete it or not.

"The value for "Start Page" is http://www.1188.com

HKEY_USERS\S-1-5-21-2324179612-35356136-2698337578-1000. HKEY_USERS\S-1-5-21-2324179612-35356136-2698337578-1001\Software\Microsoft\Internet Explorer\Main\Start Page

I tried to change it to another website (www.google.com).
It gives me an error editing the value: "Cannot edit Start Page: Error writing the value's new contents."

Not sure if it is a good idea to just delete the entry or not."


----------



## CatByte (Feb 24, 2009)

Hi,

Can you please describe in as much detail as possible what the issues with IE are, when they started happening, and what steps you have taken on your own to try and fix them.

Do not change the registry at this time, I'd like to get a look with another tool

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Check the boxes beside *LOP Check* and *Purity Check*.
Under the Custom Scan box paste this in:

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your next reply.


----------



## hocapoca (Mar 26, 2010)

It all started 2-3 weeks ago.
When I open up Internet Explorer, I get a blank page with the tab showing "connecting".
When I go to Tools / Internet Options, nothing opens up.
However, when I go to Control Panel and Internet Options, it shows the homepage is 1188.com.

When using Internet Explorer (64-bit) from the program menu, the internet works, but the homepage is stuck with 1188.com. I cannot change the homepage even after resetting all settings.


I attached both pictures from the previous post for both IEs.

When I click a URL link from MSN Messenger, IE is non-responsive.

So far I have just run a virus scan, Spybot S&D, and the Microsoft Malicious Software Removal Tool. Nothing has helped so far. I attached both OTL and Extras; they are too big to copy and paste.


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.1188.com
O33 - MountPoints2\{4766c734-084a-11df-b9dc-90e6ba743da9}\Shell - "" = AutoRun
O33 - MountPoints2\{4766c734-084a-11df-b9dc-90e6ba743da9}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
[2010/04/04 14:07:40 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Roaming\360safe
[2010/04/04 14:07:40 | 000,000,000 | ---D | C] -- C:\ProgramData\360safe
[2010/04/02 03:02:50 | 000,000,000 | ---D | C] -- C:\Windows\tasks\360Disabled
[2010/04/02 03:02:50 | 000,000,000 | ---D | C] -- C:\Windows\tasks\360Delay
[2010/04/02 02:20:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\360
[2010/03/26 22:16:48 | 000,000,029 | ---- | M] () -- C:\Windows\msgtn.ini

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log


----------



## hocapoca (Mar 26, 2010)

Here is the log. IE still the same.

All processes killed
========== OTL ==========
Unable to set value : HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4766c734-084a-11df-b9dc-90e6ba743da9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4766c734-084a-11df-b9dc-90e6ba743da9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4766c734-084a-11df-b9dc-90e6ba743da9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4766c734-084a-11df-b9dc-90e6ba743da9}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\Autorun.exe not found.
C:\Users\E-Laptop\AppData\Roaming\360safe\360Disabled folder moved successfully.
C:\Users\E-Laptop\AppData\Roaming\360safe folder moved successfully.
C:\ProgramData\360safe\360Disabled folder moved successfully.
C:\ProgramData\360safe folder moved successfully.
C:\Windows\tasks\360Disabled folder moved successfully.
C:\Windows\tasks\360Delay folder moved successfully.
C:\Program Files (x86)\360\360safe folder moved successfully.
C:\Program Files (x86)\360 folder moved successfully.
C:\Windows\msgtn.ini moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: E-Laptop
->Flash cache emptied: 1633 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: E-Laptop
->Temp folder emptied: 404350 bytes
->Temporary Internet Files folder emptied: 97189 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 82879032 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7992 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 80.00 mb

OTL by OldTimer - Version 3.2.1.0 log created on 04082010_234410

Files\Folders moved on Reboot...
C:\Users\E-Laptop\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


----------



## CatByte (Feb 24, 2009)

Please do the following

Please download *SystemLook* from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:reg
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main /sub
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## hocapoca (Mar 26, 2010)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:56 on 08/04/2010 by E-Laptop (Administrator - Elevation successful)

========== reg ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Check_Associations"="no"
"CompatibilityFlags"= 0000000000 (0)
"Default_Page_URL"="http://asus.msn.com"
"Disable Script Debugger"="yes"
"DisableFirstRunCustomize"= 0x0000000003 (3)
"Display Inline Images"="yes"
"Do404Search"=01 00 00 00 (REG_BINARY)
"Enable Browser Extensions"="yes"
"FormSuggest Passwords"="yes"
"FormSuggest PW Ask"="yes"
"FullScreen"="no"
"IE8RunOnceLastShown"= 0x0000000001 (1)
"IE8RunOnceLastShown_TIMESTAMP"=80 23 e1 ea 7c c8 ca 01 (REG_BINARY)
"Local Page"="C:\Windows\system32\blank.htm"
"NotifyDownloadComplete"="no"
"NoUpdateCheck"= 0x0000000001 (1)
"Play_Animations"="yes"
"Play_Background_Sounds"="yes"
"Save_Session_History_On_Exit"="no"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Start Page"="http://www.1188.com"
"Use FormSuggest"="no"
"UseClearType"="no"
"Use_DlgBox_Colors"="yes"
"Window_Placement"=2c 00 00 00 02 00 00 00 03 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 83 03 00 00 5f 00 00 00 f0 07 00 00 49 04 00 00 (REG_BINARY)
"XMLHTTP"= 0x0000000001 (1)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds]
(No values found)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds\{222C34EB-AB76-4356-A6DC-9921C9ED3BA7}]
"Title"="Microsoft Feeds\Microsoft at Work"
"Url"="http://go.microsoft.com/fwlink/?LinkId=68929"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds\{6AF2A542-262C-4999-AA99-6ABEFAEEB70A}]
"Title"="Microsoft Feeds\MSNBC News"
"Url"="http://go.microsoft.com/fwlink/?LinkId=44406"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds\{708AD174-BA80-48C5-9FAC-AF5FA22E3F52}]
"Title"="Microsoft Feeds\Microsoft at Home"
"Url"="http://go.microsoft.com/fwlink/?LinkId=68928"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch]
"AutoCompleteGroups"= 0x0000000005 (5)
"Cleared"= 0x0000000001 (1)
"Cleared_TIMESTAMP"=9e a7 3e 3f 2b d2 ca 01 (REG_BINARY)
"ConfiguredScopes"= 0x0000000005 (5)
"LastCrawl"=a4 4b d1 3a b2 d6 ca 01 (REG_BINARY)
"UpgradeTime"=5c 3c f8 89 de d6 ca 01 (REG_BINARY)
"User Favorites Path"="file:///C:\Users\E-Laptop\Favorites\"
"Version"="6.1.7600.16385"

-=End Of File=-


----------



## CatByte (Feb 24, 2009)

Before I do anything else can you please open your Symantec Antivirus Interface and see if you can find any settings for "Home Page Protection"


----------



## hocapoca (Mar 26, 2010)

I did not see anything like that in my Symantec antivirus.


----------



## CatByte (Feb 24, 2009)

Is there a settings tab, with an "Internet Section"?


----------



## CatByte (Feb 24, 2009)

Hi,

You had Spybot installed at one point; when was that uninstalled?

Did you try the system restore feature in your win7, to restore the computer back to before this issue began?


----------



## hocapoca (Mar 26, 2010)

I did not see any internet option in the Symantec antivirus. It's a corporate edition from school.
Spybot was removed a few days ago; its scan found nothing.

I did not do a system restore.


----------



## CatByte (Feb 24, 2009)

Hi,

This is a Win7 64bit system, it's doubtful malware has messed with the permissions on your registry keys, but I suppose it is possible, so my first thought is that one of your security programs has it locked down with a homepage protection feature.

First, boot up into safe mode: (tap F8 on startup till the option menu appears, choose safe mode with networking)

Run this OTL Fix in safe mode, see if that will work:

Run *OTL.exe*

Copy/paste the following text written inside of the code box into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.1188.com

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```
Then click the *Run Fix* button at the top

Let the program run unhindered, reboot into normal mode when it is done.

Then post the OTL log.

If that doesn't work, then try restoring the computer back to a time before this occurred. Win7 has a vigorous system restore feature that should resolve the issue.

Let me know if either of those suggestions resolves the issue. If not we'll look at the permissions on the key.


----------



## hocapoca (Mar 26, 2010)

Here is the log. I don't think it is working even in safe mode.

System Restore was off for some reason, so there are no restore points at all.

All processes killed
========== OTL ==========
Unable to set value : HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: E-Laptop
->Flash cache emptied: 560 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: E-Laptop
->Temp folder emptied: 201943 bytes
->Temporary Internet Files folder emptied: 3642354 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48585193 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3272 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 50.00 mb

OTL by OldTimer - Version 3.2.1.0 log created on 04092010_162106

Files\Folders moved on Reboot...
C:\Users\E-Laptop\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

Download: *SWREG* and save it to your desktop.

Now open an elevated command prompt

Go to the Start logo > type > *cmd*

right click on the *cmd program* and *"Run as an Administrator"* this will open an elevated command window

Copy the text inside the code box and paste it into the open command window


```
cd %userprofile% 
SWREG ACL "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" >log.txt
start notepad log.txt
exit
cls
```
Post the resulting log.


----------



## hocapoca (Mar 26, 2010)

After I do that, the log file opens in Notepad, but it is blank inside.


----------



## CatByte (Feb 24, 2009)

OK,

we'll try and reset the permissions on that key anyway:

please do this:

open an elevated command prompt

Go to the Start logo > type > *cmd*

*Right-click* on the *cmd program* and select *"Run as an Administrator"*; this will open an elevated command window

Copy the text inside the code box and paste it into the open command window


```
cd %userprofile%
SWREG ACL "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /reset
Swreg acl "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" >log.txt
Start notepad log.txt
Exit
Cls
```
Please post the resulting log.

If the log is still blank, please go into your IE and see if you can now change the start page manually.


----------



## hocapoca (Mar 26, 2010)

Log still blank.
Homepage still cannot be changed under Control Panel / Internet Options.


----------



## CatByte (Feb 24, 2009)

I think perhaps Spybot may have locked it down.

If Spybot locks the homepage and then is uninstalled, the homepage remains locked down.

You could try reinstalling Spybot, then remove the homepage protection feature.

See if that is the issue.


----------



## hocapoca (Mar 26, 2010)

The home page was locked way before (more than 2 weeks); I installed Spybot a few days ago.
I don't really think that is the issue.
Besides the homepage lock, IE cannot even load a single page at all.


----------



## CatByte (Feb 24, 2009)

Then have a look again at the Symantec settings.

See if you can uninstall Symantec, see if IE will now work, then reinstall Symantec.


----------



## hocapoca (Mar 26, 2010)

Just uninstalled Symantec and restarted. Nothing changed. So I installed Symantec back.

After that I downloaded this fix file from a website, and now my IE (64-bit) homepage changed to
this http://www.symantec.com/norton/security_response/fixhomepage.jsp from 1188.com, but I cannot change it to anything else.

32-bit IE is still not working at all. It cannot load any page.


----------



## CatByte (Feb 24, 2009)

My apologies,

I left off an important part of the syntax; that's why the log was blank.

let's get a look at that key again:

open an elevated command prompt

Go to the Start logo > type > *cmd*

Right-click on the *cmd* program and select "Run as an Administrator"; this will open an elevated command window

Copy the text inside the code box and paste it into the open command window


```
cd %userprofile%\desktop 
SWREG ACL "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" >log.txt
start notepad log.txt
exit
cls
```
Post the resulting log.


----------



## hocapoca (Mar 26, 2010)

Here is the log file.

*******************************************************************************
Registrykey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Read This Key and Subkeys

No Auditing set

Owner: SYSTEM (NT AUTHORITY\SYSTEM)


----------



## CatByte (Feb 24, 2009)

OK, that key is not the issue then, as you have permission on that key.

Let's check something else:

Please do the following:

Please run the System Look program with the following script:


Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:Reg
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel /sub
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel /sub
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## hocapoca (Mar 26, 2010)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:27 on 10/04/2010 by E-Laptop (Administrator - Elevation successful)

========== Reg ==========

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
(Unable to open key - key not found)

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
(Unable to open key - key not found)

-=End Of File=-


----------



## CatByte (Feb 24, 2009)

Hi,

My apologies, I initially misread the results of the permissions check: you have permission on the key, but only to read, not write, so it won't allow a change.

we'll attempt to reset it back

please do the following:

open an elevated command prompt

Go to the *Start logo* > type > *cmd*

*Right-click* on the *cmd program* and select *"Run as an Administrator"*; this will open an elevated command window

*Copy* the text *inside* the code box and *paste* it into the open command window


```
cd %userprofile%\desktop
SWREG ACL "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /reset
Swreg acl "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" >log.txt
Start notepad log.txt
Exit
Cls
```
Please post the resulting log.


----------



## hocapoca (Mar 26, 2010)

After this, I tried to change the homepage in IE (64-bit), and now it allows me to change the homepage to google.com.
However, I still cannot load any page from IE 32-bit. When clicking a URL in MSN Live Messenger, it is non-responsive.

*******************************************************************************
Registrykey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
EC-LAPTOP\Administrators
Allowed Full Control This Key Only
\CREATOR OWNER
Allowed Full Control Subkeys only
EC-Laptop\E-Laptop
Allowed Full Control Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control Subkeys only (Inherited) (Inherited)
EC-LAPTOP\Administrators
Allowed Full Control Subkeys only (Inherited) (Inherited) (Inherited)
NT AUTHORITY\RESTRICTED
Allowed Read Subkeys only (Inherited) (Inherited) (Inherited) (Inherited)

No Auditing set

Owner: Administrators (EC-LAPTOP\Administrators)


----------
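The two permission dumps above are the point CatByte corrected: an "Allowed Read" entry on the key is enough to open it but not to change Start Page, and only the dump taken after the /reset shows write rights. As an added example, not code from the thread or from the SWREG tool, here is a small Python parser for that dump format that extracts the owner and each ACE and decides whether a given set of principals can write the key itself. It assumes SWREG prints rights literally as "Read" or "Full Control" and scopes as "This Key Only", "This Key and Subkeys" or "Subkeys only" (the strings visible in the posted dumps); the sample dumps embedded in it are constructed from the two posted above, with the asterisk rules shortened and repeated inherited rows dropped, and the principal names are the ones that appear in those dumps.

```python
"""Parse the permission dump that ``swreg acl <key>`` prints and decide whether
a set of principals can write the key itself.  Added example; assumes SWREG
prints rights as "Read"/"Full Control" and scopes as "This Key Only",
"This Key and Subkeys" or "Subkeys only" (the strings seen in the thread)."""
import re
from dataclasses import dataclass

WRITE_RIGHTS = {"Full Control", "Write"}                   # rights that let a principal change values
SCOPES_ON_KEY = ("This Key Only", "This Key and Subkeys")  # scopes that apply to the key itself
SCOPES_ALL = SCOPES_ON_KEY + ("Subkeys only",)             # "Subkeys only" does not


@dataclass
class Ace:
    principal: str
    allowed: bool   # True for "Allowed", False for "Denied"
    right: str      # "Read", "Full Control", ...
    scope: str      # one of SCOPES_ALL, "" if unrecognised
    inherited: bool


@dataclass
class AclReport:
    key: str
    owner: str
    aces: list


def _parse_ace(principal, line):
    """'Allowed Full Control Subkeys only (Inherited)' -> Ace."""
    kind, rest = line.split(None, 1)
    inherited = "(Inherited)" in rest
    rest = rest.replace("(Inherited)", "").strip()
    scope = next((s for s in SCOPES_ALL if rest.endswith(s)), "")
    right = rest[:len(rest) - len(scope)].strip() if scope else rest
    return Ace(principal, kind == "Allowed", right, scope, inherited)


def parse_swreg_acl(text):
    """ACE rows follow the third row of asterisks: a principal line, then an
    'Allowed ...'/'Denied ...' line.  A blank line ends the table."""
    key = owner = ""
    aces, rules, principal = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Registrykey:"):
            key = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line and set(line) == {"*"}:
            rules += 1
        elif rules >= 3:
            if not line:
                principal = None
            elif principal and re.match(r"(Allowed|Denied)\s", line):
                aces.append(_parse_ace(principal, line))
                principal = None
            elif not line.startswith("No Auditing"):
                principal = line
    return AclReport(key, owner, aces)


def can_write_key(report, principals):
    """True if one of `principals` holds an Allowed write-class ACE on the key
    itself and no Denied ACE on those rights (deny wins, as Windows evaluates it)."""
    mine = {p.lower() for p in principals}
    hits = [a for a in report.aces if a.principal.lower() in mine and a.scope in SCOPES_ON_KEY]
    if any(not a.allowed and a.right in WRITE_RIGHTS for a in hits):
        return False
    return any(a.allowed and a.right in WRITE_RIGHTS for a in hits)


# Sample inputs constructed from the two dumps posted in the thread (asterisk rules
# shortened, repeated inherited rows dropped): the read-only state, then after /reset.
HEADER = ("*****\nRegistrykey: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\n\n"
          "Permissions:\n*****\nUsername\nType Permissions Inheritance\n*****\n")
DUMP_BEFORE = HEADER + r"""\Everyone
Allowed Read This Key and Subkeys

No Auditing set

Owner: SYSTEM (NT AUTHORITY\SYSTEM)
"""
DUMP_AFTER = HEADER + r"""EC-LAPTOP\Administrators
Allowed Full Control This Key Only
\CREATOR OWNER
Allowed Full Control Subkeys only
EC-Laptop\E-Laptop
Allowed Full Control Subkeys only (Inherited)
NT AUTHORITY\RESTRICTED
Allowed Read Subkeys only (Inherited) (Inherited) (Inherited) (Inherited)

No Auditing set

Owner: Administrators (EC-LAPTOP\Administrators)
"""
# Principals of the thread's user when running elevated (names taken from the dumps).
USER_ELEVATED = ["EC-Laptop\\E-Laptop", "EC-LAPTOP\\Administrators", "\\Everyone"]
```

Fed the first dump, `can_write_key` returns False for the user (Everyone holds Read only, owner SYSTEM); fed the second it returns True, but only through the Administrators entry, which is in the user's token when the command prompt is elevated as it was in the thread. The user's own E-Laptop row carries "Subkeys only", so the parser does not count it toward the key itself, and a Denied entry on write rights would override an Allowed one, matching how Windows evaluates an ACL.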



## CatByte (Feb 24, 2009)

Was it working fine before the current issues you have experienced?

When did this occur? Was there anything you recall that you did at the time when it stopped working?

Have you tried to reset IE32 back to default with the MS Fixit > http://support.microsoft.com/kb/923737


----------



## hocapoca (Mar 26, 2010)

I think it happened exactly at the time when my homepage got hijacked by 1188.com 2-3 weeks ago.
I tried resetting IE 8, but it is still the same.


----------



## hocapoca (Mar 26, 2010)

It seems to be a very common problem with IE 8 32-bit.
I tried this solution here, but it is not working at all.
http://social.answers.microsoft.com.../thread/e312e580-1cbc-496b-8c6b-b69b8535a7bb/

I got access denied when running that bat.


----------



## CatByte (Feb 24, 2009)

Hi,

That fix was for new tabs not opening.

What exactly happens with IE 32-bit? Please describe the problem with it in as much detail as possible.

Can you connect to the internet at all with it?

Will your home page open?

What happens when you right-click the icon and run it as an administrator?

Did you reboot after you ran that fix, as many people report it didn't take effect till after a reboot, regardless of the access denied message?


----------



## hocapoca (Mar 26, 2010)

When I open IE 8 32-bit, the page will be blank with the tab showing "connecting".
But nothing will load. The homepage will not open. Even if I manually type in a web address, nothing happens. The weird thing is that when I go to Tools / Internet Options, it won't open.
Many of the options are grayed out, e.g. Help / About IE, Help / Internet Explorer Help.
Here is the picture attachment I uploaded earlier.

http://attachments.techguy.org/attachments/168099d1270506739/ie-regular.jpg

If I run it as Admin, then I can actually open Internet Options under Tools, but the page is still blank.
Because IE8 32-bit is the default for Live Messenger, when clicking a URL hyperlink from Messenger, not even an IE window pops up.

Firefox and IE 64-bit are loading everything fine.

I did restart after the script command.
I tried removing IE 8 and reinstalling it again, resetting IE settings, resetting my router, removing Symantec with the removal tool, running MSRT from Microsoft, and a virus scan.

Microsoft Answers recommended I get expert help from a hijackware help site.


----------



## CatByte (Feb 24, 2009)

Hi

Please try the following:

Open an elevated command window

Go to Start > type in *cmd* > right-click cmd.exe > *Run as an Administrator*

_first type>_ *regsvr32 actxprxy.dll* > _hit enter_
_now type>_ *regsvr32 jscript.dll* > _hit enter_
_now type>_ *regsvr32 vbscript.dll* > _hit enter_
_now type>_ *regsvr32 Urlmon.dll* > _hit enter_
_now type>_ *regsvr32 Mshtml.dll* > _hit enter_
_now type>_ *regsvr32 Oleaut32.dll* > _hit enter_
_now type>_ *regsvr32 Shell32.dll* > _hit enter_
_now type>_ *regsvr32 Shdocvw.dll* > _hit enter_

You should get a *success* message.

Reboot the machine.

See if that helps.


----------



## hocapoca (Mar 26, 2010)

Just tried it and restarted. 2 of the commands gave me an error:
The module "shdocvw.dll" was loaded but the entry-point DllRegisterServer was not found.
IE is still the same, not loading any pages.

*regsvr32 Shdocvw.dll*
*regsvr32 Mshtml.dll*


----------



## CatByte (Feb 24, 2009)

Hi

Please run the System Look program with the following script:


Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:Reg
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} /sub
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## hocapoca (Mar 26, 2010)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:02 on 11/04/2010 by E-Laptop (Administrator - Elevation successful)

========== Reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}]
@="IDispatch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\NumMethods]
@="7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32]
@="{00020420-0000-0000-C000-000000000046}"

-=End Of File=-


----------



## CatByte (Feb 24, 2009)

Hi,

Please try the following:

Go to Start > control panel

Click on > Network and Internet

Click on Internet Options > Advanced tab

Now click the "Reset" button in the Reset Internet Explorer Settings


Click Apply > OK


Exit and see if there are any changes.


----------



## hocapoca (Mar 26, 2010)

No change after I reset IE.


----------



## CatByte (Feb 24, 2009)

Please run a fresh OTL log and advise if there are any other outstanding issues besides 32-bit IE not working.


----------



## hocapoca (Mar 26, 2010)

No other problems besides IE 8 32-bit.
Is it possible to link Firefox as the default browser for MSN Live Messenger?

OTL logfile created on: 4/12/2010 5:38:24 PM - Run 2
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\E-Laptop\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 67.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 188.96 Gb Free Space | 81.14% Space Free | Partition Type: NTFS
Drive D: | 218.23 Gb Total Space | 115.03 Gb Free Space | 52.71% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EC-LAPTOP
Current User Name: E-Laptop
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\E-Laptop\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\CSHelper.exe ()
PRC - C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)
PRC - C:\Program Files (x86)\GBM\GRemote Pro\GRemoteServer.exe (GBM Software)
PRC - C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe ()
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe (ASUS)
PRC - C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe (ASUSTeK Computer Inc.)
PRC - C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe (ASUSTek Computer Inc.)
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\AsLdrSrv.exe (ASUS)
PRC - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe (ASUS)
PRC - C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe (ASUS)
PRC - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
PRC - C:\Windows\SysWOW64\NMSAccessU.exe ()
PRC - C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe (ASUSTek Computer Inc.)
PRC - C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe ()
PRC - C:\Program Files\ATKGFNEX\GFNEXSrv.exe ()

========== Modules (SafeList) ==========

MOD - C:\Users\E-Laptop\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\comdlg32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV:*64bit:* - (WatAdminSvc) -- C:\Windows\SysNative\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV:*64bit:* - (AFBAgent) -- C:\Windows\SysNative\FBAgent.exe (ASUSTeK Computer Inc.)
SRV:*64bit:* - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:*64bit:* - (WwanSvc) -- C:\Windows\SysNative\wwansvc.dll (Microsoft Corporation)
SRV:*64bit:* - (WbioSrvc) -- C:\Windows\SysNative\wbiosrvc.dll (Microsoft Corporation)
SRV:*64bit:* - (Power) -- C:\Windows\SysNative\umpo.dll (Microsoft Corporation)
SRV:*64bit:* - (Themes) -- C:\Windows\SysNative\themeservice.dll (Microsoft Corporation)
SRV:*64bit:* - (sppuinotify) -- C:\Windows\SysNative\sppuinotify.dll (Microsoft Corporation)
SRV:*64bit:* - (SensrSvc) -- C:\Windows\SysNative\sensrsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (PNRPsvc) -- C:\Windows\SysNative\pnrpsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (p2pimsvc) -- C:\Windows\SysNative\pnrpsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (HomeGroupProvider) -- C:\Windows\SysNative\provsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (RpcEptMapper) -- C:\Windows\SysNative\RpcEpMap.dll (Microsoft Corporation)
SRV:*64bit:* - (PNRPAutoReg) -- C:\Windows\SysNative\pnrpauto.dll (Microsoft Corporation)
SRV:*64bit:* - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:*64bit:* - (HomeGroupListener) -- C:\Windows\SysNative\ListSvc.dll (Microsoft Corporation)
SRV:*64bit:* - (FontCache) -- C:\Windows\SysNative\FntCache.dll (Microsoft Corporation)
SRV:*64bit:* - (Dhcp) -- C:\Windows\SysNative\dhcpcore.dll (Microsoft Corporation)
SRV:*64bit:* - (defragsvc) -- C:\Windows\SysNative\defragsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (bthserv) -- C:\Windows\SysNative\bthserv.dll (Microsoft Corporation)
SRV:*64bit:* - (BDESVC) -- C:\Windows\SysNative\bdesvc.dll (Microsoft Corporation)
SRV:*64bit:* - (AxInstSV) -- C:\Windows\SysNative\AxInstSv.dll (Microsoft Corporation)
SRV:*64bit:* - (AppIDSvc) -- C:\Windows\SysNative\appidsvc.dll (Microsoft Corporation)
SRV:*64bit:* - (wbengine) -- C:\Windows\SysNative\wbengine.exe (Microsoft Corporation)
SRV:*64bit:* - (sppsvc) -- C:\Windows\SysNative\sppsvc.exe (Microsoft Corporation)
SRV:*64bit:* - (Fax) -- C:\Windows\SysNative\FXSSVC.exe (Microsoft Corporation)
SRV:*64bit:* - (ATKGFNEXSrv) -- C:\Program Files\ATKGFNEX\GFNEXSrv.exe ()
SRV - (CSHelper) -- C:\Windows\SysWOW64\CSHelper.exe ()
SRV - (fsssvc) -- C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (FastBootAgent) -- C:\Windows\SysWOW64\Fast Boot\FastBootAgent.exe (ASUSTeK Computer Inc.)
SRV - (VSS) -- C:\Windows\Vss [2009/07/13 23:20:14 | 000,000,000 | ---D | M]
SRV - (MSDTC) -- C:\Windows\SysWOW64\Msdtc [2009/07/13 23:20:14 | 000,000,000 | ---D | M]
SRV - (HomeGroupProvider) -- C:\Windows\SysWOW64\provsvc.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\SysWOW64\dhcpcore.dll (Microsoft Corporation)
SRV - (vds) -- C:\Windows\SysWOW64\wbem\vds.mof ()
SRV - (ASLDRService) -- C:\Program Files (x86)\ASUS\ATK Hotkey\AsLdrSrv.exe (ASUS)
SRV - (clr_optimization_v2.0.50727_64) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (NMSAccessU) -- C:\Windows\SysWOW64\NMSAccessU.exe ()
SRV - (ADSMService) -- C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe (ASUSTek Computer Inc.)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.gmail.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}:5.0.19
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/04/02 01:28:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/04/02 01:28:12 | 000,000,000 | ---D | M]

[2010/01/22 23:41:10 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\Mozilla\Extensions
[2010/04/11 22:20:14 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\orudxl8p.default\extensions
[2010/03/13 19:38:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\E-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\orudxl8p.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/02/01 23:12:58 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\E-Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\orudxl8p.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/01 20:26:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/02/14 23:46:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}
[2009/01/15 14:53:03 | 000,616,448 | ---- | M] (ArtistScope) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npArtistScope42.dll
[2009/02/02 02:06:56 | 000,211,456 | ---- | M] (ArtistScope) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npArtistScopeDRM11.dll
[2010/01/13 18:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
[2009/07/02 12:19:28 | 000,102,400 | ---- | M] (Zylom) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npzylomgamesplayer.dll

O1 HOSTS File: ([2010/04/09 16:21:07 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4:*64bit:* - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [vptray] C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [GRemoteServer Pro] C:\Program Files (x86)\GBM\GRemote Pro\GRemoteServer.exe (GBM Software)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKCU..\Run: [PPAP] C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.EXE (PPLive Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PPLive Video Accelerator - {95B3F550-91C4-4627-BCC4-521288C52979} - C:\Program Files (x86)\PPLive\PPVA\PPLiveVA.exe (Synacast)
O9 - Extra 'Tools' menuitem : PPLive Video Accelerator - {95B3F550-91C4-4627-BCC4-521288C52979} - C:\Program Files (x86)\PPLive\PPVA\PPLiveVA.exe (Synacast)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_19-windows-i586.cab (Java Plug-in 1.5.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:*64bit:* - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:*64bit:* - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:*64bit:* - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\E-Laptop\AppData\Roaming\114la.exe) - C:\Users\E-Laptop\AppData\Roaming\114la.exe (YLMF)
O30:*64bit:* - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:*64bit:* - HKLM\..comfile [open] -- "%1" %*
O35:*64bit:* - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:*64bit:* - HKLM\...com [@ = comfile] -- "%1" %*
O37:*64bit:* - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/12 17:37:44 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\E-Laptop\Desktop\OTL.exe
[2010/04/10 20:25:06 | 000,172,080 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/04/10 20:25:05 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/04/10 20:23:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/04/10 20:23:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/04/10 20:23:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec AntiVirus
[2010/04/10 20:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/09 20:12:19 | 000,286,720 | ---- | C] (SteelWerX) -- C:\Users\E-Laptop\Desktop\swreg.exe
[2010/04/09 16:16:53 | 000,000,000 | ---D | C] -- C:\Temp OTL
[2010/04/08 23:44:10 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/08 00:22:43 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Roaming\skypePM
[2010/04/08 00:11:31 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Roaming\Skype
[2010/04/08 00:11:03 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2010/04/08 00:11:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2010/04/08 00:10:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2010/04/07 22:12:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StreamTorrent 1.0
[2010/04/07 22:12:53 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Roaming\StreamTorrent
[2010/04/04 16:52:41 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Roaming\Malwarebytes
[2010/04/04 16:52:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/04/04 16:52:31 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/04/04 16:52:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/04/04 16:52:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/04 16:46:45 | 000,000,000 | ---D | C] -- C:\_OTS
[2010/04/02 01:06:58 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\Documents\Downloads
[2010/04/02 01:04:34 | 000,000,000 | ---D | C] -- C:\Users\E-Laptop\AppData\Local\Google
[2010/04/01 20:26:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2009/12/02 04:06:52 | 000,204,800 | ---- | C] (YLMF) -- C:\Users\E-Laptop\AppData\Roaming\114la.exe
[2008/08/12 00:45:20 | 000,155,648 | ---- | C] (ASUS) -- C:\Program Files (x86)\Common Files\MSIactionall.dll

========== Files - Modified Within 14 Days ==========

[2010/04/12 17:37:46 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\E-Laptop\Desktop\OTL.exe
[2010/04/12 17:34:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/12 17:34:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/12 17:34:32 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/12 01:21:52 | 004,718,592 | -HS- | M] () -- C:\Users\E-Laptop\NTUSER.DAT
[2010/04/12 01:21:43 | 004,341,056 | -H-- | M] () -- C:\Users\E-Laptop\AppData\Local\IconCache.db
[2010/04/12 01:09:00 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2251334012-3395122772-3458723819-1001UA.job
[2010/04/12 01:09:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2251334012-3395122772-3458723819-1001Core.job
[2010/04/12 00:58:44 | 000,001,812 | ---- | M] () -- C:\Windows\psnetwork.ini
[2010/04/12 00:58:44 | 000,001,133 | ---- | M] () -- C:\Windows\powerplayer.ini
[2010/04/12 00:58:44 | 000,000,092 | ---- | M] () -- C:\Windows\PCDNSetting.ini
[2010/04/11 23:17:15 | 000,000,128 | ---- | M] () -- C:\Windows\powerlist.ini
[2010/04/11 23:02:56 | 000,000,060 | ---- | M] () -- C:\Windows\MediaList.ini
[2010/04/11 23:02:13 | 000,000,025 | ---- | M] () -- C:\Windows\msgtn.ini
[2010/04/11 14:42:13 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/11 14:42:13 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/10 23:30:41 | 000,000,439 | ---- | M] () -- C:\Windows\win.ini
[2010/04/10 20:25:09 | 000,172,080 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/04/10 20:25:09 | 000,010,583 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/04/10 20:25:09 | 000,000,854 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/04/10 20:04:37 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/04/10 20:04:37 | 000,607,190 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/04/10 20:04:37 | 000,103,568 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/04/10 18:26:32 | 000,100,908 | ---- | M] () -- C:\Users\E-Laptop\Desktop\SystemLook.exe
[2010/04/10 15:13:15 | 000,004,456 | ---- | M] () -- C:\New Text Document.bat
[2010/04/10 02:35:01 | 000,002,017 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/04/10 02:35:01 | 000,001,049 | ---- | M] () -- C:\Users\E-Laptop\Desktop\Mozilla Firefox.lnk
[2010/04/09 20:12:23 | 000,286,720 | ---- | M] (SteelWerX) -- C:\Users\E-Laptop\Desktop\swreg.exe
[2010/04/09 16:21:07 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2010/04/08 00:22:44 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
[2010/04/08 00:11:03 | 000,002,515 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/04/06 17:34:25 | 000,033,792 | ---- | M] () -- C:\Users\E-Laptop\Documents\CV-Chen.doc
[2010/04/06 17:34:19 | 000,094,216 | ---- | M] () -- C:\Users\E-Laptop\Documents\CV-Chen.pdf
[2010/04/04 16:52:36 | 000,001,015 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 12:07:38 | 000,001,626 | ---- | M] () -- C:\Windows\SysNative\AutoRunFilter.ini
[2010/04/02 12:07:38 | 000,001,251 | ---- | M] () -- C:\Windows\SysNative\ServiceFilter.ini
[2010/04/02 01:06:10 | 000,002,275 | ---- | M] () -- C:\Users\E-Laptop\Desktop\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2010/04/10 20:25:06 | 000,010,583 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/04/10 20:25:06 | 000,000,854 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/04/10 18:26:30 | 000,100,908 | ---- | C] () -- C:\Users\E-Laptop\Desktop\SystemLook.exe
[2010/04/10 15:12:46 | 000,004,456 | ---- | C] () -- C:\New Text Document.bat
[2010/04/09 22:55:19 | 000,000,025 | ---- | C] () -- C:\Windows\msgtn.ini
[2010/04/09 20:16:18 | 000,000,000 | ---- | C] () -- C:\Users\E-Laptop\log.txt
[2010/04/08 00:22:44 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/08 00:11:03 | 000,002,515 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/04/06 17:44:23 | 000,043,825 | ---- | C] () -- C:\Users\E-Laptop\Desktop\myreport.PDF
[2010/04/06 17:34:19 | 000,094,216 | ---- | C] () -- C:\Users\E-Laptop\Documents\CV-Chen.pdf
[2010/04/06 17:15:23 | 000,033,792 | ---- | C] () -- C:\Users\E-Laptop\Documents\CV-Chen.doc
[2010/04/06 00:41:13 | 011,533,504 | ---- | C] () -- C:\Users\E-Laptop\Desktop\The ICU Book-3rd ed.pdf
[2010/04/04 16:52:36 | 000,001,015 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/02 02:45:26 | 000,001,049 | ---- | C] () -- C:\Users\E-Laptop\Desktop\Mozilla Firefox.lnk
[2010/04/02 01:06:10 | 000,002,275 | ---- | C] () -- C:\Users\E-Laptop\Desktop\Google Chrome.lnk
[2010/04/02 01:04:44 | 000,000,920 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2251334012-3395122772-3458723819-1001UA.job
[2010/04/02 01:04:41 | 000,000,868 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2251334012-3395122772-3458723819-1001Core.job
[2010/03/27 02:44:56 | 000,000,036 | ---- | C] () -- C:\Users\E-Laptop\AppData\Local\housecall.guid.cache
[2010/03/22 23:48:15 | 001,049,536 | ---- | C] () -- C:\ProgramData\coopen_setup_100163.exe
[2010/01/23 17:44:48 | 000,017,408 | ---- | C] () -- C:\Windows\SysWow64\SyncBackPro.dll
[2010/01/23 15:43:16 | 000,000,092 | ---- | C] () -- C:\Windows\PCDNSetting.ini
[2010/01/23 15:42:21 | 000,001,812 | ---- | C] () -- C:\Windows\psnetwork.ini
[2010/01/23 15:42:21 | 000,000,128 | ---- | C] () -- C:\Windows\powerlist.ini
[2010/01/23 15:42:21 | 000,000,060 | ---- | C] () -- C:\Windows\MediaList.ini
[2010/01/23 15:42:09 | 000,001,133 | ---- | C] () -- C:\Windows\powerplayer.ini
[2010/01/23 03:37:02 | 000,000,024 | ---- | C] () -- C:\Windows\ATKPF.ini
[2010/01/22 11:14:01 | 004,718,592 | -HS- | C] () -- C:\Users\E-Laptop\NTUSER.DAT
[2010/01/22 11:14:01 | 000,524,288 | -HS- | C] () -- C:\Users\E-Laptop\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/01/22 11:14:01 | 000,524,288 | -HS- | C] () -- C:\Users\E-Laptop\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/01/22 11:14:01 | 000,262,144 | -HS- | C] () -- C:\Users\E-Laptop\ntuser.dat.LOG1
[2010/01/22 11:14:01 | 000,065,536 | -HS- | C] () -- C:\Users\E-Laptop\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/01/22 11:14:01 | 000,000,020 | -HS- | C] () -- C:\Users\E-Laptop\ntuser.ini
[2010/01/22 11:14:01 | 000,000,000 | -HS- | C] () -- C:\Users\E-Laptop\ntuser.dat.LOG2
[2009/10/13 21:50:06 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\LogonStart.dll
[2009/10/13 21:38:11 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2009/10/13 21:37:49 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2009/08/19 04:33:09 | 000,000,031 | ---- | C] () -- C:\Windows\OOBEPlayer.ini
[2009/07/29 01:20:40 | 000,000,010 | ---- | C] () -- C:\Windows\SysWow64\ABLKSR.ini
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/04/08 13:31:56 | 000,106,496 | ---- | C] () -- C:\Program Files (x86)\Common Files\CPInstallAction.dll
[2008/12/01 21:32:32 | 000,362,029 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2008/05/22 11:35:54 | 000,051,962 | ---- | C] () -- C:\Program Files (x86)\Common Files\banner.jpg
[2007/06/12 12:34:50 | 000,035,822 | ---- | C] () -- C:\Program Files (x86)\Common Files\ASPG_icon.ico
[2006/05/18 23:39:57 | 000,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini

========== LOP Check ==========

[2010/03/13 19:38:26 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\GARMIN
[2010/02/20 16:40:15 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\GBM Software
[2010/02/09 22:26:04 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\PPLive
[2010/04/09 22:40:16 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\PPStream
[2010/04/07 22:12:53 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\StreamTorrent
[2010/03/26 15:48:34 | 000,000,000 | ---D | M] -- C:\Users\E-Laptop\AppData\Roaming\uTorrent
[2010/04/07 17:50:07 | 000,032,608 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O20 - HKCU Winlogon: Shell - (C:\Users\E-Laptop\AppData\Roaming\114la.exe) - C:\Users\E-Laptop\AppData\Roaming\114la.exe (YLMF)
[2009/12/02 04:06:52 | 000,204,800 | ---- | C] (YLMF) -- C:\Users\E-Laptop\AppData\Roaming\114la.exe
:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log

*NEXT*


Please go to  VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*C:\Program Files (x86)\Common Files\MSIactionall.dll*
Click on the *Upload* button
If a pop-up appears saying the file has been scanned already, please select the *ReScan* button.
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.



> Is it possible to link firefox as default browser for MSN Live messenger?


Yes
http://kb.mozillazine.org/MSN_Messenger
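
As an added detection example (not part of this thread, and not code from OTL or its author), the script below parses OTL-style log lines for the two patterns the fix above removes: a per-user Winlogon Shell value and an executable sitting directly in the AppData\Roaming root. The sample log is constructed from the 114la.exe lines quoted in the fix plus a benign HKLM Shell line and the Malwarebytes driver entry; the regular expressions assume OTL's usual line layout.

```python
"""Triage OTL log lines for the Winlogon Shell hijack seen in this thread.

Added example; it is not part of the forum thread or of OTL itself.  It
reads the O20 Winlogon lines and the [date | size | attr | C/M] file
entries that OTL emits and flags the patterns the fix removed: a
per-user (HKCU) Shell value, an HKLM Shell other than explorer.exe, and
an executable dropped directly into the AppData\\Roaming folder.
"""
import re

# O20 - <hive> Winlogon: <Value> - (<data>) - <path> (<company>)
WINLOGON_RE = re.compile(
    r"^O20 - (?P<hive>HKLM|HKCU) Winlogon: (?P<value>\w+) - \((?P<data>[^)]*)\)"
)
# [<timestamp> | <size> | <attrs> | C|M] (<company>) -- <path>
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# An .exe/.dll/.scr directly in the Roaming profile root, not in a subfolder.
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.(exe|dll|scr)$", re.IGNORECASE)

DEFAULT_SHELL = "explorer.exe"  # Windows default for HKLM\...\Winlogon\Shell

# Constructed sample: the two 114la.exe lines from the thread, a benign
# HKLM Shell line and the Malwarebytes driver entry for contrast.
SAMPLE_LOG = r"""
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\E-Laptop\AppData\Roaming\114la.exe) - C:\Users\E-Laptop\AppData\Roaming\114la.exe (YLMF)
[2009/12/02 04:06:52 | 000,204,800 | ---- | C] (YLMF) -- C:\Users\E-Laptop\AppData\Roaming\114la.exe
[2010/04/04 16:52:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
"""


def triage(log_text):
    """Return a list of (line, reason) tuples, one per suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WINLOGON_RE.match(line)
        if m:
            hive, value, data = m.group("hive", "value", "data")
            if value != "Shell":
                continue
            if hive == "HKCU":
                # Windows sets no per-user Shell; a value here replaces
                # explorer.exe for that user only and survives an HKLM cleanup.
                findings.append((line, "per-user Winlogon Shell override: " + data))
            elif data.strip().lower() != DEFAULT_SHELL:
                findings.append((line, "Winlogon Shell is not explorer.exe: " + data))
            continue
        m = FILE_RE.match(line)
        if m and ROAMING_EXE_RE.search(m.group("path")):
            findings.append((line, "executable in AppData\\Roaming root: " + m.group("path")))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(reason)
        print("    " + entry)
```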


----------



## hocapoca (Mar 26, 2010)

IE is still the same.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Users\E-Laptop\AppData\Roaming\114la.exe deleted successfully.
C:\Users\E-Laptop\AppData\Roaming\114la.exe moved successfully.
File C:\Users\E-Laptop\AppData\Roaming\114la.exe not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: E-Laptop
->Flash cache emptied: 7079 bytes

User: hoca

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: E-Laptop
->Temp folder emptied: 136491974 bytes
->Temporary Internet Files folder emptied: 6946587 bytes
->Java cache emptied: 131538 bytes
->FireFox cache emptied: 93485211 bytes
->Google Chrome cache emptied: 333289441 bytes
->Flash cache emptied: 0 bytes

User: hoca
->Temp folder emptied: 44049 bytes
->Temporary Internet Files folder emptied: 66340 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 36900 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 544.00 mb

OTL by OldTimer - Version 3.2.1.1 log created on 04122010_203454

Files\Folders moved on Reboot...
C:\Users\E-Laptop\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

VirSCAN.org Scanned Report:
Scanned time : 2010/04/12 20:41:20 (EDT)
Scanner results: Scanners did not find malware!
File Name : MSIactionall.dll
File Size : 155648 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 75cb0bb7f02bc772bc8895913284867c
SHA1 : 2928e008a51df249a843fc00a5364f6e1bbc8a9e
Online report : http://virscan.org/report/02cad14ebdf5a97c37b9840d770f8a0d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100413043122 2010-04-13 5.06 -
AhnLab V3 2010.04.11.00 2010.04.11 2010-04-11 1.13 -
AntiVir 8.2.1.210 7.10.6.64 2010-04-12 0.24 -
Antiy 2.0.18 20100412.4183175 2010-04-12 0.02 -
Arcavir 2009 201004121914 2010-04-12 0.06 -
Authentium 5.1.1 201004121504 2010-04-12 1.66 -
AVAST! 4.7.4 100412-2 2010-04-12 0.01 -
AVG 8.5.720 271.1.1/2807 2010-04-13 0.25 -
BitDefender 7.81008.5625494 7.31180 2010-04-13 3.61 -
ClamAV 0.95.3 10731 2010-04-13 0.04 -
Comodo 3.13.579 4581 2010-04-12 0.92 -
CP Secure 1.3.0.5 2010.04.13 2010-04-13 0.07 -
Dr.Web 5.0.2.3300 2010.04.13 2010-04-13 6.56 -
F-Prot 4.4.4.56 20100412 2010-04-12 1.67 -
F-Secure 7.02.73807 2010.04.12.12 2010-04-12 1.41 -
Fortinet 4.0.14 11.690 2010-04-12 0.24 -
GData 19.10986/19.882 20100412 2010-04-12 6.67 -
ViRobot 20100412 2010.04.12 2010-04-12 0.41 -
Ikarus T3.1.01.80 2010.04.12.75613 2010-04-12 5.73 -
JiangMin 13.0.900 2010.04.12 2010-04-12 1.22 -
Kaspersky 5.5.10 2010.04.11 2010-04-11 0.18 -
KingSoft 2009.2.5.15 2010.4.12.21 2010-04-12 0.78 -
McAfee 5400.1158 5945 2010-04-08 0.02 -
Microsoft 1.5605 2010.04.13 2010-04-13 6.63 -
Norman 6.04.11 6.04.00 2010-04-12 6.01 -
Panda 9.05.01 2010.04.12 2010-04-12 2.72 -
Trend Micro 9.120-1004 6.992.04 2010-04-12 0.03 -
Quick Heal 10.00 2010.04.12 2010-04-12 1.56 -
Rising 20.0 22.43.00.04 2010-04-12 1.10 -
Sophos 3.06.0 4.52 2010-04-13 3.36 -
Sunbelt 3.9.2412.2 6168 2010-04-12 6.14 -
Symantec 1.3.0.24 20100412.003 2010-04-12 0.05 -
nProtect 20100412.03 7941349 2010-04-12 4.99 -
The Hacker 6.5.2.0 v00259 2010-04-12 0.41 -
VBA32 3.12.12.4 20100408.2021 2010-04-08 3.50 -
VirusBuster 4.5.11.10 10.124.6/2045053 2010-04-12 2.45 -



----------



## CatByte (Feb 24, 2009)

That was the remaining malware from your log

I don't see any more malware on your system.

Please reboot and try the IE reset instructions from this post

http://forums.techguy.org/7325637-post66.html

If there is still no change,

then I will clean up the tools we have used.

then I would like you to post in the web/email section; the techs there may be able to assist with it, as essentially I just do malware in this forum. They are better equipped to figure out why it's not functioning: http://forums.techguy.org/17-web-email/


----------



## hocapoca (Mar 26, 2010)

OK. Thank you so much for all your help. Really appreciated it.
Should I refer the tech to this post?
I will probably try the messenger reroute you mention; IE 8 is a piece of junk.


----------



## CatByte (Feb 24, 2009)

Hi,

OK, then let's clean up the tools used:

Clean up with *OTL:*

Double-click *OTL.exe* to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the *CLEANUP* button
Say *Yes* to the prompt and then allow the program to reboot your computer.

If there are any remaining logs or tools I had you download > right click and delete them.

set a new restore point:


press the *Win key* on the keyboard, type *Restore*, then press *enter* to get to the *System Restore* section.
Click *"Create a restore point"*. Click on the *"Create"* button to create a new restore point. You may be prompted for permission to continue - ALLOW it to continue. You'll be prompted for a name, and you might want to give it a useful name that you'll be able to easily identify later.
Click the *Create* button, and then the system will create the restore point.
When it's all finished, you'll get a message saying it's *completed successfully.*
*You will now have a new restore point*

*Then remove all previous Restore Points*

Click *Win key* on the keyboard, type *cleanmgr* to access the *disk cleanup*
choose *all files on the computer,* then choose the *C: drive*, press *OK*. Disk cleanup calculates the files; this takes a few minutes > another menu will pop up.
At the top, click on the *More Options tab*, under *System Restore and Shadow Copies group*, 
Click the *Clean up button,*
Vista will ask you if you're sure, click on the *Delete* button, click *OK* > *Delete Files*

I will give you my normal recommendations, use what you will:

I hope the techs in the other forum can figure it out: do link back to this topic so they can see that this occurred as a result of malware and may be due to locked permissions somewhere along the line.

good luck

Below I have included a number of recommendations for how to protect your computer against malware infections.

It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: *Strong passwords: How to create and use them*. Then consider a *password keeper* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.

*Download* *TFC* *to your desktop*
Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine,*
if it doesn't, manually reboot to ensure a complete clean
*It's normal after running TFC cleaner that the PC will be slower to boot the first time. *

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an addon available for both Firefox and IE.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
*Think Prevention.*
*PC Safety and Security--What Do I Need?.*

*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.*

Thank you for your patience, and performing all of the procedures requested.


----------



## hocapoca (Mar 26, 2010)

Thank you very much for your help.
One last question. Should I keep the Malwarebytes software, or should I remove it from the Control Panel?


----------



## CatByte (Feb 24, 2009)

Keep it, it's a very good program; run it every once in a while.


----------



## hocapoca (Mar 26, 2010)

Ok, I will keep it. Thank you so much for all your time and help.


----------

