onepiolin
asked on
Search engine redirect?
One of my users has been having a weird issue. Any search request that you plug into google, yahoo, or msn, brings back crap. Like for example, a search for "microsoft" will bring up "Microsoft Download Center
Visit the Download Center to find the latest product updates from Microsoft in dozens of languages.
www.deal-land.com - 45k - Cached - Similar pages" and so on and so forth. The issue is not only with IE, but also with Firefox.
I've run Spybot, CA AV, Ad Aware, fixwareout, hijackthis with no solutions. Hijackthis shows no questionable entries, and I've put the log below. DNS is pointing to the right server, the hosts file is clean, no proxy is being used.
I don't know what else to look for.
Any help is appreciated.
>>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:17 AM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Timberline Office\Accounting\TS.exe
C:\Program Files\Timberline Office\Accounting\tstasks.exe
C:\Program Files\Timberline Office\Accounting\IA.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4-Day Forecast] "C:\Program Files\4-Day Forecast\4-Day Forecast\4-Day Forecast.exe" /Startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: ScanSnap Manager.lnk = C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rammingpaving.com
O17 - HKLM\Software\..\Telephony: DomainName = rammingpaving.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rammingpaving.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rammingpaving.com
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 11606 bytes
Fixwareout might work, but the link above is bad. Try downloading it from here:
http://files.filefront.com/Fixwareoutexe/;9892936;/fileinfo.html
TK
ASKER
I ran fixwareout before I posted.
No luck.
onepiolin, Malwarebytes' Anti-Malware program should fix the problem.
ASKER
No luck with malwarebyte's program either.
Below is the log. I have also attached a screen cap.
Oh, and I did a System Restore to last week, when it was supposedly working right. no luck with that either.
>>>
Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 3
1/28/2009 9:45:38 PM
mbam-log-2009-01-28 (21-45-38).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 155762
Time elapsed: 59 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
<<<
ScreenCap.JPG
Have you tried ComboFix?
Instructions:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Download:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
TK
ASKER CERTIFIED SOLUTION
ASKER
You are a *GENIUS*!
Thank you so much.
The bad file was wdmaud.sys. In the registry key:
HKLM\software\microsoft\windows nt\currentversion\drivers32
it was entered in the "aux2" spot.
Yes, it also changes the value of "aux" to wdmaud.sys instead of the default "wdmaud.drv", and in your case it changes the value of "aux2" to "wdmaud.sys". If you lose audio, just change the value to "wdmaud.drv".
Thanks for points and the grade!
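The mechanism behind the fix above is worth spelling out, because it explains why the redirect hit IE and Firefox alike and why nothing in the HijackThis log pointed at it: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 maps multimedia aliases (wave, midi, aux, mixer, msacm.*, vidc.*) to user-mode modules that winmm.dll loads into any process that touches the multimedia API, browsers included, so an extra "aux"/"aux2" entry is a process-wide injection point that ordinary startup-key scanners do not list. The script below is an added example written for this page, not code from the thread or its participants. It audits that key the way a responder would after reading this thread: it assumes stock XP SP3 defaults for the classic aliases (wdmaud.drv for wave/midi/aux/mixer, msacm32.drv and midimap.dll for the mappers), treats a .sys name or an explicit path as suspicious (a heuristic, not something the thread states), and ships with a constructed sample dictionary that mirrors the infected state reported here so it runs offline; on a Windows box it reads the live key instead.

```python
"""Audit the Drivers32 key for the wdmaud.sys hijack described in this thread.

HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32 maps multimedia
aliases (wave, midi, aux, mixer, msacm.*, vidc.*) to user-mode modules that
winmm.dll loads into any process using the multimedia API, so one rogue entry
rides into every browser on the machine regardless of vendor.
"""
import re

# Stock XP SP3 targets for the classic aliases (assumption: a clean install).
EXPECTED_DEFAULTS = {
    "wave": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "aux": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
}

# Alias families winmm understands (assumed list); anything else gets a look.
KNOWN_ALIAS_RE = re.compile(
    r"^(wave|midi|aux|mixer)\d*$|^(msacm|vidc)\.|^(wavemapper|midimapper|msvideo\d*)$",
    re.IGNORECASE,
)


def audit_drivers32(values):
    """Return [(value_name, data, reason)] for every suspicious Drivers32 entry.

    `values` is {value_name: data} as read from the key. The checks are pure,
    so they work on an exported .reg file or a remote host as well as live.
    """
    findings = []
    for name, data in values.items():
        lname = name.lower()
        target = data.strip().strip('"')
        basename = re.split(r"[\\/]", target)[-1].lower()
        if lname in EXPECTED_DEFAULTS and basename != EXPECTED_DEFAULTS[lname]:
            findings.append((name, data, f"expected {EXPECTED_DEFAULTS[lname]}"))
        elif basename.endswith(".sys"):
            # Drivers32 entries are user-mode DLLs; a .sys name is camouflage.
            findings.append((name, data, "kernel-driver extension on a user-mode entry"))
        elif basename != target.lower():
            # Stock entries are bare filenames resolved from System32 (heuristic).
            findings.append((name, data, "explicit path instead of a System32 filename"))
        elif not KNOWN_ALIAS_RE.match(lname):
            findings.append((name, data, "alias outside the known multimedia families"))
    return findings


def read_drivers32_live():
    """Read the live key on Windows; return {} on any other platform."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            values[name] = str(data)
            index += 1
    return values


# Constructed sample mirroring the infected state reported in the thread
# (aux and aux2 pointing at wdmaud.sys); not a real registry export.
SAMPLE_INFECTED = {
    "wave": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "aux": "wdmaud.sys",
    "aux2": "wdmaud.sys",
    "mixer": "wdmaud.drv",
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
    "msacm.imaadpcm": "imaadp32.acm",
    "vidc.cvid": "iccvid.dll",
}

if __name__ == "__main__":
    live = read_drivers32_live()
    for name, data, reason in audit_drivers32(live or SAMPLE_INFECTED):
        print(f"{name:<16} = {data:<40} [{reason}]")
```

On the sample the audit reports exactly the two entries the asker found, "aux" because it no longer points at wdmaud.drv and "aux2" because a .sys name has no business in a user-mode driver table. Resetting the values is the fix the reply above describes; the module the entries pointed at should still be located and removed, since nothing here touches the file itself.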
ASKER
you're welcome.
I wonder why any of the malware software doesn't pick it up...?
... and why a system restore didn't work either? I thought it was supposed to revert the registry to an older date.
You may have a Wareout infection. Run FixWareout
http://downloads.subratam.org/Fixwareout.exe
If no joy, run Malwarebytes
http://www.malwarebytes.org/
Hope this helps!
war1