
Solved Google Redirect in Windows 7

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2009/08/29.

  1. 2009/09/01
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Sorry about that....I remembered I had a copy of Spybot and thought it might not hurt (see what happens when I think for myself!!?)

    Have done as you asked and........the problem goes away. No more redirects immediately after the fixes were made by HJT. But as soon as I reboot the computer those entries are there again in HJT and the problem is back.

    We are getting closer though!!

    QK.
     
  2. 2009/09/01
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    HJT log after 'fixing'
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:19:41 PM, on 2/09/2009
    Platform: Unknown Windows (WinNT 6.01.3004)
    MSIE: Internet Explorer v8.00 (8.00.7100.0000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

    --
    End of file - 2389 bytes

    Currently the redirect issue is not happening!

    I will post another after the next reboot.
     

  4. 2009/09/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes we're getting somewhere :)
    Just to make sure...
    When you restart the computer, most likely Spybot asks you about registry changes.
    Do you allow them?
     
  5. 2009/09/01
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    There I go again. Instead of disabling teatimer I uninstalled Spybot completely.

    I have just rebooted and the issue appears to have been resolved.

    HJT log post fixes and post reboot.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:29:15 PM, on 2/09/2009
    Platform: Unknown Windows (WinNT 6.01.3004)
    MSIE: Internet Explorer v8.00 (8.00.7100.0000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

    --
    End of file - 2389 bytes
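The two HijackThis logs above were compared by eye to see whether the fixed entries came back after the restart. The script below is an added example for readers of this thread (not a tool from the thread, from Trend Micro or from WindowsBBS) that does the same comparison mechanically: it parses the R0/R1/Oxx entries of two HJT logs, reports what is new, changed or gone between the post-fix scan and the post-reboot scan, and flags any search or start page whose host is not on an analyst-supplied allowlist (defaulting to go.microsoft.com, the host seen in the logs above). The two sample logs in the script are constructed and abbreviated; the host `search.example.invalid` and the file `placeholder.exe` are placeholders, not indicators taken from this thread.

```python
"""Diff two HijackThis (HJT) logs and flag entries that came back after a reboot.

Added example for this thread; not a tool from the thread, from Trend Micro or
from WindowsBBS. The two sample logs below are constructed and abbreviated: they
borrow the HJT line format (R0/R1/O4/O20 entries) but the search host and the
HKCU Run entry in the second log are placeholders, not indicators from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: scan taken right after HJT "fixed" the checked entries.
LOG_AFTER_FIX = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll

--
End of file - 2389 bytes
"""

# Constructed sample: scan taken after the next restart. The changed Search Page
# host and the extra HKCU Run entry are placeholders modelling "entries are back".
LOG_AFTER_REBOOT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [placeholder_loader] C:\Users\laptop\AppData\Local\Temp\placeholder.exe
O20 - AppInit_DLLs: avgrsstx.dll

--
End of file - 2501 bytes
"""

# Every HJT finding starts with a section tag (R0, R1, O2, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "R1", "O4"
    key: str      # for R-lines the registry value name, otherwise the whole body
    value: str    # for R-lines the data after "=", otherwise ""


def parse_hjt(text: str) -> Dict[str, Entry]:
    """Return {"<section> <key>": Entry} for every finding; header, process list
    and footer lines do not match ENTRY_RE and are skipped."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section.startswith("R"):
            # Split at the first "=" only: URL data such as LinkId=54896 stays intact.
            key, _, value = body.partition("=")
        else:
            key, value = body, ""
        key = key.strip()
        entries[f"{section} {key}"] = Entry(section, key, value.strip())
    return entries


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Entries added, removed, or present in both with different data."""
    a, b = parse_hjt(before), parse_hjt(after)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k].value != b[k].value),
    }


def unexpected_search_hosts(text: str,
                            allowed_hosts: Tuple[str, ...] = ("go.microsoft.com",)
                            ) -> List[Tuple[str, str]]:
    """(registry value, host) for R0/R1 search/start pages not on the allowlist."""
    flagged = []
    for e in parse_hjt(text).values():
        if e.section not in ("R0", "R1") or not e.value:
            continue
        host = urlparse(e.value).hostname or ""
        if host not in allowed_hosts:
            flagged.append((e.key, host))
    return flagged


def report(before: str, after: str,
           allowed_hosts: Tuple[str, ...] = ("go.microsoft.com",)) -> List[str]:
    """Summary lines: what the reboot brought back and which pages look off."""
    d = diff_hjt(before, after)
    out = [f"NEW after reboot: {k}" for k in d["added"]]
    out += [f"CHANGED after reboot: {k}" for k in d["changed"]]
    out += [f"GONE after reboot: {k}" for k in d["removed"]]
    out += [f"UNEXPECTED HOST: {host or '(none)'} in {key}"
            for key, host in unexpected_search_hosts(after, allowed_hosts)]
    return out


if __name__ == "__main__":
    for line in report(LOG_AFTER_FIX, LOG_AFTER_REBOOT):
        print(line)
```

An entry that shows up under "NEW" or "CHANGED" after a restart is exactly the symptom described in this thread: something still on the machine (or a protection tool such as TeaTimer restoring the old values) is re-writing the setting, so fixing the entry in HJT alone will not hold. Pass both saved logs to `report()` instead of the constructed samples to run it on real scans.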
     
  6. 2009/09/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I assume we're both happy :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart the computer.

    4. Turn System Restore on.

    Everything OK?
     
  7. 2009/09/01
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Thanks. Temp files all cleared out.
    System Restore stopped and started.

    All sorted. No redirection happening here!

    Thanks very much Broni!! Thread can be closed.

    QK
     
  8. 2009/09/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Happy surfing :)
     
  9. 2009/09/02
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    I may have spoken too soon.

    The redirect issue just happened to my wife using this computer. I didn't see it, so I will try to replicate her search and what happened, and will post the details.

    HJT log prior to me trying to figure out what is happening.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:21:29 PM, on 2/09/2009
    Platform: Unknown Windows (WinNT 6.01.3004)
    MSIE: Internet Explorer v8.00 (8.00.7100.0000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

    --
    End of file - 2333 bytes
     
    Last edited: 2009/09/02
  10. 2009/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please do, so we have more info...

    If it happens to you, please give me an AVZ log.
     
  11. 2009/09/02
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    AVZ log link http://www.uploadmb.com/dw.php?id=1251926216

    I am having trouble (which is a good thing - I guess!) replicating the issue my wife had. I haven't seen any redirects no matter what I do. I will wait until she is up and about and ask her to try and get the issue to happen again.

    I am hoping that something else happened for my wife and it wasn't the same redirect issue as before, although she doesn't get things wrong (yes I have standing orders to say that!!!!)
     
  12. 2009/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I see absolutely nothing suspicious in AVZ log.
     
  13. 2009/09/03
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
  14. 2009/09/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\eventlog.dll
    %systemroot%\system32\scecli.dll
    %systemroot%\netlogon.dll
    %systemroot%\system32\cngaudit.dll
    %systemroot%\system32\sceclt.dll
    %systemroot%\ntelogon.dll
    %systemroot%\system32\logevent.dll


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    o When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    o Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.
     
  15. 2009/09/03
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Thanks
    OTL logfile created on: 3/09/2009 4:26:10 PM - Run 1
    OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\laptop\Desktop
    Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7100.0)
    Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 55.89% Memory free
    4.00 Gb Paging File | 2.83 Gb Available in Paging File | 70.69% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 55.89 Gb Total Space | 11.88 Gb Free Space | 21.26% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LAPTOP-PC
    Current User Name: laptop
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2007/06/01 02:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe
    PRC - [2008/12/01 20:44:12 | 00,720,896 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
    PRC - [2008/12/01 20:44:12 | 00,720,896 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
    PRC - [2009/04/22 15:19:02 | 02,607,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
    PRC - [2009/08/20 06:46:52 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
    PRC - [2009/08/30 12:56:08 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
    PRC - [2009/04/22 15:19:35 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/08/20 06:46:46 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
    PRC - [2009/08/29 18:26:32 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    PRC - [2009/08/20 06:47:00 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
    PRC - [2009/04/22 15:19:43 | 01,124,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/02/03 12:07:18 | 00,240,544 | R--- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/07/09 21:26:38 | 06,827,264 | ---- | M] (Foxit Software Company) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
    PRC - [2009/04/22 15:19:35 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/04/22 15:23:15 | 00,674,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2009/09/03 16:25:46 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe

    ========== Win32 Services (SafeList) ==========

    SRV - [2009/04/22 15:19:51 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc [On_Demand | Stopped])
    SRV - [2008/12/01 20:44:12 | 00,720,896 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe -- (Ati External Event Utility [Auto | Running])
    SRV - [2009/08/20 06:46:46 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
    SRV - [2009/04/22 15:19:54 | 00,088,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\AxInstSV.dll -- (AxInstSV [On_Demand | Stopped])
    SRV - [2009/04/22 15:19:55 | 00,076,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\bdesvc.dll -- (BDESVC [Unknown | Stopped])
    SRV - [2009/04/05 06:05:06 | 00,067,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
    SRV - [2009/04/22 15:20:13 | 00,218,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\defragsvc.dll -- (defragsvc [On_Demand | Stopped])
    SRV - [2009/04/22 15:20:14 | 00,252,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dhcpcore.dll -- (Dhcp [Auto | Running])
    SRV - [2009/04/22 15:19:00 | 00,556,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
    SRV - [2009/04/22 15:19:00 | 00,094,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
    SRV - [2009/04/22 15:22:15 | 01,086,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (eventlog [Auto | Running])
    SRV - [2009/04/22 15:20:30 | 00,797,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache [On_Demand | Stopped])
    SRV - [2009/04/05 06:04:57 | 00,043,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
    SRV - [2009/08/29 18:26:31 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate [Auto | Stopped])
    SRV - [2009/07/09 07:53:41 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener [On_Demand | Running])
    SRV - [2009/04/22 15:21:43 | 00,164,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider [On_Demand | Running])
    SRV - [2007/06/01 02:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC [Auto | Running])
    SRV - [2009/04/05 06:04:34 | 00,879,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
    SRV - [2009/04/22 15:20:42 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\irmon.dll -- (Irmon [Auto | Running])
    SRV - [2009/04/05 06:04:35 | 00,129,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
    SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
    SRV - [2009/04/22 15:21:42 | 00,269,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc [On_Demand | Running])
    SRV - [2009/04/22 15:21:40 | 01,004,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\peerdistsvc.dll -- (PeerDistSvc [On_Demand | Stopped])
    SRV - [2009/04/22 15:21:42 | 00,020,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg [On_Demand | Stopped])
    SRV - [2009/04/22 15:21:42 | 00,269,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc [On_Demand | Running])
    SRV - [2009/04/22 15:22:10 | 00,119,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\umpo.dll -- (Power [Auto | Running])
    SRV - [2009/04/22 15:21:46 | 00,043,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper [Unknown | Running])
    SRV - [2009/04/22 15:21:49 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc [On_Demand | Stopped])
    SRV - [2009/04/22 15:19:20 | 03,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe -- (sppsvc [Auto | Stopped])
    SRV - [2009/04/22 15:22:02 | 00,053,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify [On_Demand | Stopped])
    SRV - [2009/04/22 15:22:07 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\themeservice.dll -- (Themes [Auto | Running])
    SRV - [2009/04/22 15:22:12 | 00,151,040 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc [On_Demand | Stopped])
    SRV - [2009/04/22 15:20:52 | 00,680,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
    SRV - [2009/04/22 15:19:43 | 01,124,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])
    SRV - [2009/04/22 15:22:25 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wwansvc.dll -- (WwanSvc [On_Demand | Stopped])

    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B7 AD 06 E8 B6 FF C9 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/22 18:55:53 | 00,000,000 | ---D | M]


    O1 HOSTS File: (824 bytes) - C:\Windows\System32\drivers\etc\Hosts
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
    O13 - gopher Prefix: missing
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
    O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
    O31 - SafeBoot: AlternateShell - cmd.exe
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/03/21 01:42:25 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{3fcc54a7-85f4-11de-aec3-001641e600b9}\Shell - " " = AutoRun
    O33 - MountPoints2\{3fcc54a7-85f4-11de-aec3-001641e600b9}\Shell\AutoRun\command - " " = E:\SETUP.EXE -- File not found
    O33 - MountPoints2\{3fcc54a7-85f4-11de-aec3-001641e600b9}\Shell\configure\command - " " = E:\SETUP.EXE -- File not found
    O33 - MountPoints2\{3fcc54a7-85f4-11de-aec3-001641e600b9}\Shell\install\command - " " = E:\SETUP.EXE -- File not found
    O34 - HKLM BootExecute: (autocheck) - File not found
    O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
    O34 - HKLM BootExecute: (*) - File not found

    NetSvcs: FastUserSwitchingCompatibility - Service key not found. File not found
    NetSvcs: Ias - Service key not found. File not found
    NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
    NetSvcs: Nla - Service key not found. File not found
    NetSvcs: Ntmssvc - Service key not found. File not found
    NetSvcs: NWCWorkstation - Service key not found. File not found
    NetSvcs: Nwsapagent - Service key not found. File not found
    NetSvcs: SRService - Service key not found. File not found
    NetSvcs: Wmi - Service key not found. File not found
    NetSvcs: WmdmPmSp - Service key not found. File not found
    NetSvcs: LogonHours - Service key not found. File not found
    NetSvcs: PCAudit - Service key not found. File not found
    NetSvcs: helpsvc - Service key not found. File not found
    NetSvcs: uploadmgr - Service key not found. File not found
    NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
    NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)

    ========== Files/Folders - Created Within 14 Days ==========

    [2009/09/03 16:25:32 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe
    [2009/09/03 07:11:58 | 00,000,000 | ---D | C] -- C:\Users\laptop\Desktop\avz4
    [2009/09/03 07:11:34 | 05,125,238 | ---- | C] () -- C:\Users\laptop\Desktop\avz4.zip
    [2009/09/02 19:44:11 | 00,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\WMTools Downloaded Files
    [2009/09/02 14:09:52 | 00,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
    [2009/09/02 14:02:10 | 01,144,703 | -H-- | C] () -- C:\Users\laptop\AppData\Local\IconCache.db
    [2009/09/02 13:19:21 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2009/09/02 13:19:21 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2009/09/02 13:00:20 | 00,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\Mozilla
    [2009/09/02 12:53:23 | 00,000,000 | ---- | C] () -- C:\Windows\System32\settings.dat
    [2009/08/31 07:34:36 | 00,000,000 | ---D | C] -- C:\Users\laptop\AppData\Roaming\Malwarebytes
    [2009/08/31 07:34:29 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2009/08/31 06:48:47 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2009/08/30 15:23:21 | 00,002,043 | ---- | C] () -- C:\Users\laptop\Desktop\HijackThis.lnk
    [2009/08/30 15:23:20 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2009/08/30 15:13:34 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2009/08/30 12:56:03 | 00,000,000 | ---D | C] -- C:\Program Files\Java
    [2009/08/29 20:15:38 | 00,001,340 | ---- | C] () -- C:\Users\laptop\Desktop\Thomas the Tank Engine and Friends Season 7 - Shortcut.lnk
    [2009/08/29 18:29:44 | 00,002,145 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [2009/08/29 18:26:58 | 00,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2009/08/29 18:26:56 | 00,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2009/08/29 18:26:46 | 00,000,000 | ---D | C] -- C:\Program Files\Google
    [2009/08/29 18:26:33 | 00,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\Google
    [2009/08/26 20:14:52 | 00,000,472 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
    [2009/08/26 20:10:05 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
    [2009/08/24 14:36:30 | 00,001,113 | ---- | C] () -- C:\Users\Public\Desktop\CastleLink V3.161.lnk
    [2009/08/24 14:36:26 | 00,000,000 | ---D | C] -- C:\Program Files\Castle Creations

    ========== Files - Modified Within 14 Days ==========

    [2009/09/03 16:31:00 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2009/09/03 16:25:46 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe
    [2009/09/03 16:21:37 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2009/09/03 08:38:25 | 40,565,323 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
    [2009/09/03 08:38:25 | 00,076,683 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
    [2009/09/03 07:11:37 | 05,125,238 | ---- | M] () -- C:\Users\laptop\Desktop\avz4.zip
    [2009/09/02 20:20:44 | 00,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
    [2009/09/02 18:31:00 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2009/09/02 14:50:55 | 00,013,392 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2009/09/02 14:50:55 | 00,013,392 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2009/09/02 14:43:18 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2009/09/02 14:42:40 | 16,094,24896 | -HS- | M] () -- C:\hiberfil.sys
    [2009/09/02 14:20:42 | 01,144,703 | -H-- | M] () -- C:\Users\laptop\AppData\Local\IconCache.db
    [2009/09/02 12:53:23 | 00,000,000 | ---- | M] () -- C:\Windows\System32\settings.dat
    [2009/08/30 15:23:21 | 00,002,043 | ---- | M] () -- C:\Users\laptop\Desktop\HijackThis.lnk
    [2009/08/29 20:15:38 | 00,001,340 | ---- | M] () -- C:\Users\laptop\Desktop\Thomas the Tank Engine and Friends Season 7 - Shortcut.lnk
    [2009/08/29 18:29:44 | 00,002,145 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [2009/08/24 14:36:30 | 00,001,113 | ---- | M] () -- C:\Users\Public\Desktop\CastleLink V3.161.lnk

    ========== LOP Check ==========

    [2009/09/02 14:10:08 | 00,000,000 | ---D | M] -- C:\Users\laptop\AppData\Roaming
    [2009/07/09 21:26:47 | 00,000,000 | ---D | M] -- C:\Users\laptop\AppData\Roaming\Foxit
    [2009/04/22 20:24:12 | 00,000,000 | ---D | M] -- C:\Users\laptop\AppData\Roaming\Media Center Programs
    [2009/08/30 15:24:56 | 00,000,000 | ---D | M] -- C:\Users\laptop\AppData\Roaming\uTorrent
    [2009/09/02 20:20:44 | 00,000,472 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
    [2009/09/02 18:31:00 | 00,000,882 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    [2009/09/03 16:31:00 | 00,000,886 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    [2009/09/02 14:43:18 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
    [2009/04/22 18:27:21 | 00,007,780 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >

    < %systemroot%\system32\eventlog.dll >

    < %systemroot%\system32\scecli.dll >
    [2009/04/22 15:21:47 | 00,175,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\scecli.dll

    < %systemroot%\netlogon.dll >

    < %systemroot%\system32\cngaudit.dll >
    [2009/04/22 15:20:04 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\cngaudit.dll

    < %systemroot%\system32\sceclt.dll >

    < %systemroot%\ntelogon.dll >

    < %systemroot%\system32\logevent.dll >
    < End of report >
     
  16. 2009/09/03 quirkymac (Inactive Thread Starter)
    OTL Extras logfile created on: 3/09/2009 4:26:10 PM - Run 1
    OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\laptop\Desktop
    Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7100.0)
    Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 55.89% Memory free
    4.00 Gb Paging File | 2.83 Gb Available in Paging File | 70.69% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 55.89 Gb Total Space | 11.88 Gb Free Space | 21.26% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: LAPTOP-PC
    Current User Name: laptop
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7D93C54E-127C-4E44-AF58-146B34750321}" = Castle Link
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{919F3D91-8374-410F-932B-A126F2C85426}" = e-tax 2009
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{B3DAF54F-DB25-4586-9EF1-96D24BB14088}" = Windows Movie Maker 2.6
    "{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
    "{E7310F2E-C551-4FAB-BA07-EAC2E158B1BB}" = IKEA Home Planner
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "AVG8Uninstall" = AVG Free 8.5
    "Foxit Reader" = Foxit Reader
    "HijackThis" = HijackThis 2.0.2
    "Power Management Driver" = ThinkPad Power Management Driver

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 26/08/2009 7:15:44 AM | Computer Name = laptop-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: FOXITR~1.EXE, version: 3.0.2009.1817, time
    stamp: 0x4a38a751 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00308397 Faulting process id: 0x26c Faulting application
    start time: 0x01ca263dd901bf20 Faulting application path: C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
    Faulting
    module path: unknown Report Id: cb891843-9231-11de-b200-001641e600b9

    Error - 30/08/2009 1:16:02 AM | Computer Name = laptop-PC | Source = EventSystem | ID = 4621
    Description =

    Error - 30/08/2009 1:16:46 AM | Computer Name = laptop-PC | Source = VSS | ID = 13
    Description =

    Error - 30/08/2009 1:16:46 AM | Computer Name = laptop-PC | Source = VSS | ID = 8193
    Description =

    Error - 30/08/2009 1:16:46 AM | Computer Name = laptop-PC | Source = VSS | ID = 13
    Description =

    Error - 30/08/2009 1:16:46 AM | Computer Name = laptop-PC | Source = VSS | ID = 8193
    Description =

    Error - 30/08/2009 4:58:19 PM | Computer Name = laptop-PC | Source = EventSystem | ID = 4621
    Description =

    Error - 31/08/2009 4:45:33 PM | Computer Name = laptop-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 8.0.7100.0, time
    stamp: 0x49ee9200 Faulting module name: ntdll.dll, version: 6.1.7100.0, time stamp:
    0x49eea66e Exception code: 0xc0000005 Fault offset: 0x0006876f Faulting process id:
    0xd64 Faulting application start time: 0x01ca2a10149f6615 Faulting application path:
    C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 39e9a6e6-966f-11de-868b-001641e600b9

    Error - 2/09/2009 12:02:19 AM | Computer Name = laptop-PC | Source = EventSystem | ID = 4621
    Description =

    Error - 2/09/2009 12:11:03 AM | Computer Name = laptop-PC | Source = EventSystem | ID = 4621
    Description =

    [ Media Center Events ]
    Error - 20/08/2009 6:49:09 AM | Computer Name = laptop-PC | Source = MCUpdate | ID = 0
    Description = 8:49:09 PM - Error connecting to the internet. 8:49:09 PM - Unable
    to contact server..

    Error - 20/08/2009 6:49:38 AM | Computer Name = laptop-PC | Source = MCUpdate | ID = 0
    Description = 8:49:31 PM - Error connecting to the internet. 8:49:31 PM - Unable
    to contact server..

    [ System Events ]
    Error - 1/09/2009 2:07:07 AM | Computer Name = laptop-PC | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetBT_Tcpip_{907C89CE-A577-4A0A-89CD-6C7EB6056CA8}
    because another computer on the network has the same name. The server could not
    start.

    Error - 1/09/2009 4:45:38 PM | Computer Name = laptop-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Wlansvc service.

    Error - 2/09/2009 12:40:46 AM | Computer Name = laptop-PC | Source = Service Control Manager | ID = 7034
    Description = The ThinkPad PM Service service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 2/09/2009 12:40:46 AM | Computer Name = laptop-PC | Source = Service Control Manager | ID = 7034
    Description = The Ati External Event Utility service terminated unexpectedly. It
    has done this 1 time(s).

    Error - 2/09/2009 12:40:46 AM | Computer Name = laptop-PC | Source = Service Control Manager | ID = 7031
    Description = The AVG Free8 WatchDog service terminated unexpectedly. It has done
    this 1 time(s). The following corrective action will be taken in 0 milliseconds:
    Restart the service.

    Error - 2/09/2009 12:40:46 AM | Computer Name = laptop-PC | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 2/09/2009 12:44:52 AM | Computer Name = laptop-PC | Source = WMPNetworkSvc | ID = 866300
    Description =

    Error - 2/09/2009 7:03:56 AM | Computer Name = laptop-PC | Source = volsnap | ID = 393252
    Description = The shadow copies of volume C: were aborted because the shadow copy
    storage could not grow due to a user imposed limit.

    Error - 2/09/2009 5:16:38 PM | Computer Name = laptop-PC | Source = DCOM | ID = 10016
    Description =

    Error - 2/09/2009 5:16:38 PM | Computer Name = laptop-PC | Source = DCOM | ID = 10016
    Description =


    < End of report >
     
  17. 2009/09/03 broni (Moderator, Malware Analyst)
    I see nothing here, either.

    Try this...
    Close IE.
    Go Start>All Programs>Accessories>System Tools, and click on Internet Explorer (no add-ons).
    Try to recreate the issue.
     
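    Added example, not part of the thread and not a tool any poster used. The "no add-ons" test above works by starting IE with every BHO and toolbar disabled (the Start menu shortcut runs iexplore.exe with -extoff), so if the redirect disappears in that mode the culprit is one of those add-ons. This script lists them from the standard BHO and toolbar registry locations so the test can be read against a concrete list. The registry paths are the documented ones; the 'Flags' heuristics (DLL missing, or not Authenticode-signed) are this example's own choice, not something the thread prescribes.

```powershell
# Added example, not part of the thread or any poster's tool.
# Lists the IE add-ons that "Internet Explorer (no add-ons)" (iexplore.exe -extoff)
# leaves disabled, so the add-on test can be read against a concrete list of suspects.
# Registry paths are the standard BHO/toolbar locations; the 'Flags' heuristics
# (DLL missing, or not Authenticode-signed) are this example's own.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

function Get-ComServerInfo {
    # Resolve a CLSID to its registered name and in-process DLL via HKCR.
    param([string]$Clsid)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll }
}

function Test-AddOn {
    # Build one report row for a registered add-on CLSID.
    param([string]$Kind, [string]$Clsid, [string]$Source)
    $info   = Get-ComServerInfo $Clsid
    $exists = [bool]($info.Dll -and (Test-Path -LiteralPath $info.Dll))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $info.Dll).Status } else { 'n/a' }
    $flags  = @()
    if (-not $info.Dll)       { $flags += 'no-InprocServer32' }
    elseif (-not $exists)     { $flags += 'dll-missing' }
    elseif ($sig -ne 'Valid') { $flags += "sig-$sig" }
    [pscustomobject]@{
        Kind = $Kind; Name = $info.Name; Clsid = $Clsid; Dll = $info.Dll
        Signature = $sig; Source = $Source; Flags = ($flags -join ',')
    }
}

$addOns = @()
foreach ($k in $bhoKeys) {
    if (Test-Path $k) {
        # BHOs are registered as one subkey per CLSID.
        foreach ($sub in Get-ChildItem $k) { $addOns += Test-AddOn 'BHO' $sub.PSChildName $k }
    }
}
if (Test-Path $toolbarKey) {
    # Toolbar registrations are value names shaped like {GUID}, not subkeys.
    $props = Get-ItemProperty -Path $toolbarKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^\{[0-9A-Fa-f-]{36}\}$') { $addOns += Test-AddOn 'Toolbar' $p.Name $toolbarKey }
    }
}

$addOns | Sort-Object Flags -Descending | Format-Table Kind, Name, Dll, Signature, Flags -AutoSize

# To reproduce the "no add-ons" test from a prompt instead of the Start menu:
#   & "$env:ProgramFiles\Internet Explorer\iexplore.exe" -extoff
```

    Run it from an elevated PowerShell on the affected machine. A flagged row is a lead, not a verdict: plenty of legitimate third-party BHOs ship unsigned, and the signature check reads embedded signatures only, so treat 'sig-NotSigned' as weaker evidence than 'dll-missing'. On a 64-bit Windows the 32-bit IE reads the same keys under Wow6432Node as well.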
  18. 2009/09/03 quirkymac (Inactive Thread Starter)
    Ok, I have just run quite a number of searches using the no add-ons IE and I cannot replicate the issue.

    Will keep trying and will put SWMBO onto the case shortly and will post the results.


    Thanks
    QK

    I left Kaspersky online scanner running last night and it came up with this
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, September 4, 2009
    Operating system: Microsoft Professional (build 7100)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, September 03, 2009 12:46:36
    Records in database: 2742384
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 90956
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 04:27:31


    File name / Threat / Threats count
    C:\Windows.old.000\Users\laptop\AppData\Local\Temp\tmp825E.tmp Infected: Packed.Win32.Tdss.w 1

    Selected area has been scanned.
     
  19. 2009/09/03 quirkymac (Inactive Thread Starter)
    Hmmm, don't get too excited by the no add-ons thing. I just closed all IE windows and went back into IE normally and can't replicate it this morning either.

    It was happening last night before the scan and I haven't done or changed anything apart from running the online scan.
    QK
     
  20. 2009/09/03 broni (Moderator, Malware Analyst)
    Re-run TFC, and keep me posted.
     
  21. 2009/09/03 broni (Moderator, Malware Analyst)
    Also, open Device Manager, go View>Show hidden devices, expand the "Non plug and play" section (should be expanded by default), and see if you have anything resembling the TDSS name.
     
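    Added example, not part of the thread and not a tool any poster used. The Device Manager step above works because the "Non-Plug and Play Drivers" list is built from the legacy driver services in the registry (Type 1 kernel drivers and Type 2 file-system drivers under HKLM\SYSTEM\CurrentControlSet\Services), and the TDSS rootkit family registers itself as one of them. This script walks that hive from PowerShell, which is quicker to read than scrolling Device Manager and also shows whether each driver's image file is actually present on disk. The 'TDSS' match is the one the post asks for; the other heuristics, the column names and the helper names are this example's own assumptions.

```powershell
# Added example, not part of the thread or any poster's tool.
# Does from PowerShell what the Device Manager step asks for: enumerate the legacy
# (non-Plug and Play) kernel and file-system drivers, which live as Type 1/2 entries
# under the Services hive, and flag the ones worth a look. The 'TDSS' pattern is the
# one named in the post; the other heuristics and column names are this example's own.

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ImagePath {
    # Normalise the forms ImagePath takes in the registry into a plain file path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\x  -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"              # \SystemRoot\x
    $p = [Environment]::ExpandEnvironmentVariables($p)                  # %SystemRoot%\x
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x
    return $p
}

$report = foreach ($key in Get-ChildItem $svcRoot) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }        # 1 = kernel, 2 = file-system driver

    $path   = Resolve-ImagePath $props.ImagePath
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    $flags = @()
    if ($key.PSChildName -match 'TDSS' -or "$($props.ImagePath)" -match 'TDSS') { $flags += 'name-matches-TDSS' }
    if (-not $exists)               { $flags += 'image-missing-or-hidden' }
    if ($sig -eq 'HashMismatch')    { $flags += 'image-modified' }

    $start = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }
    [pscustomobject]@{
        Service   = $key.PSChildName
        Start     = $start
        ImagePath = $props.ImagePath
        OnDisk    = $exists
        Signature = $sig
        Flags     = ($flags -join ',')
    }
}

# Flagged entries first. A rootkit hiding its driver file and a stale registration
# left by an uninstalled product both show as 'image-missing-or-hidden'; the
# difference is whether the service is actually running (sc query <name>).
$report | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Service |
    Format-Table Service, Start, OnDisk, Signature, Flags, ImagePath -AutoSize
```

    Run it elevated. Two caveats a practitioner should keep in mind: the 'Signature' column only reads embedded Authenticode signatures, so on a Windows 7-era PowerShell the catalog-signed Microsoft drivers report NotSigned and that status on its own means nothing; and a rootkit that hooks the registry can hide its own service key from this enumeration just as it hides it from Device Manager, which is why an offline scan of the drive (as in the Kaspersky result earlier in the thread, which found the sample only in the old Windows.old.000 tree) remains the stronger check.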
