Everything posted by arnolfini
-
Okay here you go:

Diagnostic Report (1.9.0019.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Cached Validation Code: 0xc004c4a2
Windows Product Key: *****-*****-8PV4W-QC2CG-CWDJ8
Windows Product Key Hash: awk4+/xFereIY2RtwgZRDoFk6jU=
Windows Product ID: 00426-069-0413596-86563
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {6B02F90B-6493-409D-9156-7467965F82A9}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130104-1431
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6B02F90B-6493-409D-9156-7467965F82A9}</UGUID><Version>1.9.0019.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-CWDJ8</PKey><PID>00426-069-0413596-86563</PID><PIDType>5</PIDType><SID>S-1-5-21-1368498391-2565348536-346576405</SID><SYSTEM><Manufacturer>Apple Inc.</Manufacturer><Model>Macmini2,1</Model></SYSTEM><BIOS><Manufacturer>Apple Inc.</Manufacturer><Version> MM21.88Z.009A.B00.0706281359</Version><SMBIOSVersion major="2" minor="4"/><Date>20070628000000.000000+000</Date></BIOS><HWID>60523707018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows® 7, Ultimate edition
Description: Windows Operating System - Windows® 7, RETAIL channel
Activation ID: a0cde89c-3304-4157-b61c-c8ad785d1fad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00172-069-041359-00-1033-7601.0000-2302012
Installation ID: 011875749025484335367931046391248340321895732964253541
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: CWDJ8
License Status: Notification
Notification Reason: 0xC004F200 (non-genuine).
Remaining Windows rearm count: 3
Trusted time: 2/26/2013 11:11:32 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0xC004C4A2
HealthStatus: PASS
Event Time Stamp: 2:15:2013 18:49
WAT Activex: Registered
WAT Admin Service: Registered

HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAABAAAAAwABAAEAeqgokcUx6KHqTkjk3Hccgj6pcLxTJpKHZr4qhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC APPLE Apple00
FACP APPLE Apple00
HPET APPLE Apple00
MCFG APPLE Apple00
ASF! APPLE Apple00
SBST APPLE Apple00
ECDT APPLE Apple00
SSDT APPLE SataPri
SSDT APPLE SataPri
SSDT APPLE SataPri
-
I still have the notification saying this copy of Windows is not genuine, even though it is. Here's the Adw log:

# AdwCleaner v2.113 - Logfile created 02/26/2013 at 22:21:03
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : michael - MA
# Boot Mode : Normal
# Running from : C:\Users\michael\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\Ask.com
Folder Found : C:\ProgramData\Ask
Folder Found : C:\Users\michael\AppData\Local\APN
Folder Found : C:\Users\michael\AppData\LocalLow\AskToolbar
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2049 octets] - [26/02/2013 22:21:03]

########## EOF - C:\AdwCleaner[R1].txt - [2109 octets] ##########
-
Okay, thanks. Here is the log from ComboFix.

ComboFix 13-02-26.01 - michael 02/26/2013 21:26:46.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3040.1799 [GMT -5:00]
Running from: c:\users\michael\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-01-27 to 2013-02-27 )))))))))))))))))))))))))))))))
.
.
2013-02-27 02:29 . 2013-02-27 02:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-02-27 02:29 . 2013-02-27 02:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-27 00:28 . 2013-02-27 00:28 208216 ----a-w- c:\windows\system32\drivers\88423626.sys
2013-02-27 00:23 . 2013-02-27 00:24 -------- d---a-w- C:\.fseventsd
2013-02-26 19:10 . 2013-02-26 19:10 208216 ----a-w- c:\windows\system32\drivers\49430623.sys
2013-02-26 18:02 . 2013-02-26 18:02 -------- d-----w- c:\program files (x86)\trend micro
2013-02-26 18:02 . 2013-02-26 18:02 -------- d-----w- C:\rsit
2013-02-23 01:13 . 2013-02-23 01:20 -------- d-----w- c:\programdata\70BA8775C6C6A90A000070BA16BFAD07
2013-02-23 01:12 . 2013-02-23 01:12 68608 ---ha-w- c:\windows\system32\mcbutray64.dll
2013-02-23 01:12 . 2013-02-23 01:12 60928 ---ha-w- c:\windows\SysWow64\mcbutray.dll
2013-02-22 23:15 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D5571092-58B8-4EDD-965D-E6F4BE007CEE}\mpengine.dll
2013-02-21 22:45 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-13 16:13 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 16:13 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 14:37 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 14:37 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 14:37 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 14:37 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 14:37 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 14:37 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-02-13 14:37 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-02-13 14:37 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-02-13 14:37 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-02-13 14:37 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-02-13 14:37 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 14:37 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-05 13:50 . 2013-02-27 00:41 -------- d---a-w- C:\mbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-26 20:44 . 2012-08-19 01:31 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-26 20:44 . 2012-08-19 01:31 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-13 16:16 . 2012-08-20 17:26 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-01-30 10:53 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-13 14:37 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 21:03 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 21:03 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 21:03 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 21:03 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 21:49 . 2013-01-08 23:42 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-07 13:20 . 2013-01-09 14:41 441856 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 14:41 2746368 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 14:41 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 14:41 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 14:41 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 14:41 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 14:41 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 14:41 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 14:41 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 14:41 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 14:41 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 14:41 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 14:41 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 14:41 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 14:41 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 14:41 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 14:41 55296 ----a-w- c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 14:41 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 14:41 43520 ----a-w- c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 14:41 30720 ----a-w- c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 14:41 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 14:41 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 14:41 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 14:41 23552 ----a-w- c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 14:41 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 14:41 46592 ----a-w- c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 14:41 20480 ----a-w- c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 14:41 21504 ----a-w- c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 14:41 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 14:41 15360 ----a-w- c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 14:41 55296 ----a-w- c:\windows\SysWow64\cero.rs
2012-12-07 10:46 . 2013-01-09 14:41 51712 ----a-w- c:\windows\SysWow64\esrb.rs
2012-11-30 05:45 . 2013-01-09 14:41 362496 ----a-w- c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 14:41 243200 ----a-w- c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 14:41 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2012-11-30 05:43 . 2013-01-09 14:41 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 14:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 14:41 1161216 ----a-w- c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 14:41 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:53 . 2013-01-09 14:41 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 14:41 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:41 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\mbar\mbar.exe" [2013-02-05 1363528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 VMTools;VMware Tools;c:\program files\VMware\VMware Tools\vmtoolsd.exe [2012-05-27 72856]
R3 BthKicker;Apple Bluetooth Device Driver;c:\windows\system32\DRIVERS\BthKicker.sys [2011-03-25 8704]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.313\McCHSvc.exe [2012-10-26 234776]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2012-05-01 509776]
R3 TPVCGateway;TP VC Gateway Service;c:\program files\VMware\VMware Tools\TPVCGateway.exe [2012-05-01 566096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vm3dmp;vm3dmp;c:\windows\system32\DRIVERS\vm3dmp.sys [2012-05-27 138352]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2012-05-27 13872]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-18 1255736]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2012-05-27 116336]
S1 vmhgfs;vmhgfs;c:\windows\system32\DRIVERS\vmhgfs.sys [2012-05-27 123544]
S1 vmrawdsk;VMware Vista Physical Disk Helper;c:\program files\VMware\VMware Tools\vmrawdsk.sys [2012-05-27 45720]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2011-06-29 224640]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2011-06-29 111488]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2011-06-29 17752]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2011-06-29 22872]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 VMMEMCTL;Memory Control Driver;c:\program files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [2012-05-27 17560]
S3 AppleODD;Apple ODD;c:\windows\system32\DRIVERS\AppleODD.sys [2011-03-25 8704]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2011-03-25 18432]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2011-05-27 32256]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 21653169
*Deregistered* - 21653169
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 02:49 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 20:44]
.
2013-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-19 01:31]
.
2013-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-19 01:31]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-06-29 741760]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: office.com
TCP: DhcpNameServer = 74.5.116.246 205.244.194.36
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-70867656.sys
SafeBoot-79896188.sys
SafeBoot-86964407.sys
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-26 21:30:59
ComboFix-quarantined-files.txt 2013-02-27 02:30
.
Pre-Run: 3,800,313,856 bytes free
Post-Run: 3,691,372,544 bytes free
.
- - End Of File - - 540FAD46004DC96EB831F452970318C1
-
Thank you, Mr. C; it worked and below are the logs.

Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.26.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
michael :: MA [administrator]

2/26/2013 7:34:34 PM
mbar-log-2013-02-26 (19-34-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 6651
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
c:\$Recycle.Bin\S-1-5-18\$70e337c9b65d51131f5e0a88757fd297 (Trojan.Siredef.C) -> Delete on reboot.
c:\$Recycle.Bin\S-1-5-21-1368498391-2565348536-346576405-1001\$70e337c9b65d51131f5e0a88757fd297 (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 2.333000 GHz
Memory total: 3187994624, free: 2077683712

------------ Kernel report ------------
02/26/2013 19:29:22
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\System32\DRIVERS\intelide.sys
\SystemRoot\System32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\DRIVERS\vmci.sys
\SystemRoot\System32\Drivers\AppleMNT.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\AppleHFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\vmhgfs.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\SCDEmu.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys \SystemRoot\system32\DRIVERS\yk62x64.sys \SystemRoot\system32\DRIVERS\athrx.sys \SystemRoot\system32\DRIVERS\vwifibus.sys \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\1394ohci.sys \SystemRoot\system32\DRIVERS\CompositeBus.sys \SystemRoot\system32\DRIVERS\AgileVpn.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\rassstp.sys \SystemRoot\system32\DRIVERS\rdpbus.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\ks.sys \SystemRoot\system32\DRIVERS\umbus.sys \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\stwrt64.sys \SystemRoot\system32\DRIVERS\portcls.sys \SystemRoot\system32\DRIVERS\drmk.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\Drivers\dump_dumpata.sys \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\system32\DRIVERS\monitor.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\system32\DRIVERS\AppleODD.sys \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\usbccgp.sys \SystemRoot\system32\DRIVERS\KeyMagic.sys \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS 
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\kbdhid.sys \SystemRoot\system32\DRIVERS\IRFilter.sys \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\BTHUSB.sys \SystemRoot\System32\Drivers\bthport.sys \SystemRoot\system32\DRIVERS\rfcomm.sys \SystemRoot\system32\DRIVERS\BthEnum.sys \SystemRoot\system32\DRIVERS\bthpan.sys \??\C:\Windows\system32\drivers\mbam.sys \SystemRoot\system32\DRIVERS\lltdio.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\System32\DRIVERS\srv.sys \??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys \??\C:\Windows\system32\drivers\KeyAgent.sys \??\C:\Windows\system32\drivers\MacHALDriver.sys \SystemRoot\system32\DRIVERS\NisDrvWFP.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\Drivers\secdrv.SYS \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\system32\drivers\spsys.sys \??\C:\Windows\system32\drivers\mbamchameleon.sys \??\C:\Windows\system32\drivers\mbamswissarmy.sys \Windows\System32\ntdll.dll \Windows\System32\smss.exe \Windows\System32\apisetschema.dll \Windows\System32\autochk.exe \Windows\System32\psapi.dll \Windows\System32\iertutil.dll \Windows\System32\kernel32.dll \Windows\System32\imm32.dll \Windows\System32\msvcrt.dll \Windows\System32\wininet.dll \Windows\System32\setupapi.dll \Windows\System32\usp10.dll \Windows\System32\Wldap32.dll \Windows\System32\clbcatq.dll \Windows\System32\msctf.dll \Windows\System32\user32.dll \Windows\System32\gdi32.dll \Windows\System32\difxapi.dll \Windows\System32\shlwapi.dll \Windows\System32\imagehlp.dll 
\Windows\System32\oleaut32.dll \Windows\System32\ws2_32.dll \Windows\System32\sechost.dll \Windows\System32\shell32.dll \Windows\System32\ole32.dll \Windows\System32\advapi32.dll \Windows\System32\nsi.dll \Windows\System32\lpk.dll \Windows\System32\comdlg32.dll \Windows\System32\urlmon.dll \Windows\System32\rpcrt4.dll \Windows\System32\normaliz.dll \Windows\System32\devobj.dll \Windows\System32\crypt32.dll \Windows\System32\cfgmgr32.dll \Windows\System32\comctl32.dll \Windows\System32\wintrust.dll \Windows\System32\KernelBase.dll \Windows\System32\msasn1.dll \Windows\SysWOW64\normaliz.dll ----------- End ----------- <<<1>>> Upper Device Name: \Device\Harddisk1\DR1 Upper Device Object: 0xfffffa8002b2e790 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP2T1L0-7\ Lower Device Object: 0xfffffa8002481680 Lower Device Driver Name: \Driver\atapi\ Driver name found: atapi Initialization returned 0x0 Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0) Load Function returned 0x0 <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xfffffa8002b2d610 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\ Lower Device Object: 0xfffffa8002637060 Lower Device Driver Name: \Driver\atapi\ Driver name found: atapi No address found Host not found Downloaded database version: v2013.02.26.11 Initializing... Done! 
<<<2>>> Device number: 1, partition: 4 Physical Sector Size: 512 Drive: 1, DevicePointer: 0xfffffa8002b2e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8002b2f040, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8002b2e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa8002658520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa8002481680, DeviceName: \Device\Ide\IdeDeviceP2T1L0-7\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ Upper DeviceData: 0xfffff8a003a739a0, 0xfffffa8002b2e790, 0xfffffa8002706090 Lower DeviceData: 0xfffff8a00346b1b0, 0xfffffa8002481680, 0xfffffa800441b700 Partition type: GUID <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning directory: C:\Windows\system32\drivers... <<<2>>> Device number: 1, partition: 4 Partition type: GUID <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! 
Physical Sector Size: 512 Drive: 0, DevicePointer: 0xfffffa8002b2d610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8002b2e040, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8002b2d610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa800262d520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa8002637060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0xfffff8a003b07160, 0xfffffa8002b2d610, 0xfffffa8002705090 Lower DeviceData: 0xfffff8a002fea9a0, 0xfffffa8002637060, 0xfffffa80026f7d40 Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 4041BC3E Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 409639 Partition 1 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 409640 Numsec = 449573912 Partition 2 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 450245696 Numsec = 38538216 Partition 3 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 489046056 Numsec = 487727072 Partition file system is NTFS Partition is bootable Disk Size: 500107862016 bytes Sector size: 512 bytes Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA Disk Signature: 6B65763C Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 409639 Partition 1 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 409640 Numsec = 56640624 Partition 2 type is Other (0xab) Partition is NOT ACTIVE. Partition starts at LBA: 57050264 Numsec = 1269536 Partition 3 type is Primary (0x7) Partition is ACTIVE. 
Partition starts at LBA: 58320896 Numsec = 58908672 Partition file system is NTFS Partition is bootable Disk Size: 60022480896 bytes Sector size: 512 bytes Done! Performing system, memory and registry scan... <<<2>>> Device number: 0, partition: 4 Partition type: GUID <<<3>>> Volume: D: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Infected: c:\$Recycle.Bin\S-1-5-18\$70e337c9b65d51131f5e0a88757fd297 --> [Trojan.Siredef.C] Infected: c:\$Recycle.Bin\S-1-5-21-1368498391-2565348536-346576405-1001\$70e337c9b65d51131f5e0a88757fd297 --> [Trojan.Siredef.C] Done! Scan finished Creating System Restore point... Could not create restore point... Scheduling clean up... <<<2>>> Device number: 1, partition: 4 Partition type: GUID <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> Device number: 0, partition: 4 Partition type: GUID <<<3>>> Volume: D: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Removal successful. No system shutdown is required. 
======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.01.0.1020 © Malwarebytes Corporation 2011-2012 OS version: 6.1.7601 Windows 7 Service Pack 1 x64 Account is Administrative Internet Explorer version: 9.0.8112.16421 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED CPU speed: 2.333000 GHz Memory total: 3187994624, free: 1941684224 ------------ Kernel report ------------ 02/26/2013 19:37:31 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kdcom.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll \SystemRoot\system32\PSHED.dll \SystemRoot\system32\CLFS.SYS \SystemRoot\system32\CI.dll \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\ACPI.sys \SystemRoot\system32\drivers\WMILIB.SYS \SystemRoot\system32\drivers\msisadrv.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\vdrvroot.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\DRIVERS\compbatt.sys \SystemRoot\system32\DRIVERS\BATTC.SYS \SystemRoot\System32\DRIVERS\intelide.sys \SystemRoot\System32\DRIVERS\PCIIDEX.SYS \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\system32\drivers\pciide.sys \SystemRoot\system32\DRIVERS\vmci.sys \SystemRoot\System32\Drivers\AppleMNT.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\atapi.sys \SystemRoot\system32\drivers\ataport.SYS \SystemRoot\system32\drivers\amdxata.sys \SystemRoot\system32\drivers\fltmgr.sys \SystemRoot\system32\drivers\fileinfo.sys \SystemRoot\system32\DRIVERS\MpFilter.sys \SystemRoot\System32\Drivers\Ntfs.sys \SystemRoot\System32\Drivers\msrpc.sys \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\Drivers\AppleHFS.sys 
\SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\system32\drivers\vmstorfl.sys \SystemRoot\system32\drivers\volsnap.sys \SystemRoot\System32\Drivers\spldr.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\System32\drivers\hwpolicy.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\system32\drivers\disk.sys \SystemRoot\system32\drivers\CLASSPNP.SYS \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \??\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\drivers\VIDEOPRT.SYS \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\system32\drivers\rdpencdd.sys \SystemRoot\system32\drivers\rdprefmp.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\system32\drivers\afd.sys \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\ws2ifsl.sys \SystemRoot\system32\DRIVERS\wfplwf.sys \SystemRoot\system32\DRIVERS\pacer.sys \SystemRoot\system32\DRIVERS\vwififlt.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\System32\DRIVERS\vmhgfs.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\System32\Drivers\SCDEmu.SYS \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\drivers\discache.sys \SystemRoot\system32\drivers\csc.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\blbdrive.sys \SystemRoot\system32\DRIVERS\tunnel.sys \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\igdkmd64.sys 
\SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys \SystemRoot\system32\DRIVERS\yk62x64.sys \SystemRoot\system32\DRIVERS\athrx.sys \SystemRoot\system32\DRIVERS\vwifibus.sys \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\1394ohci.sys \SystemRoot\system32\DRIVERS\CompositeBus.sys \SystemRoot\system32\DRIVERS\AgileVpn.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\rassstp.sys \SystemRoot\system32\DRIVERS\rdpbus.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\ks.sys \SystemRoot\system32\DRIVERS\umbus.sys \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\DRIVERS\stwrt64.sys \SystemRoot\system32\DRIVERS\portcls.sys \SystemRoot\system32\DRIVERS\drmk.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\Drivers\dump_dumpata.sys \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\system32\DRIVERS\monitor.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\system32\DRIVERS\AppleODD.sys \SystemRoot\system32\DRIVERS\USBSTOR.SYS \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\usbccgp.sys \SystemRoot\system32\DRIVERS\KeyMagic.sys \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS 
\SystemRoot\system32\DRIVERS\kbdhid.sys \SystemRoot\system32\DRIVERS\IRFilter.sys \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\BTHUSB.sys \SystemRoot\System32\Drivers\bthport.sys \SystemRoot\system32\DRIVERS\rfcomm.sys \SystemRoot\system32\DRIVERS\BthEnum.sys \SystemRoot\system32\DRIVERS\bthpan.sys \??\C:\Windows\system32\drivers\mbam.sys \SystemRoot\system32\DRIVERS\lltdio.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\System32\DRIVERS\srv.sys \??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys \??\C:\Windows\system32\drivers\KeyAgent.sys \??\C:\Windows\system32\drivers\MacHALDriver.sys \SystemRoot\system32\DRIVERS\NisDrvWFP.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\Drivers\secdrv.SYS \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\system32\drivers\spsys.sys \??\C:\Windows\system32\drivers\mbamchameleon.sys \??\C:\Windows\system32\drivers\mbamswissarmy.sys \Windows\System32\ntdll.dll \Windows\System32\smss.exe \Windows\System32\apisetschema.dll \Windows\System32\autochk.exe \Windows\System32\psapi.dll \Windows\System32\iertutil.dll \Windows\System32\kernel32.dll \Windows\System32\imm32.dll \Windows\System32\msvcrt.dll \Windows\System32\wininet.dll \Windows\System32\setupapi.dll \Windows\System32\usp10.dll \Windows\System32\Wldap32.dll \Windows\System32\clbcatq.dll \Windows\System32\msctf.dll \Windows\System32\user32.dll \Windows\System32\gdi32.dll \Windows\System32\difxapi.dll \Windows\System32\shlwapi.dll \Windows\System32\imagehlp.dll \Windows\System32\oleaut32.dll 
\Windows\System32\ws2_32.dll \Windows\System32\sechost.dll \Windows\System32\shell32.dll \Windows\System32\ole32.dll \Windows\System32\advapi32.dll \Windows\System32\nsi.dll \Windows\System32\lpk.dll \Windows\System32\comdlg32.dll \Windows\System32\urlmon.dll \Windows\System32\rpcrt4.dll \Windows\System32\normaliz.dll \Windows\System32\devobj.dll \Windows\System32\crypt32.dll \Windows\System32\cfgmgr32.dll \Windows\System32\comctl32.dll \Windows\System32\wintrust.dll \Windows\System32\KernelBase.dll \Windows\System32\msasn1.dll \Windows\SysWOW64\normaliz.dll ----------- End ----------- <<<1>>> Upper Device Name: \Device\Harddisk1\DR1 Upper Device Object: 0xfffffa8002b2e790 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP2T1L0-7\ Lower Device Object: 0xfffffa8002481680 Lower Device Driver Name: \Driver\atapi\ Device already Exists: 0xfffffa800441b700 <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xfffffa8002b2d610 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\ Lower Device Object: 0xfffffa8002637060 Lower Device Driver Name: \Driver\atapi\ Device already Exists: 0xfffffa80026f7d40 Initializing... Done! 
<<<2>>> Device number: 1, partition: 4 Physical Sector Size: 512 Drive: 1, DevicePointer: 0xfffffa8002b2e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8002b2f040, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8002b2e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa8002658520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa8002481680, DeviceName: \Device\Ide\IdeDeviceP2T1L0-7\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ Upper DeviceData: 0xfffff8a00b022870, 0xfffffa8002b2e790, 0xfffffa8002706090 Lower DeviceData: 0xfffff8a0098f0f20, 0xfffffa8002481680, 0xfffffa800441b700 Partition type: GUID <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning directory: C:\Windows\system32\drivers... <<<2>>> Device number: 1, partition: 4 Partition type: GUID <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! 
Physical Sector Size: 512 Drive: 0, DevicePointer: 0xfffffa8002b2d610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8002b2e040, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8002b2d610, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa800262d520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa8002637060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0xfffff8a00a19f520, 0xfffffa8002b2d610, 0xfffffa8002705090 Lower DeviceData: 0xfffff8a0001e3cf0, 0xfffffa8002637060, 0xfffffa80026f7d40 Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 4041BC3E Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 409639 Partition 1 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 409640 Numsec = 449573912 Partition 2 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 450245696 Numsec = 38538216 Partition 3 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 489046056 Numsec = 487727072 Partition file system is NTFS Partition is bootable Disk Size: 500107862016 bytes Sector size: 512 bytes Drive 1 Scanning MBR on drive 1... Inspecting partition table: MBR Signature: 55AA Disk Signature: 6B65763C Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 409639 Partition 1 type is Other (0xaf) Partition is NOT ACTIVE. Partition starts at LBA: 409640 Numsec = 56640624 Partition 2 type is Other (0xab) Partition is NOT ACTIVE. Partition starts at LBA: 57050264 Numsec = 1269536 Partition 3 type is Primary (0x7) Partition is ACTIVE. 
Partition starts at LBA: 58320896 Numsec = 58908672 Partition file system is NTFS Partition is bootable Disk Size: 60022480896 bytes Sector size: 512 bytes Done! Performing system, memory and registry scan... <<<2>>> Device number: 0, partition: 4 Partition type: GUID <<<3>>> Volume: D: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! Scan finished =======================================
-
Hey Mr. Charlie, thanks for your response. I ran RogueKiller and here is the log:

RogueKiller V8.5.2 _x64_ [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : michael [Admin rights]
Mode : Scan -- Date : 02/26/2013 13:36:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$70e337c9b65d51131f5e0a88757fd297\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1368498391-2565348536-346576405-1001\$70e337c9b65d51131f5e0a88757fd297\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$70e337c9b65d51131f5e0a88757fd297\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1368498391-2565348536-346576405-1001\$70e337c9b65d51131f5e0a88757fd297\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
-> D:\Users\Default User\NTUSER.DAT
-> D:\Users\Michael\NTUSER.DAT
-> D:\Documents and Settings\Default\NTUSER.DAT
-> D:\Documents and Settings\Default User\NTUSER.DAT

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] 1ea372b500ccea713a00c25410c9cf79
[BSP] bd755559ed7d1270adf520083ded2321 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 219518 Mo
2 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 450245696 | Size: 18817 Mo
3 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 489046056 | Size: 238147 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: OCZ-VERTEX2 ATA Device +++++
--- User ---
[MBR] 49ebdc9a7c6472c30b62fe0ac99ba392
[BSP] 749133ad0e70ef37e4267331ceb8e61b : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 200 Mo
1 - [XXXXXX] UNKNOWN (0xaf) [VISIBLE] Offset (sectors): 409640 | Size: 27656 Mo
2 - [XXXXXX] MACOSX-BT (0xab) [VISIBLE] Offset (sectors): 57050264 | Size: 619 Mo
3 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 58320896 | Size: 28764 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02262013_02d1336.txt >>
RKreport[1]_S_02262013_02d1336.txt
-
Hi, as shown by Malwarebytes Anti-Malware, I have been infected with Trojan.FakeAlert, Rogue.FakeAV, PUM.Disabled.SecurityCenter, and Trojan.FakeAV. I cannot run DDS because I get an error. Below are logs from RSIT and Malwarebytes Anti-Malware. Any help you can provide will be much appreciated. Thank you!

RSIT Log

Logfile of random's system information tool 1.09 (written by random/random)
Run by michael at 2013-02-26 13:02:00
Microsoft Windows 7 Ultimate Service Pack 1
System drive C: has 4 GB (13%) free of 29 GB
Total RAM: 3040 MB (32% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:02:22 PM, on 2/26/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\michael\Downloads\RSIT.exe
C:\Program Files (x86)\trend micro\michael.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.313\McAfeeMSS_IE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\Windows\system32\AppleOSSMgr.exe (file missing)
O23 - Service: Apple Time Service (AppleTimeSrv) - Unknown owner - C:\Windows\system32\AppleTimeSrv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc.
- C:\Program Files (x86)\McAfee Security Scan\3.0.313\McCHSvc.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files (x86)\idt\apple_v50\wdm\STacSV64.exe O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - Cortado AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe O23 - Service: TP VC Gateway Service (TPVCGateway) - Cortado AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: VMware Tools (VMTools) - VMware, Inc. 
- C:\Program Files\VMware\VMware Tools\vmtoolsd.exe O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) -- End of file - 9542 bytes ======Scheduled tasks folder====== C:\Windows\tasks\Adobe Flash Player Updater.job C:\Windows\tasks\GoogleUpdateTaskMachineCore.job C:\Windows\tasks\GoogleUpdateTaskMachineUA.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}] MSS+ Identifier - C:\Program Files (x86)\McAfee Security Scan\3.0.313\McAfeeMSS_IE.dll [2012-10-26 92624] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-12-18 66280] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] Java™ Plug-In SSV Helper - C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2012-09-24 449512] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}] Office Document Cache Handler - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL [2010-12-21 561552] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java™ Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2012-09-24 155384] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2012-12-03 946352] "SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2012-07-03 252848] ""= [] "APSDaemon"=C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [2012-11-28 59280] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Malwarebytes Anti-Malware"=C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [2012-12-14 512360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"=credssp.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorUser"=3 "EnableUIADesktopToggle"=0 "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "ConsentPromptBehaviorAdmin"=0 "EnableLUA"=0 "PromptOnSecureDesktop"=0 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 "HideSCAHealth"=1 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoActiveDesktop"=1 "NoActiveDesktopChanges"=1 "ForceActiveDesktopOn"=0 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] "vidc.mrle"=msrle32.dll "vidc.msvc"=msvidc32.dll "msacm.imaadpcm"=imaadp32.acm "msacm.msg711"=msg711.acm "msacm.msgsm610"=msgsm32.acm "msacm.msadpcm"=msadp32.acm "midimapper"=midimap.dll "wavemapper"=msacm32.drv "vidc.uyvy"=msyuv.dll "vidc.yuy2"=msyuv.dll "vidc.yvyu"=msyuv.dll "vidc.iyuv"=iyuv_32.dll "vidc.i420"=iyuv_32.dll "vidc.yvu9"=tsbyuv.dll "msacm.l3acm"=C:\Windows\SysWOW64\l3codeca.acm "vidc.cvid"=iccvid.dll "wave"=wdmaud.drv "midi"=wdmaud.drv "mixer"=wdmaud.drv "aux"=wdmaud.drv "wave1"=wdmaud.drv "midi1"=wdmaud.drv "mixer1"=wdmaud.drv "aux1"=wdmaud.drv "wave2"=wdmaud.drv "midi2"=wdmaud.drv "mixer2"=wdmaud.drv "aux2"=wdmaud.drv "wave3"=wdmaud.drv "midi3"=wdmaud.drv "mixer3"=wdmaud.drv ======File associations====== .js - edit - C:\Windows\System32\Notepad.exe %1 .js - open - C:\Windows\System32\WScript.exe "%1" %* ======List of files/folders created in the last 1 month====== 2013-02-26 13:02:02 ----D---- C:\Program Files (x86)\trend micro 2013-02-26 13:02:00 ----D---- C:\rsit 2013-02-25 09:28:53 ----AD---- C:\.fseventsd 2013-02-22 20:13:18 ----D---- C:\ProgramData\70BA8775C6C6A90A000070BA16BFAD07 2013-02-22 20:12:28 ----AH---- C:\Windows\SysWOW64\mcbutray.dll 2013-02-13 11:12:41 ----A---- C:\Windows\SysWOW64\mshtmled.dll 2013-02-13 11:12:40 ----A---- C:\Windows\SysWOW64\vbscript.dll 2013-02-13 11:12:40 ----A---- C:\Windows\SysWOW64\ieui.dll 2013-02-13 11:12:39 ----A---- C:\Windows\SysWOW64\urlmon.dll 2013-02-13 11:12:39 ----A---- C:\Windows\SysWOW64\url.dll 2013-02-13 11:12:39 ----A---- C:\Windows\SysWOW64\ieUnatt.exe 2013-02-13 11:12:38 ----A---- C:\Windows\SysWOW64\msfeeds.dll 2013-02-13 11:12:37 ----A---- 
C:\Windows\SysWOW64\wininet.dll 2013-02-13 11:12:36 ----A---- C:\Windows\SysWOW64\jscript9.dll 2013-02-13 11:12:36 ----A---- C:\Windows\SysWOW64\jscript.dll 2013-02-13 11:12:36 ----A---- C:\Windows\SysWOW64\iertutil.dll 2013-02-13 11:12:35 ----A---- C:\Windows\SysWOW64\jsproxy.dll 2013-02-13 11:12:34 ----A---- C:\Windows\SysWOW64\mshtml.dll 2013-02-13 11:12:31 ----A---- C:\Windows\SysWOW64\ieframe.dll 2013-02-13 09:37:20 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe 2013-02-13 09:37:20 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe 2013-02-13 09:37:15 ----A---- C:\Windows\SysWOW64\wow32.dll 2013-02-13 09:37:15 ----A---- C:\Windows\SysWOW64\setup16.exe 2013-02-13 09:37:15 ----A---- C:\Windows\SysWOW64\ntvdm64.dll 2013-02-13 09:37:15 ----A---- C:\Windows\SysWOW64\instnm.exe 2013-02-13 09:37:14 ----A---- C:\Windows\SysWOW64\user.exe ======List of files/folders modified in the last 1 month====== 2013-02-26 13:02:02 ----RD---- C:\Program Files (x86) 2013-02-26 13:01:56 ----D---- C:\Windows\Temp 2013-02-26 11:17:48 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware 2013-02-26 11:17:22 ----D---- C:\Windows\System32 2013-02-26 11:17:22 ----D---- C:\Windows\inf 2013-02-25 09:29:01 ----AD---- C:\.Trashes 2013-02-22 20:13:18 ----HD---- C:\ProgramData 2013-02-22 20:12:28 ----D---- C:\Windows\SysWOW64 2013-02-18 14:53:01 ----SHD---- C:\Windows\Installer 2013-02-13 21:03:00 ----D---- C:\Windows\winsxs 2013-02-13 17:02:46 ----RSD---- C:\Windows\assembly 2013-02-13 17:02:46 ----D---- C:\Windows\Microsoft.NET 2013-02-13 14:50:38 ----D---- C:\Windows\SysWOW64\migration 2013-02-13 14:50:38 ----D---- C:\Windows\AppPatch 2013-02-13 14:50:38 ----D---- C:\Program Files (x86)\Internet Explorer 2013-02-13 11:16:17 ----D---- C:\Windows\debug 2013-02-13 11:16:12 ----D---- C:\ProgramData\Microsoft Help 2013-02-12 20:38:56 ----A---- C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-02-12 20:38:01 ----D---- C:\ProgramData\Adobe 2013-02-09 19:34:03 ----D---- C:\Windows 2013-01-31 11:56:15 
----SHD---- C:\$Recycle.Bin 2013-01-29 15:32:09 ----D---- C:\Program Files (x86)\McAfee Security Scan ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R0 AppleHFS;AppleHFS; C:\Windows\SysWOW64\drivers\AppleHFS.sys [] R0 AppleMNT;AppleMNT; C:\Windows\SysWOW64\drivers\AppleMNT.sys [] R0 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [] R0 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [] R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [] R0 vmci;VMware VMCI Bus Driver; C:\Windows\system32\DRIVERS\vmci.sys [] R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [] R1 SCDEmu;SCDEmu; C:\Windows\SysWOW64\drivers\SCDEmu.sys [] R1 vmhgfs;vmhgfs; C:\Windows\System32\DRIVERS\vmhgfs.sys [] R1 vmrawdsk;VMware Vista Physical Disk Helper; \??\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys [2012-05-27 45720] R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys [] R2 KeyAgent;KeyAgent; \??\C:\Windows\system32\drivers\KeyAgent.sys [] R2 MacHALDriver;Mac HAL; \??\C:\Windows\system32\drivers\MacHALDriver.sys [] R2 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [] R2 VMMEMCTL;Memory Control Driver; \??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [2012-05-27 17560] R3 AppleODD;Apple ODD; C:\Windows\system32\DRIVERS\AppleODD.sys [] R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athrx.sys [] R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [] R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [] R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [] R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [] R3 IRRemoteFlt;IR Receiver Filter 
Driver; C:\Windows\system32\DRIVERS\IRFilter.sys [] R3 KeyMagic;USB Keyboard HID Filter; C:\Windows\system32\DRIVERS\KeyMagic.sys [] R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [] R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [] R3 STHDA;IDT High Definition Audio CODEC; C:\Windows\system32\DRIVERS\stwrt64.sys [] S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl664.sys [] S3 BthKicker;Apple Bluetooth Device Driver; C:\Windows\system32\DRIVERS\BthKicker.sys [] S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [] S3 dmvsc;dmvsc; C:\Windows\system32\drivers\dmvsc.sys [] S3 E1G60;Intel® PRO/1000 NDIS 6 Adapter Driver; C:\Windows\system32\DRIVERS\E1G6032E.sys [] S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm62x64.sys [] S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver; C:\Windows\System32\drivers\rdpvideominiport.sys [] S3 Revoflt;Revoflt; C:\Windows\system32\DRIVERS\revoflt.sys [] S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [] S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [] S3 Synth3dVsc;Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [] S3 terminpt;Microsoft Remote Desktop Input Driver; C:\Windows\system32\drivers\terminpt.sys [] S3 TsUsbFlt;TsUsbFlt; C:\Windows\system32\drivers\tsusbflt.sys [] S3 TsUsbGD;Remote Desktop Generic USB Device; C:\Windows\system32\drivers\TsUsbGD.sys [] S3 tsusbhub;@%SystemRoot%\system32\drivers\tsusbhub.sys,-1; C:\Windows\system32\drivers\tsusbhub.sys [] S3 VGPU;VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [] S3 vm3dmp;vm3dmp; C:\Windows\system32\DRIVERS\vm3dmp.sys [] S3 vmbus;vmbus; C:\Windows\system32\drivers\vmbus.sys [] S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [] S3 vmmouse;VMware Pointing Device; 
C:\Windows\system32\DRIVERS\vmmouse.sys [] S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-12-18 65192] R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2012-08-11 55184] R2 AppleOSSMgr;Apple OS Switch Manager; C:\Windows\system32\AppleOSSMgr.exe [] R2 AppleTimeSrv;Apple Time Service; C:\Windows\system32\AppleTimeSrv.exe [] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2011-08-30 462184] R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992] R2 MBAMScheduler;MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184] R2 MBAMService;MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344] R2 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Client\MsMpEng.exe [2012-09-12 22072] R2 STacSV;Audio Service; c:\program files (x86)\idt\apple_v50\wdm\STacSV64.exe [2011-03-25 251680] R3 NisSrv;@C:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243; C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-08-18 136176] S2 VMTools;VMware Tools; C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [2012-05-27 72856] S3 
AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-12 251248] S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992] S3 gupdatem;Google Update Service (gupdatem); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-08-18 136176] S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2012-12-12 641504] S3 McComponentHostService;McAfee Security Scan Component Host Service; C:\Program Files (x86)\McAfee Security Scan\3.0.313\McCHSvc.exe [2012-10-26 234776] S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service; D:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2012-09-20 50899608] S3 ose64;Office 64 Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440] S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184] S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992] S3 TPAutoConnSvc;TP AutoConnect Service; C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe [2012-05-01 509776] S3 TPVCGateway;TP VC Gateway Service; C:\Program Files\VMware\VMware Tools\TPVCGateway.exe [2012-05-01 566096] S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992] S3 vmvss;VMware Snapshot Provider; C:\Windows\system32\dllhost.exe [2009-07-13 7168] S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [] -----------------EOF----------------- Malwarebytes Log Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Database version: v2013.02.19.01 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 michael :: MA [administrator] 2/25/2013 11:52:47 AM mbam-log-2013-02-25 (11-52-47).txt Scan type: Quick 
scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 203705 Time elapsed: 1 minute(s), 40 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 3 HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. Folders Detected: 1 C:\Users\michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Antivirus Professional (Rogue.FakeAV) -> Quarantined and deleted successfully. Files Detected: 3 C:\ProgramData\70BA8775C6C6A90A000070BA16BFAD07\70BA8775C6C6A90A000070BA16BFAD07.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Users\michael\Desktop\Disk Antivirus Professional.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully. C:\Users\michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Antivirus Professional\Disk Antivirus Professional.lnk (Rogue.FakeAV) -> Quarantined and deleted successfully. (end)
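The RSIT registry dump in the post above carries the most useful indicators in the whole log: under Policies\System the machine has "EnableLUA"=0, "ConsentPromptBehaviorAdmin"=0 and "PromptOnSecureDesktop"=0 (UAC fully off), under the user's Policies\explorer "HideSCAHealth"=1 (Action Center icon hidden), and the Malwarebytes run repaired three Security Center *DisableNotify values that had been set to 1. Those are exactly the switches a rogue such as the "Disk Antivirus Professional" it removed flips so that Windows stops warning the user. The script below is an added example, not code from the post or from any of the tools mentioned: it parses the RSIT "======Registry dump======" text format and reports every audited value that differs from its secure setting. The "secure" values are the Windows 7 defaults as assumed here (the log does not state them), and the sample dump is constructed from the sections quoted above plus a Security Center section written to match what Malwarebytes reported.

```python
"""Flag security-weakening registry values in an RSIT-style registry dump.

Added example (not part of the original post). It parses the
"======Registry dump======" text RSIT produces and compares a handful of
well-known policy values against secure settings that rogue "antivirus"
products like to flip.
"""
import re
from typing import Dict, List, Tuple

# Registry keys and value names are real Windows locations; the "secure"
# values are the Windows 7 defaults, an assumption made here, not taken from the log.
EXPECTED: Dict[str, Dict[str, int]] = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": 1,                   # UAC enabled
        "ConsentPromptBehaviorAdmin": 5,  # administrators are prompted for consent
        "PromptOnSecureDesktop": 1,       # elevation prompt shown on the secure desktop
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer": {
        "HideSCAHealth": 0,               # Action Center tray icon not hidden
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 0,      # the three PUM.Disabled.SecurityCenter
        "FirewallDisableNotify": 0,       # values Malwarebytes repaired above
        "UpdatesDisableNotify": 0,
    },
}

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')  # "Name"=data

Finding = Tuple[str, str, int, int]  # (key, value name, actual, expected)


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data}} with paths and names lower-cased.

    Registry paths and value names are case-insensitive, so both are
    normalised; lines that appear outside any [key] section are ignored.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1).lower()] = value_match.group(2).strip()
    return keys


def audit(text: str) -> List[Finding]:
    """Compare the dump against EXPECTED.

    A value that is absent from the dump is not reported: an absent policy
    value means the Windows default applies, which is the secure setting here.
    """
    keys = parse_registry_dump(text)
    findings: List[Finding] = []
    for key, expected in EXPECTED.items():
        values = keys.get(key.lower(), {})
        for name, good in expected.items():
            raw = values.get(name.lower())
            if raw is None:
                continue
            try:
                actual = int(raw)
            except ValueError:
                continue  # non-numeric data (REG_SZ etc.) is not what is being checked
            if actual != good:
                findings.append((key, name, actual, good))
    return findings


# Constructed sample: the Policies\System and Policies\explorer sections are
# copied from the RSIT dump in the post; the Security Center section is written
# to match what the Malwarebytes log reported (Bad: (1) Good: (0)).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"ConsentPromptBehaviorAdmin"=0
"EnableLUA"=0
"PromptOnSecureDesktop"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"HideSCAHealth"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"""

if __name__ == "__main__":
    for key, name, actual, good in audit(SAMPLE_DUMP):
        print(f"{key}\\{name} = {actual} (expected {good})")
```

Run against the sample it reports seven deviations: the three UAC values, HideSCAHealth, and the three Security Center notification switches. The point of keeping the expected values in a table rather than hard-coding checks is that a helper can extend it with other keys RSIT dumps (the Run keys, SafeBoot entries, Drivers32) without touching the parser; on the live machine the same comparison can be made against `reg query` output once the `[key]`/`"name"=data` lines are produced in this form.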
-
I am receiving a fake "Windows is not genuine" message. The copy of Windows is definitely genuine. I have tried to run the DDS program but it cannot complete because of the error message "Pev.dat has stopped working." Your help would be appreciated.
-
Thanks; I'll give it a shot. Otherwise, everything is running well. I appreciate your help and quick response times. Great work.
-
Thanks for all your help Gringo. I really appreciate it! Everything seems to be working well now with the exception of one thing. When I try to do Windows Update, 1 update always fails. It's the .NET SP1 update.
-
Hi Gringo, the ESET scan is now done; it took 8.5 hours to complete. It says it found 3 threats.

C:\Documents and Settings\ang\My Documents\Downloads\cnet2_Setup_FreeBurner_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\ang\My Documents\Downloads\Setup_FreeBurner.exe Win32/Toolbar.SearchSuite application
C:\Documents and Settings\ang\My Documents\EXTERNAL FILE BACKUPS\From External Hard Drive 1\RALPH\Natalieeee\Local Settings\Temporary Internet Files\Content.IE5\2UNOMG2D\scan[1].htm Win32/Adware.SpyShredder application
-
Thank you Gringo. The online scan is running. It's going to take a long time as it has been running over an hour and only at 18%. I will report back here when it finishes. Thanks again!
-
Okay, the previous instructions are done and the logs are provided below. The computer seems to be slow when switching between programs and windows.

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.08.12

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ang :: DELLXPS [administrator]

Protection: Disabled

1/8/2013 4:03:25 PM
mbam-log-2013-01-08 (16-03-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 257747
Time elapsed: 39 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:01:34 PM, on 1/8/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ang\Desktop\Chris\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~2\VERIZO~1.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~2\VERIZO~1.DLL
O4 - HKLM\..\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1357611395748
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe

--
End of file - 9152 bytes
-
I don't know why the last post showed up like that; I'll try it again. The ComboFix ran smoothly and the computer is working pretty well. Here's the log:

ComboFix 13-01-08.01 - ang 01/08/2013 13:20:13.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2405 [GMT -5:00]
Running from: c:\documents and settings\ang\Desktop\Chris\ComboFix.exe
Command switches used :: c:\documents and settings\ang\Desktop\Chris\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 03:40 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3B0EDB52-F11E-4917-A5BB-CAD6DA388B77}\mpengine.dll
2013-01-08 03:26 . 2013-01-08 03:26 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-08 03:11 . 2013-01-08 03:11 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Search
2013-01-08 03:06 . 2013-01-08 03:06 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\program files\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\windows\system32\GroupPolicy
2013-01-08 03:04 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-01-08 03:04 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-01-08 03:04 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-01-08 03:03 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-01-08 02:52 . 2013-01-08 02:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\UpdatusUser
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2013-01-08 02:49 . 2012-09-23 13:04 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2013-01-08 02:49 . 2012-09-23 13:04 143720 ----a-w- c:\windows\system32\nvcolor.exe
2013-01-08 02:49 . 2012-09-23 13:04 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-08 02:49 . 2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-08 02:49 . 2012-09-23 13:04 54272 ----a-w- c:\windows\system32\nvwddi.dll
2013-01-08 02:49 . 2012-09-23 14:28 65536 ----a-w- c:\windows\system32\OpenCL.dll
2013-01-08 02:47 . 2013-01-08 02:47 -------- d-----w- C:\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:42 -------- d-----w- c:\program files\Common Files\Java
2013-01-08 02:41 . 2013-01-08 02:40 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-08 02:41 . 2013-01-08 02:40 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-08 02:38 . 2013-01-08 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-08 01:46 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-08 01:40 . 2013-01-08 02:03 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2013-01-08 01:39 . 2013-01-08 01:39 -------- d-----w- c:\program files\CCleaner
2013-01-08 00:36 . 2013-01-08 00:36 -------- d-----w- c:\program files\HitmanPro
2013-01-08 00:35 . 2013-01-08 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\ang\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-08 00:35 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-07 05:44 . 2013-01-07 05:44 -------- d-----w- C:\found.000
2013-01-07 03:13 . 2013-01-07 23:23 -------- d---a-w- C:\.Trashes
2013-01-02 15:43 . 2013-01-07 17:44 -------- d-----w- c:\program files\Dropbox
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\windows\Sun
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\documents and settings\ang\Local Settings\Application Data\Sun
2012-12-24 04:27 . 2013-01-08 02:40 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-24 04:27 . 2013-01-08 02:40 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-24 04:25 . 2012-12-24 04:26 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-08 03:26 . 2012-08-19 18:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-10 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-10 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2004-08-10 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-10 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-07 23:32 . 2012-06-21 22:30 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-06-11 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2010-7-17 921704]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 03:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\ang\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [1/7/2013 7:36 PM 105832]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [1/7/2013 7:35 PM 398184]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [7/17/2010 6:40 PM 61526]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [6/19/2012 4:21 PM 1646608]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/11/2010 11:37 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/11/2010 11:37 AM 185640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/7/2013 7:35 PM 21104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/7/2013 7:35 PM 682344]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [9/28/2012 4:04 PM 20032]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [10/1/2012 8:53 AM 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [10/1/2012 9:09 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [10/1/2012 9:09 AM 136680]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 14:10]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 14:10]
.
2013-01-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2013-01-08 c:\windows\Tasks\User_Feed_Synchronization-{5E635B6A-8DE6-4E3B-9A87-4ED2A161D6D0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 74.5.116.246 205.244.194.36
FF - ProfilePath - c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - ExtSQL: 2013-01-07 22:15; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-07 22:38; adblockpopups@jessehakanen.net; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-01-07 22:38; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: !HIDDEN! 2010-11-29 09:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 13:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\PRISMAPI.DLL
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-08 13:45:39
ComboFix-quarantined-files.txt 2013-01-08 18:45
ComboFix2.txt 2013-01-08 17:44
.
Pre-Run: 34,444,263,424 bytes free
Post-Run: 34,428,248,064 bytes free
.
- - End Of File - - 3CB2BF941B90DEF7E462108B066FE9A4
-
Everything ran smoothly Gringo. Computer is running pretty well.

Here's the report:

ComboFix 13-01-08.01 - ang 01/08/2013 13:20:13.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2405 [GMT -5:00]
Running from: c:\documents and settings\ang\Desktop\Chris\ComboFix.exe
Command switches used :: c:\documents and settings\ang\Desktop\Chris\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 03:40 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3B0EDB52-F11E-4917-A5BB-CAD6DA388B77}\mpengine.dll
2013-01-08 03:26 . 2013-01-08 03:26 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-08 03:11 . 2013-01-08 03:11 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Search
2013-01-08 03:06 . 2013-01-08 03:06 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\program files\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\windows\system32\GroupPolicy
2013-01-08 03:04 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-01-08 03:04 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-01-08 03:04 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-01-08 03:03 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-01-08 02:52 . 2013-01-08 02:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\UpdatusUser
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2013-01-08 02:49 . 2012-09-23 13:04 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2013-01-08 02:49 . 2012-09-23 13:04 143720 ----a-w- c:\windows\system32\nvcolor.exe
2013-01-08 02:49 . 2012-09-23 13:04 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-08 02:49 . 2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-08 02:49 . 2012-09-23 13:04 54272 ----a-w- c:\windows\system32\nvwddi.dll
2013-01-08 02:49 . 2012-09-23 14:28 65536 ----a-w- c:\windows\system32\OpenCL.dll
2013-01-08 02:47 . 2013-01-08 02:47 -------- d-----w- C:\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:42 -------- d-----w- c:\program files\Common Files\Java
2013-01-08 02:41 . 2013-01-08 02:40 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-08 02:41 . 2013-01-08 02:40 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-08 02:38 . 2013-01-08 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-08 01:46 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-08 01:40 . 2013-01-08 02:03 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2013-01-08 01:39 . 2013-01-08 01:39 -------- d-----w- c:\program files\CCleaner
2013-01-08 00:36 . 2013-01-08 00:36 -------- d-----w- c:\program files\HitmanPro
2013-01-08 00:35 . 2013-01-08 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\ang\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-08 00:35 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-07 05:44 . 2013-01-07 05:44 -------- d-----w- C:\found.000
2013-01-07 03:13 . 2013-01-07 23:23 -------- d---a-w- C:\.Trashes
2013-01-02 15:43 . 2013-01-07 17:44 -------- d-----w- c:\program files\Dropbox
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\windows\Sun
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\documents and settings\ang\Local Settings\Application Data\Sun
2012-12-24 04:27 . 2013-01-08 02:40 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-24 04:27 . 2013-01-08 02:40 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-24 04:25 . 2012-12-24 04:26 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-08 03:26 . 2012-08-19 18:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-10 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-10 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2004-08-10 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-10 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-07 23:32 . 2012-06-21 22:30 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-06-11 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2010-7-17 921704]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 03:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\ang\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone 
TOTALe\\RosettaStoneTOTALe.exe"=</div> <div>"c:\\WINDOWS\\system32\\LEXPPS.EXE"=</div> <div>"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=</div> <div>.</div> <div>R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [1/7/2013 7:36 PM 105832]</div> <div>R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [1/7/2013 7:35 PM 398184]</div> <div>R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [7/17/2010 6:40 PM 61526]</div> <div>R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [6/19/2012 4:21 PM 1646608]</div> <div>R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/11/2010 11:37 AM 206120]</div> <div>R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/11/2010 11:37 AM 185640]</div> <div>R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/7/2013 7:35 PM 21104]</div> <div>S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/7/2013 7:35 PM 682344]</div> <div>S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [9/28/2012 4:04 PM 20032]</div> <div>S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [10/1/2012 8:53 AM 121192]</div> <div>S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [10/1/2012 9:09 AM 12776]</div> <div>S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [10/1/2012 9:09 AM 136680]</div> <div>.</div> <div>--- Other Services/Drivers In Memory ---</div> <div>.</div> <div>*NewlyCreated* - WS2IFSL</div> <div>.</div> <div>Contents of the 'Scheduled Tasks' folder</div> <div>.</div> <div>2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job</div> <div>- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 
14:10]</div> <div>.</div> <div>2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job</div> <div>- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 14:10]</div> <div>.</div> <div>2013-01-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job</div> <div>- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]</div> <div>.</div> <div>2013-01-08 c:\windows\Tasks\User_Feed_Synchronization-{5E635B6A-8DE6-4E3B-9A87-4ED2A161D6D0}.job</div> <div>- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]</div> <div>.</div> <div>.</div> <div>------- Supplementary Scan -------</div> <div>.</div> <div>uStart Page = hxxp://www.google.com/</div> <div>uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"</div> <div>uInternet Settings,ProxyOverride = *.local</div> <div>IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000</div> <div>IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105</div> <div>TCP: DhcpNameServer = 74.5.116.246 205.244.194.36</div> <div>FF - ProfilePath - c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\</div> <div>FF - prefs.js: browser.search.selectedEngine - Google</div> <div>FF - prefs.js: browser.startup.homepage - hxxp://www.google.com</div> <div>FF - ExtSQL: 2013-01-07 22:15; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi</div> <div>FF - ExtSQL: 2013-01-07 22:38; adblockpopups@jessehakanen.net; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\adblockpopups@jessehakanen.net.xpi</div> <div>FF - ExtSQL: 2013-01-07 22:38; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi</div> <div>FF - ExtSQL: 
!HIDDEN! 2010-11-29 09:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension</div> <div>.</div> <div>.</div> <div>**************************************************************************</div> <div>.</div> <div>catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net</div> <div>Rootkit scan 2013-01-08 13:43</div> <div>Windows 5.1.2600 Service Pack 3 NTFS</div> <div>.</div> <div>scanning hidden processes ... </div> <div>.</div> <div>scanning hidden autostart entries ... </div> <div>.</div> <div>scanning hidden files ... </div> <div>.</div> <div>scan completed successfully</div> <div>hidden files: 0</div> <div>.</div> <div>**************************************************************************</div> <div>.</div> <div>--------------------- DLLs Loaded Under Running Processes ---------------------</div> <div>.</div> <div>- - - - - - - > 'lsass.exe'(824)</div> <div>c:\windows\system32\PRISMAPI.DLL</div> <div>.</div> <div>- - - - - - - > 'explorer.exe'(3592)</div> <div>c:\windows\system32\WININET.dll</div> <div>c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf</div> <div>c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll</div> <div>c:\program files\Windows Desktop Search\deskbar.dll</div> <div>c:\program files\Windows Desktop Search\en-us\dbres.dll.mui</div> <div>c:\program files\Windows Desktop Search\dbres.dll</div> <div>c:\program files\Windows Desktop Search\wordwheel.dll</div> <div>c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui</div> <div>c:\program files\Windows Desktop Search\msnlExtRes.dll</div> <div>c:\windows\system32\msi.dll</div> <div>c:\windows\system32\ieframe.dll</div> <div>c:\windows\system32\webcheck.dll</div> <div>c:\windows\system32\WPDShServiceObj.dll</div> <div>c:\windows\system32\PortableDeviceTypes.dll</div> <div>c:\windows\system32\PortableDeviceApi.dll</div> <div>.</div> <div>Completion 
time: 2013-01-08 13:45:39</div> <div>ComboFix-quarantined-files.txt 2013-01-08 18:45</div> <div>ComboFix2.txt 2013-01-08 17:44</div> <div>.</div> <div>Pre-Run: 34,444,263,424 bytes free</div> <div>Post-Run: 34,428,248,064 bytes free</div> <div>.</div> <div>- - End Of File - - 3CB2BF941B90DEF7E462108B066FE9A4</div> <div> </div>
-
Great, thank you. The ComboFix went through and told me to install recovery console, which I did. Then the computer restarted. I had to run ComboFix again and it finished. Searches seem to be working properly now. Here is the log:

ComboFix 13-01-08.01 - ang 01/08/2013 12:23:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2439 [GMT -5:00]
Running from: c:\documents and settings\ang\Desktop\Chris\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ang\Desktop\Search.lnk
c:\windows\system32\muzapp.exe
c:\windows\system32\Oleaut32.1
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\WindowsUpdate.log
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 03:40 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3B0EDB52-F11E-4917-A5BB-CAD6DA388B77}\mpengine.dll
2013-01-08 03:26 . 2013-01-08 03:26 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-08 03:11 . 2013-01-08 03:11 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Search
2013-01-08 03:06 . 2013-01-08 03:06 -------- d-----w- c:\documents and settings\ang\Application Data\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\program files\Windows Desktop Search
2013-01-08 03:05 . 2013-01-08 03:05 -------- d-----w- c:\windows\system32\GroupPolicy
2013-01-08 03:04 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-01-08 03:04 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-01-08 03:04 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-01-08 03:03 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-01-08 02:52 . 2013-01-08 02:52 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\UpdatusUser
2013-01-08 02:49 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2013-01-08 02:49 . 2012-09-23 13:04 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2013-01-08 02:49 . 2012-09-23 13:04 143720 ----a-w- c:\windows\system32\nvcolor.exe
2013-01-08 02:49 . 2012-09-23 13:04 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-08 02:49 . 2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-08 02:49 . 2012-09-23 13:04 54272 ----a-w- c:\windows\system32\nvwddi.dll
2013-01-08 02:49 . 2012-09-23 14:28 65536 ----a-w- c:\windows\system32\OpenCL.dll
2013-01-08 02:47 . 2013-01-08 02:47 -------- d-----w- C:\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2013-01-08 02:42 . 2013-01-08 02:42 -------- d-----w- c:\program files\Common Files\Java
2013-01-08 02:41 . 2013-01-08 02:40 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-08 02:41 . 2013-01-08 02:40 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-08 02:38 . 2013-01-08 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-08 01:46 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-08 01:40 . 2013-01-08 02:03 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2013-01-08 01:39 . 2013-01-08 01:39 -------- d-----w- c:\program files\CCleaner
2013-01-08 00:36 . 2013-01-08 00:36 -------- d-----w- c:\program files\HitmanPro
2013-01-08 00:35 . 2013-01-08 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\ang\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-01-08 00:35 . 2013-01-08 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-08 00:35 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-07 05:44 . 2013-01-07 05:44 -------- d-----w- C:\found.000
2013-01-07 03:13 . 2013-01-07 23:23 -------- d---a-w- C:\.Trashes
2013-01-02 15:43 . 2013-01-07 17:44 -------- d-----w- c:\program files\Dropbox
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\windows\Sun
2012-12-24 04:31 . 2012-12-24 04:31 -------- d-----w- c:\documents and settings\ang\Local Settings\Application Data\Sun
2012-12-24 04:27 . 2013-01-08 02:40 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-24 04:27 . 2013-01-08 02:40 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-24 04:25 . 2012-12-24 04:26 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-08 03:26 . 2012-08-19 18:58 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-10 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-10 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2004-08-10 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-10 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-07 23:32 . 2012-06-21 22:30 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-06-11 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2010-7-17 921704]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 03:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\ang\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone TOTALe\\RosettaStoneTOTALe.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
.
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [1/7/2013 7:36 PM 105832]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [1/7/2013 7:35 PM 398184]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [7/17/2010 6:40 PM 61526]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [6/19/2012 4:21 PM 1646608]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [6/11/2010 11:37 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [6/11/2010 11:37 AM 185640]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [1/8/2013 12:40 PM 30616]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/7/2013 7:35 PM 21104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/7/2013 7:35 PM 682344]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [9/28/2012 4:04 PM 20032]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [10/1/2012 8:53 AM 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [10/1/2012 9:09 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [10/1/2012 9:09 AM 136680]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO37
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 14:10]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 14:10]
.
2013-01-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2013-01-08 c:\windows\Tasks\User_Feed_Synchronization-{5E635B6A-8DE6-4E3B-9A87-4ED2A161D6D0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 74.5.116.246 205.244.194.36
FF - ProfilePath - c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - ExtSQL: 2013-01-07 22:15; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-07 22:38; adblockpopups@jessehakanen.net; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-01-07 22:38; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; c:\documents and settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: !HIDDEN! 2010-11-29 09:26; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 12:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\PRISMAPI.DLL
.
- - - - - - - > 'explorer.exe'(136)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\PRISMSVR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2013-01-08 12:44:05 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-08 17:44
.
Pre-Run: 32,906,067,968 bytes free
Post-Run: 34,497,859,584 bytes free
.
- - End Of File - - 426C531F36F5D147FF505DA3B0305D20
-
Gringo, thank you very much for your assistance! Here are the logs you requested:

 Results of screen317's Security Check version 0.99.56
 Windows XP Service Pack 3 x86
 Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100
 CCleaner
 Eusing Free Registry Cleaner
 Java 7 Update 10
 Java SE Development Kit 7 Update 10
 Java version out of Date!
 Adobe Flash Player 11.5.502.135
 Adobe Reader 8 Adobe Reader out of Date!
 Mozilla Firefox 15.0.1 Firefox out of Date!
 Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials MSMpEng.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````

# AdwCleaner v2.105 - Logfile created 01/08/2013 at 10:50:55
# Updated 08/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ang - DELLXPS
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ang\Desktop\Chris\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\DOCUME~1\ang\LOCALS~1\Temp\Searchqu.ini
File Deleted : C:\DOCUME~1\ang\LOCALS~1\Temp\searchqutoolbar-manifest.xml
File Deleted : C:\DOCUME~1\ang\LOCALS~1\Temp\SetupDataMngr_Searchqu.exe
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\ang\Application Data\searchquband
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\Windows Searchqu Toolbar

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

File : C:\Documents and Settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\prefs.js

C:\Documents and Settings\ang\Application Data\Mozilla\Firefox\Profiles\y62awjva.default\user.js ... Deleted !
Deleted : user_pref("browser.search.defaultenginename", "Searchqu Web Search");
Deleted : user_pref("browser.search.order.1", "Searchqu Web Search");
Deleted : user_pref("keyword.URL", "hxxp://www.searchqu.com/web?src=ffb&appid=0&systemid=421&sr=0&q=");

File : C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\sogym1pt.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\ang\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4653 octets] - [08/01/2013 10:50:55]

########## EOF - C:\AdwCleaner[S1].txt - [4713 octets] ##########

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ang [Admin rights]
Mode : Scan -- Date : 01/08/2013 10:58:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500JS-75NCB3 +++++
--- User ---
[MBR] 5129beacb923da222b40d067644ddbfc
[BSP] 234d729f4dfb7cb73549226db6e733de : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238409 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD2500JS-75NCB3 +++++
--- User ---
[MBR] cd3abb5725b5754cb1e3c9ea7e9e2447
[BSP] 3b8b473e06d9db989618bba793589d1d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238409 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5]_S_01082013_02d1058.txt >>
RKreport[1]_S_01082013_02d1057.txt ; RKreport[2]_S_01082013_02d1057.txt ; RKreport[3]_D_01082013_02d1058.txt ; RKreport[4]_D_01082013_02d1058.txt ; RKreport[5]_S_01082013_02d1058.txt
-
Hi Malwarebytes folks, I have a computer whose browsers are redirecting to search-results.com now. Any help would be greatly appreciated. Thanks!

Attachments: dds.txt, attach.txt
-
Thank you for the quick response time, Maniac. OTL was run with the custom scan/fix. Here is the fix log:

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKU\S-1-5-21-591084242-1256559719-2965977113-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
HKU\S-1-5-21-591084242-1256559719-2965977113-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
HKEY_USERS\S-1-5-21-591084242-1256559719-2965977113-1001\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-591084242-1256559719-2965977113-1001\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ not found.
Registry key HKEY_USERS\S-1-5-21-591084242-1256559719-2965977113-1001\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_USERS\S-1-5-21-591084242-1256559719-2965977113-1001\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Prefs.js: "" removed from browser.search.order.1
Prefs.js: "Ask.com" removed from browser.search.selectedEngine
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Michael\Desktop\Malware Fix\cmd.bat deleted successfully.
C:\Users\Michael\Desktop\Malware Fix\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Michael
->Temp folder emptied: 6535750 bytes
->Temporary Internet Files folder emptied: 19658930 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 42483755 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 506 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 44 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 65.00 mb

OTL by OldTimer - Version 3.2.54.0 log created on 07232012_122509

Files\Folders moved on Reboot...
C:\Users\Michael\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFP66KKF\activityi;src=3106981;type=kitco800;cat=kitco909;ord=1;num=1283377233841.6943;~oref=http___www.kitco.com_charts_livegold[1].htm moved successfully.
C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFP66KKF\bind[1].htm moved successfully.
File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\728x90[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\activityi;src=3106981;type=kitco800;cat=kitco909;ord=1;num=756961960745.7273;~oref=http___www.kitco.com_charts_livegold[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\ads[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\ads[4].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\checkOAuth[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\countCA6YC08A.js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\countCAQBEXWL.js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\countCAUZ5R4I.js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[2].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[3].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[4].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[5].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\count[8].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\dmg_banner_001[1].htm not found! 
File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\Empty[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\goldcharts_header_ad[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\like[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\like[2].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\mail[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[2].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[3].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[4].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[5].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\max_log[6].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\msn_landing[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\oauth[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\openhand[1].txt not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\rotatedads3[1].js not found! 
File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\rotatedads4[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\rpc[1].js not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\si[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\si[6].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\tweet_button.1340179658[1].htm not found! File C:\Users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A4456Q06\xd_arbiter[1].htm not found! [2012/07/23 12:37:33 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5 Registry entries deleted on Reboot...
-
Thank you for your reply and instructions, Maniac. I proceeded with your instructions to uninstall the 2 items and run OTL. Here are the logs:

OTL logfile created on: 7/23/2012 1:45:42 PM - Run 1 OTL by OldTimer - Version 3.2.54.0
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: microsoft.com ([office] http in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O15 - HKU\S-1-5-21-591084242-1256559719-2965977113-1001\..Trusted Domains: office.com ([]https in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 74.5.116.246 205.244.194.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BE079FC1-E635-4995-AF77-4C7C38F32FE2}: DhcpNameServer = 74.5.116.242 74.5.116.246
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CCADE9DC-1763-4062-BA5A-00EF95BF4B13}: DhcpNameServer = 74.5.116.246 205.244.194.36
O18 - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/23 13:23:59 | 000,638,976 | ---- | C] (ESET) -- C:\Users\Michael\Desktop\ESETUninstaller.exe
[2012/07/22 18:21:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/07/22 00:11:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/22 00:11:44 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/21 23:59:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/21 23:57:32 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/21 23:50:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/21 23:50:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/21 23:50:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/21 23:50:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/21 23:49:06 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Michael\Desktop\OTL.exe
[2012/07/21 14:22:13 | 000,000,000 | -HSD | C] -- C:\found.000
[2012/07/21 12:59:04 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\ESET
[2012/07/21 12:59:04 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\ESET
[2012/07/21 12:53:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/07/20 23:36:10 | 000,000,000 | ---D | C] -- C:\Temp
[2012/07/20 23:14:39 | 000,000,000 | ---D | C] -- C:\Boot
[2012/07/20 21:28:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/07/20 21:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/07/20 21:28:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/07/20 21:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/07/20 21:24:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AirPort
[2012/07/20 20:57:42 | 000,000,000 | ---D | C] -- C:\$WINDOWS.~BT
[2012/07/20 19:48:37 | 005,646,848 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\idtcpl64.cpl
[2012/07/20 19:48:37 | 002,477,344 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stlang64.dll
[2012/07/20 19:48:37 | 000,548,128 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\idt64mp1.exe
[2012/07/20 19:48:37 | 000,251,680 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stacsv64.exe
[2012/07/20 19:47:47 | 000,653,088 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stapo64.dll
[2012/07/20 19:47:47 | 000,372,512 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stcplx64.dll
[2012/07/20 19:47:44 | 000,505,120 | ---- | C] (IDT, Inc.) -- C:\Windows\SysNative\stapi64.dll
[2012/07/20 19:19:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Simple Adblock
[2012/07/20 16:09:01 | 000,000,000 | ---D | C] -- C:\$UPGRADE.~OS
[2012/07/18 10:50:30 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2012/07/18 10:50:30 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2012/07/17 10:12:56 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\NeoSmart_Technologies
[2012/07/17 10:09:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NeoSmart Technologies
[2012/07/16 11:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/07/16 11:12:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2012/07/16 11:12:20 | 000,355,856 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/07/16 11:12:20 | 000,025,232 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/07/16 11:12:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/07/16 11:12:19 | 000,958,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/07/16 11:12:19 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/07/16 11:12:19 | 000,071,064 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/07/16 11:12:19 | 000,059,728 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/07/16 11:12:19 | 000,054,072 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012/07/16 11:12:07 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/07/16 11:12:07 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/16 11:11:55 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/07/16 11:11:55 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/07/15 21:14:07 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/06/24 12:26:55 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Macromedia
[1 C:\Users\Michael\Desktop\*.tmp files -> C:\Users\Michael\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/23 13:49:08 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/23 13:49:08 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/23 13:49:08 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/23 13:48:47 | 000,026,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/23 13:48:47 | 000,026,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/23 13:44:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/07/23 13:43:44 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/23 13:43:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/23 13:43:29 | 1593,995,264 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/23 13:24:00 | 000,638,976 | ---- | M] (ESET) -- C:\Users\Michael\Desktop\ESETUninstaller.exe
[2012/07/23 13:21:54 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Michael\Desktop\OTL.exe
[2012/07/23 02:35:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/23 02:33:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-591084242-1256559719-2965977113-1001UA.job
[2012/07/22 23:33:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-591084242-1256559719-2965977113-1001Core.job
[2012/07/21 22:52:00 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/07/21 22:52:00 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2012/07/21 22:03:53 | 000,783,424 | ---- | M] () -- C:\Windows\pkeyconfig.xrm-ms
[2012/07/21 22:03:52 | 000,000,003 | RHS- | M] () -- C:\win7ldr
[2012/07/21 22:03:36 | 000,203,316 | RHS- | M] () -- C:\grldr
[2012/07/21 17:27:07 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/07/21 12:23:49 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2012/07/21 09:45:56 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
[2012/07/21 09:45:56 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
[2012/07/20 21:47:37 | 000,015,364 | ---- | M] () -- C:\.DS_Store
[2012/07/20 14:04:48 | 000,006,148 | ---- | M] () -- C:\ProgramData\.DS_Store
[2012/07/11 16:22:09 | 000,279,672 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/03 12:21:52 | 000,958,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/07/03 12:21:52 | 000,355,856 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/07/03 12:21:52 | 000,071,064 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/07/03 12:21:52 | 000,059,728 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/07/03 12:21:52 | 000,054,072 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012/07/03 12:21:51 | 000,025,232 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/07/03 12:21:18 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[1 C:\Users\Michael\Desktop\*.tmp files -> C:\Users\Michael\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/21 23:50:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/21 23:50:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/21 23:50:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/21 23:50:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/21 23:50:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/21 22:52:00 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/07/21 22:52:00 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2012/07/21 22:03:52 | 000,000,003 | RHS- | C] () -- C:\win7ldr
[2012/07/20 19:31:53 | 000,783,424 | ---- | C] () -- C:\Windows\pkeyconfig.xrm-ms
[2012/07/20 14:04:08 | 000,006,148 | ---- | C] () -- C:\ProgramData\.DS_Store
[2012/07/16 11:12:25 | 000,000,900 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/16 11:12:24 | 000,000,896 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/16 11:12:19 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2012/03/22 20:39:04 | 000,115,636 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2012/03/09 21:46:27 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2012/03/09 21:00:01 | 000,000,352 | ---- | C] () -- C:\Users\Michael\AppData\Roaming\Network Meter_Settings.ini
[2011/01/20 09:18:09 | 010,485,760 | ---- | C] () -- C:\Users\Michael\test.10meg
[2007/06/10 17:23:10 | 000,000,000 | ---- | C] () -- C:\Users\Michael\usb

========== LOP Check ==========

[2012/03/18 12:18:34 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\abelhadigital.com
[2012/03/09 21:30:43 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Blitware
[2012/05/24 23:23:36 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Dropbox
[2012/07/21 12:59:04 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\ESET
[2012/03/07 00:49:51 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\Thunderbird
[2012/07/20 19:32:47 | 000,000,000 | ---D | M] -- C:\Users\Michael\AppData\Roaming\transmission
[2012/03/09 21:53:21 | 000,000,366 | ---- | M] () -- C:\Windows\Tasks\Driver Robot.job
[2012/06/23 13:28:09 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Windows\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 64 bytes -> C:\ProgramData\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 64 bytes -> C:\.Trashes:AFP_AfpInfo
@Alternate Data Stream - 64 bytes -> C:\.DS_Store:AFP_AfpInfo

< End of report >

Extras

OTL Extras logfile created on: 7/23/2012 1:45:42 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Michael\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 2.11 Gb Available Physical Memory | 71.09% Memory free
8.91 Gb Paging File | 8.04 Gb Available in Paging File | 90.24% Paging File free
Paging file location(s): c:\pagefile.sys 0 0d:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 28.09 Gb Total Space | 5.29 Gb Free Space | 18.83% Space Free | Partition Type: NTFS
Drive D: | 232.56 Gb Total Space | 100.75 Gb Free Space | 43.32% Space Free | Partition Type: NTFS
Drive E: | 232.39 Gb Total Space | 186.31 Gb Free Space | 80.17% Space Free | Partition Type: HFS
Drive F: | 27.01 Gb Total Space | 9.50 Gb Free Space | 35.16% Space Free | Partition Type: HFS

Computer Name: MICHAEL-PC | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0C689E36-1413-4940-891C-03D06B7A2674}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0F45CF0D-81F7-4BEA-80F6-DCD4E23E55F6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{10FDC319-9898-47F3-8D72-6523154274A6}" = rport=445 | protocol=6 | dir=out | app=system |
"{14A6F707-DC46-443B-BF75-3F9C2D19E40A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{16D96684-574C-4936-90B9-473D67941D98}" = lport=10243 | protocol=6 | dir=in | app=system |
"{1E551AA5-264E-4894-A406-8D6AD9E8A578}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{37E5220D-F4DB-404C-B05C-8D1F3CF6A2BD}" = lport=138 | protocol=17 | dir=in | app=system |
"{3FA58E52-F7D2-4D57-8323-6F25EE70AC34}" = lport=5353 | protocol=17 | dir=in | name=bonjour |
"{4E937F5A-A427-4D50-B518-D8C7ECF0C7F6}" = rport=139 | protocol=6 | dir=out | app=system |
"{62CFFF9F-78E5-4764-997E-DBD83358284B}" = lport=137 | protocol=17 | dir=in | app=system |
"{65C2751B-2970-4AAA-8DDA-0F30B13AAEBE}" = lport=139 | protocol=6 | dir=in | app=system |
"{7BDCD195-05CD-4EF8-8DC0-9519BE067454}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{80F49DC9-44AE-4145-B109-4D41CEA84723}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8C4A58CD-FB06-4E06-BB9C-8D1524CCD6C7}" = lport=445 | protocol=6 | dir=in | app=system |
"{8CB22194-11BA-44CC-A14B-CBA915F2A44E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{924BA259-D609-4F9D-9254-AFC69D0BB261}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{939DD8D0-89D3-4B29-AF97-495E2EDC72BE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9A0EB1DC-8C30-4752-93E0-8E45A184257E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A8479BF8-9DFB-42EF-BBFB-CE3BCABE1830}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BF1559E8-695F-4B96-8BC7-EBDA31C8F4B7}" = rport=137 | protocol=17 | dir=out | app=system |
"{C69A48BE-F6FF-4040-B1BE-4E4481595DCC}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D3B76209-C236-453B-BE1C-6654E2EBC85D}" = rport=10243 | protocol=6 | dir=out | app=system |
"{EC29BA76-05E7-427A-97B3-B7510073D505}" = rport=138 | protocol=17 | dir=out | app=system |
"{F8785669-0ADF-473C-BDCA-371867FBED17}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B19F0A-6ADB-46F2-83BE-D4E99619369C}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{18402932-7C6B-4771-9562-BB709B4BC4BB}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{18DFDA92-302F-4DCD-9970-4E94E3633A71}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{200739CC-55A9-41D7-80EC-0914FCFEC380}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{28A9A86F-8CEF-40E4-A87A-B68FCD516C30}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{2957291B-631C-492C-AE93-D1AC2B0B6ED4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{2C66EBC8-B968-4554-957C-FA429E99E065}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{3127E91C-28FA-4D8D-9891-5074FC39D3B7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{32A36E24-7B3D-4D0D-9EC4-32717FE48039}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4D6ECDBC-74D9-48CC-A3ED-D8C82DEEAC6E}" = protocol=6 | dir=out | app=system |
"{5C37F5DE-81B3-4249-9EDA-E0E21AB3A4E4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{5F2C2288-939C-4339-A0A7-AB931D812836}" = protocol=17 | dir=in | app=c:\users\michael\appdata\roaming\dropbox\bin\dropbox.exe |
"{65BC5FB2-C234-4E71-8F76-9244313ADEDF}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{6F3E6F60-214F-451A-BD35-B86B102AF71B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{78C4BAC0-3DCC-4B53-A842-7ECD60D681FC}" = protocol=6 | dir=in | app=c:\users\michael\appdata\roaming\dropbox\bin\dropbox.exe |
"{81E9C72B-AA20-40B7-B5BE-91C160D3F2A3}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{85696CF5-DD5B-4031-A27B-FB5172A34DC7}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{8F2845E5-7E96-48A6-9934-748C944ECA73}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9E783F2E-F421-4463-8AFA-19020DBE8D5B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A0E13995-8393-4BAF-B958-6D21AAA693A3}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{A0FC65D8-23BE-44C4-89C5-EB54F9129395}" = dir=in | app=c:\program files (x86)\airport\apagent.exe |
"{B65BAEBA-8020-4B47-949E-B5D6EABFB233}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{BC20D87D-60D1-4DFF-B38F-69429FA32779}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C571077E-1C60-4039-B7C2-216577ECB3F8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{D9A5F2F8-F85C-408C-94BA-CC81B3611FB4}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E2E57966-E844-49DA-8503-45E364B7E9AB}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{E457503C-CA70-4475-9FB1-82EA049FC26F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{EA152A7A-6549-45F0-A19E-682ED1DD0CAC}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{FD7061A8-FEFA-47C7-B5F5-9DFE6A81CE7C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{FD857E06-F881-4606-B55F-02CBDE1331CD}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"TCP Query User{287ED727-D26A-44DF-8EB0-983B86BABF36}C:\program files (x86)\transmission-qt\transmission-qt.exe" = protocol=6 | dir=in | app=c:\program files (x86)\transmission-qt\transmission-qt.exe |
"TCP Query User{AFAB0F8B-CB85-49C5-A34B-E12A72BAADA8}C:\program files (x86)\airport\aputil.exe" = protocol=6 | dir=in | app=c:\program files (x86)\airport\aputil.exe |
"UDP Query User{BB0646F7-26CD-4953-8053-B55B29E1D803}C:\program files (x86)\airport\aputil.exe" = protocol=17 | dir=in | app=c:\program files (x86)\airport\aputil.exe |
"UDP Query User{D7FABAE0-D433-4229-B9DE-CC50FE933E24}C:\program files (x86)\transmission-qt\transmission-qt.exe" = protocol=17 | dir=in | app=c:\program files (x86)\transmission-qt\transmission-qt.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5F3A89AB-9EA8-6B75-EB86-FEEA6208296A}" = ATI Catalyst Install Manager
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}" = Apple Mobile Device Support
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}" = iTunes
"{8B485965-8EFE-464A-842F-CF8F18C3DFD7}" = iCloud
"{90140000-0011-0000-1000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{7BC9B5EB-125A-4E9B-97E1-8D85B5E960B8}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0409-1000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-1000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-1000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-1000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-1000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-1000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-1000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUS_{0242505C-4E90-407F-9299-B5B275F50D86}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-1000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUS_{B51389C8-2890-4633-81D8-47D2A7402274}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-1000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.PROPLUS_{1779650B-2E44-4A19-8DF6-3866D645764A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-1000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-1000-0000000FF1CE}_Office14.PROPLUS_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0043-0000-1000-0000000FF1CE}" = Microsoft Office Office 32-bit Components 2010
"{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0043-0409-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (English) 2010
"{90140000-0043-0409-1000-0000000FF1CE}_Office14.PROPLUS_{FCD1C311-8B02-4DBD-BA46-1079C629577E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-1000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-1000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-1000-0000000FF1CE}_Office14.PROPLUS_{516CA4A9-98E6-4F77-A863-CBD8487368E4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-1000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010 "{90140000-00A1-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1) "{90140000-00BA-0409-1000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010 "{90140000-00BA-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1) "{90140000-0115-0409-1000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010 "{90140000-0115-0409-1000-0000000FF1CE}_Office14.PROPLUS_{516CA4A9-98E6-4F77-A863-CBD8487368E4}" = Microsoft Office 2010 Service Pack 1 (SP1) "{90140000-0117-0409-1000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010 "{90140000-0117-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1) "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64) "{ADA3F9C8-A6D3-4FCF-BFBB-EAD69AC0884E}" = Boot Camp Services "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "0B6B49213CF56838AFC233905FA14AC47EAA9B28" = Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (10/05/2010 3.2.0.1) "110E24F054DE5F4F72985BC1F3A53F61985BD4CC" = Windows Driver Package - Broadcom (BCM43XX) Net (04/06/2011 5.100.198.22) "159439476E3A00F9FAE49DD6C1A78F2F6288A5B9" = Windows Driver Package - Intel (e1express) Net (03/26/2010 9.13.41.0) "26D089A9557429904D9851293EA25C911B64CCF8" = Windows Driver Package - Broadcom Corporation (bScsiSDa) SDHost (01/18/2011 1.0.0.220) "2CD6536AAFFF9B465A871060CF483EC9F3341D29" = Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1) "43B83D262B11C05DBFE8BEB0E2CBD5A9EA1E7F9C" = Windows Driver Package - Cirrus Logic, Inc. 
(CirrusFilter) MEDIA (12/03/2010 6.6001.1.30) "455287ECCB4BABCDE9C6713B82B1BDA990D55398" = Windows Driver Package - Apple Inc. Apple Multitouch (05/05/2011 4.0.0.1) "57AFA39B22ADEC4E383572E9331167546EB3C9C7" = Windows Driver Package - Intel (e1qexpress) Net (12/04/2009 11.4.7.0) "5BEF08C10896D86DC13394FFA75874564B700368" = Windows Driver Package - Intel (e1kexpress) Net (04/12/2010 11.6.92.0) "703003CF14C8E79F68CA5A750AF4E02B9BD4B4D8" = Windows Driver Package - Apple Inc. Apple Keyboard (05/05/2011 4.0.0.1) "70C7CBB0824BF74552A2F28F5FFBF62A15053DA8" = Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0) "76830D11874044260C923425E7F5A72F25EDA758" = Windows Driver Package - Apple Inc. Apple Trackpad Enabler (07/13/2009 3.0.0.1) "7C9678A21221D0575C74AF7CE68E28C2771F9E41" = Windows Driver Package - Broadcom (b57nd60a) Net (12/02/2010 14.4.2.2) "A0A897639A1D288A8B472FE790EBF9DB71E52ACF" = Windows Driver Package - Apple Inc. Apple Trackpad (07/13/2009 3.0.0.1) "C7DD621795A42EAE550280D4D7601459F35C4EC2" = Windows Driver Package - Apple Inc. Apple Wireless Trackpad (01/17/2011 3.2.0.0) "CB599752301BCA080D135697FDD05900F5A5CF4C" = Windows Driver Package - Intel (e1yexpress) Net (04/07/2010 10.1.9.0) "CCleaner" = CCleaner "CDD703ED0B390A5643DB748EBFA5BD55FEEC0D8A" = Windows Driver Package - Marvell (yukonx64) Net (12/06/2007 10.51.1.3) "D088EE4BD2819FBA2B349EF9D55176F223419BE6" = Windows Driver Package - Apple Inc. Apple Wireless Mouse (06/01/2011 4.0.0.1) "D53CBF2C12DF51DA5E9C1A9DA97FF0DCA0C524C5" = Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (02/01/2008 3.10.3.10) "D5BB697E7D0C75712F3AD00AB1B85412CB5C0FD3" = Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0) "D6B4CB6AD2F81752C2EF8DCF6AD5EBC567ADD45C" = Windows Driver Package - Apple Inc. Apple ODD (05/17/2010 3.1.0.0) "D76172B51B1ECB34E38F97F42F51B7A46FA15F52" = Windows Driver Package - Apple Inc. 
Apple System Device (04/05/2011 3.2.0.8) "E0EAD0CEA9119B77350ED4DE28D9A82E57014D94" = Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0) "E2708073906571A0B56F17FD825EF19281ECE29B" = Windows Driver Package - Intel System (07/20/2007 1.2.76.0) "EA3C044F6FD39CEC8F4F596836BF4197E97E1D39" = Windows Driver Package - Apple Inc. Apple Bluetooth (03/01/2010 3.0.0.5) "F08FFCF5C857951E0CC5F736988F3D01BF425252" = Windows Driver Package - Apple Inc. Apple Multitouch Mouse (05/05/2011 4.0.0.1) "F0A3F8394866FA91E82C8D5AB92C918FE40FE1DF" = Windows Driver Package - Atheros Communications Inc. (athr) Net (11/13/2010 9.2.0.113) "F71DB41300D30088C8D3716343D1429488E605C1" = Windows Driver Package - Intel (e1rexpress) Net (01/07/2010 11.4.16.0) "HDMI" = Intel® Graphics Media Accelerator Driver "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Office14.PROPLUS" = Microsoft Office Professional Plus 2010 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime "{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support "{1A36CF15-DF66-4756-9482-A9ABF3DDACE6}_is1" = Driver Robot "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java 6 Update 31 "{2C1D4263-77F0-46F6-A3A3-F89A95F6EB8F}" = SSDlife Free "{59308225-510C-4492-A7E4-71625FAD545E}" = Simple Adblock "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{83FA601A-241A-4956-8A21-F7D525C4422F}_is1" = SSD Tweaker version 2.0.1 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AA68AAAE-41F0-40B5-8896-5947F5FD6889}" = AirPort "{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor 
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3) "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C779648B-410E-4BBA-B75B-5815BCEFE71D}" = Safari "{CCF298AF-9CE1-4B26-B251-486E98A34789}" = Windows 7 USB/DVD Download Tool "{D1F7C704-99F2-11E1-9C74-984BE15F174E}" = Evernote v. 4.5.6 "{DF005BE5-DF01-43D9-B6FB-6296446CA61F}_is1" = HostsMan 4.0.82 Beta3 "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "8538E49A-6FE5-4FDB-8649-922BB839F21F" = Transmission-Qt "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "avast" = avast! Free Antivirus "EasyBCD" = EasyBCD 2.1.2 "eBoostr 1" = eBoostr 3 "ESET Online Scanner" = ESET Online Scanner v3 "Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300 "Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US) "MozillaMaintenanceService" = Mozilla Maintenance Service "PowerISO" = PowerISO ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-591084242-1256559719-2965977113-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dropbox" = Dropbox "Google Chrome" = Google Chrome ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 7/22/2012 2:01:20 PM | Computer Name = Michael-PC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 9.0.8112.16447, time stamp: 0x4fc9cd53 Faulting module name: aswWebRepIE.dll, version: 7.0.1456.418, time stamp: 0x4ff31b8b Exception code: 0xc0000417 Fault offset: 0x0004d9fb Faulting process id: 0xedc Faulting application start time: 0x01cd682306594b27 Faulting application path: C:\Program Files (x86)\Internet 
Explorer\iexplore.exe Faulting module path: C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Report Id: 3d269ff8-d427-11e1-94cb-0016cb13cdaf Error - 7/22/2012 2:01:25 PM | Computer Name = Michael-PC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 9.0.8112.16447, time stamp: 0x4fc9cd53 Faulting module name: aswWebRepIE.dll, version: 7.0.1456.418, time stamp: 0x4ff31b8b Exception code: 0xc0000417 Fault offset: 0x0004d9fb Faulting process id: 0xe5c Faulting application start time: 0x01cd6819734297d9 Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Report Id: 4003c7cd-d427-11e1-94cb-0016cb13cdaf Error - 7/22/2012 6:21:13 PM | Computer Name = Michael-PC | Source = WinMgmt | ID = 10 Description = Error - 7/22/2012 7:41:24 PM | Computer Name = Michael-PC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 9.0.8112.16447, time stamp: 0x4fc9cd53 Faulting module name: aswWebRepIE.dll, version: 7.0.1456.418, time stamp: 0x4ff31b8b Exception code: 0xc0000417 Fault offset: 0x0004d9fb Faulting process id: 0x5904 Faulting application start time: 0x01cd68637dd50ad1 Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Report Id: bf1cdaff-d456-11e1-b4a3-0016cb13cdaf Error - 7/22/2012 7:42:00 PM | Computer Name = Michael-PC | Source = Application Error | ID = 1000 Description = Faulting application name: iexplore.exe, version: 9.0.8112.16447, time stamp: 0x4fc9cd53 Faulting module name: aswWebRepIE.dll, version: 7.0.1456.418, time stamp: 0x4ff31b8b Exception code: 0xc0000417 Fault offset: 0x0004d9fb Faulting process id: 0x4ca8 Faulting application start time: 0x01cd6862b554ad26 Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe 
Faulting module path: C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Report Id: d4712e9d-d456-11e1-b4a3-0016cb13cdaf Error - 7/23/2012 1:11:45 AM | Computer Name = Michael-PC | Source = SideBySide | ID = 16842832 Description = Activation context generation failed for "c:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error - 7/23/2012 1:11:49 AM | Computer Name = Michael-PC | Source = SideBySide | ID = 16842815 Description = Activation context generation failed for "c:\program files (x86)\spybot - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid. 
Error - 7/23/2012 1:17:33 PM | Computer Name = Michael-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/23/2012 1:36:37 PM | Computer Name = Michael-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/23/2012 1:45:22 PM | Computer Name = Michael-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 7/15/2012 9:15:36 PM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 7/16/2012 10:48:25 AM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 7/16/2012 10:50:38 AM | Computer Name = Michael-PC | Source = DCOM | ID = 10001
Description =

Error - 7/16/2012 2:55:36 PM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: cdrom

Error - 7/16/2012 10:56:16 AM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 7/16/2012 10:57:25 AM | Computer Name = Michael-PC | Source = DCOM | ID = 10001
Description =

Error - 7/16/2012 11:02:46 AM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: cdrom

Error - 7/16/2012 11:03:26 AM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 7/16/2012 9:38:03 PM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 7/16/2012 9:56:35 PM | Computer Name = Michael-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

< End of report >
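A small triage pass over DDS-style lines like the ones posted in this thread, as an added example that is not part of the original posts or of the DDS/OTL tools. It flags the UAC policies set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), the Startup-folder shortcut that launches a batch file out of AppData\Local\temp, orphaned "No File" BHO entries, a non-default Firefox search engine, and more than one AV product registered, and it lists the trusted zones and DHCP name servers for manual review. The sample lines are copied from the logs in this thread and embedded so the script runs offline; the rule names, severities, and the set of expected search engines are the example's own assumptions, not anything the thread or the tools define.

```python
"""Triage rules run over DDS / OTL-style log lines.

Added example for this thread, not part of the original post or of DDS/OTL
itself. The rule set, severities and names are the example's own assumptions.
"""
import re

# Constructed sample: a subset of the lines from the DDS log in this thread,
# embedded so the script runs offline. Raw string, so backslashes are literal.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
StartupFolder: C:\Users\Michael\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_uninst_.lnk - C:\Users\Michael\AppData\Local\temp\_uninst_.bat
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: internet
Trusted Zone: microsoft.com\update
FF - prefs.js: browser.search.selectedEngine - Ask.com
TCP: DhcpNameServer = 74.5.116.246 205.244.194.36
"""

# UAC values under HKLM\...\Policies\System; a 0 on any of these removes or
# weakens the elevation prompt (assumed rule for this example).
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Firefox search engines treated as expected; anything else is reported.
KNOWN_SEARCH_ENGINES = {"Google", "Bing", "Yahoo"}
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")


def triage(log_text):
    """Return (severity, rule, detail) tuples for lines that deserve a look."""
    findings = []
    av_products = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AV: "):
            # "AV: <product> *<state>* {guid}" -> keep the product name only
            av_products.append(line[4:].split(" *", 1)[0])
        elif line.startswith("BHO") and line.endswith("- No File"):
            # CLSID registered as a browser helper but its DLL is gone
            findings.append(("low", "orphaned-bho", line))
        elif line.startswith("StartupFolder:"):
            # "<shortcut> - <target>": autorun target living under a temp dir
            target = line.split(" - ", 1)[-1]
            if TEMP_DIR.search(target):
                findings.append(("high", "startup-from-temp", target))
        elif line.startswith("mPolicies-system:"):
            m = POLICY.match(line)
            if m and m.group(1) in UAC_KEYS and m.group(2) == "0":
                findings.append(("high", "uac-weakened", m.group(1)))
        elif line.startswith("Trusted Zone:"):
            findings.append(("info", "trusted-zone", line.split(":", 1)[1].strip()))
        elif "browser.search.selectedEngine" in line:
            engine = line.rsplit(" - ", 1)[-1]
            if engine not in KNOWN_SEARCH_ENGINES:
                findings.append(("medium", "search-engine-changed", engine))
        elif line.startswith("TCP: DhcpNameServer"):
            servers = line.split("=", 1)[1].split()
            findings.append(("info", "dns-servers", " ".join(servers)))
    if len(av_products) > 1:
        findings.append(("medium", "multiple-av", ", ".join(av_products)))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}: {detail}")
```

The rules are deliberately string-prefix based because DDS prints one item per line with a fixed prefix; feeding it a whole saved DDS.txt instead of SAMPLE_LOG needs no other change. The "info" items are not verdicts: a trusted zone or a DHCP resolver is only suspicious once you know what the owner expects there.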
-
Post Merged

Hi, your assistance would be much appreciated on web searches being redirected to search-results.com and also the Windows time being wrong. The system has had a number of viruses recently. Additionally, Internet Explorer 9 has had some breakpoint errors as well, such as "(0x80000003) occurred in the application at location 0x77d5801d." Thank you. Here are the logs; thank you for any help.

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Michael at 18:45:00 on 2012-07-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3040.1644 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
c:\program files (x86)\idt\apple_v50\wdm\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\AirPort\APAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SimpleAdblock Class: {ffcb3198-32f3-4e8b-9539-4324694ed664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
StartupFolder: C:\Users\Michael\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_uninst_.lnk - C:\Users\Michael\AppData\Local\temp\_uninst_.bat
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: office.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 74.5.116.246 205.244.194.36
TCP: Interfaces\{BE079FC1-E635-4995-AF77-4C7C38F32FE2} : DhcpNameServer = 74.5.116.242 74.5.116.246
TCP: Interfaces\{CCADE9DC-1763-4062-BA5A-00EF95BF4B13} : DhcpNameServer = 74.5.116.246 205.244.194.36
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\gql8e4vd.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Users\Michael\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R0 AppleMNT;AppleMNT;C:\Windows\system32\drivers\AppleMNT.sys --> C:\Windows\system32\drivers\AppleMNT.sys [?]
R0 DwProt;DrWeb Protection;C:\Windows\system32\drivers\dwprot.sys --> C:\Windows\system32\drivers\dwprot.sys [?]
R0 eBoost;eBoostr caching filter driver;C:\Windows\system32\drivers\eBoost.sys --> C:\Windows\system32\drivers\eBoost.sys [?]
R0 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]
R0 prl_pv64;prl_pv64;C:\Windows\system32\DRIVERS\prl_pv64.sys --> C:\Windows\system32\DRIVERS\prl_pv64.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\system32\DRIVERS\EpfwLWF.sys --> C:\Windows\system32\DRIVERS\EpfwLWF.sys [?]
R1 prl_boot;Parallels BootCamp Helper;C:\Windows\system32\DRIVERS\prl_boot.sys --> C:\Windows\system32\DRIVERS\prl_boot.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2012-3-7 913144]
R2 KeyAgent;KeyAgent;\??\C:\Windows\system32\drivers\KeyAgent.sys --> C:\Windows\system32\drivers\KeyAgent.sys [?]
R2 MacHALDriver;Mac HAL;\??\C:\Windows\system32\drivers\MacHALDriver.sys --> C:\Windows\system32\drivers\MacHALDriver.sys [?]
R2 MBAMService;MBAMService;D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-22 655944]
R3 AppleODD;Apple ODD;C:\Windows\system32\DRIVERS\AppleODD.sys --> C:\Windows\system32\DRIVERS\AppleODD.sys [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys --> C:\Windows\system32\DRIVERS\IRFilter.sys [?]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys --> C:\Windows\system32\DRIVERS\KeyMagic.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-7-16 44808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BthKicker;Apple Bluetooth Device Driver;C:\Windows\system32\DRIVERS\BthKicker.sys --> C:\Windows\system32\DRIVERS\BthKicker.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-9 250056]
S4 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe --> C:\Windows\system32\AppleOSSMgr.exe [?]
S4 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe --> C:\Windows\system32\AppleTimeSrv.exe [?]
S4 EBOOSTRSVC;eBoostr Service;C:\Program Files (x86)\eBoostr\EBstrSvc.exe [2009-5-20 639616]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-16 136176]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-16 136176]
S4 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-30 113120]
.
=============== Created Last 30 ================
.
2012-07-22 04:11:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-22 03:59:06 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-22 03:50:57 98816 ----a-w- C:\Windows\sed.exe
2012-07-22 03:50:57 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-22 03:50:57 256000 ----a-w- C:\Windows\PEV.exe
2012-07-22 03:50:57 208896 ----a-w- C:\Windows\MBR.exe
2012-07-21 18:22:13 -------- d-sh--w- C:\found.000
2012-07-21 16:59:04 -------- d-----w- C:\Users\Michael\AppData\Roaming\ESET
2012-07-21 16:59:04 -------- d-----w- C:\Users\Michael\AppData\Local\ESET
2012-07-21 16:53:56 -------- d-----w- C:\Program Files\ESET
2012-07-21 16:53:03 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-07-21 14:27:01 -------- d---a-w- C:\.fseventsd
2012-07-21 03:36:10 -------- d-----w- C:\Temp
2012-07-21 03:14:39 -------- d-----w- C:\Boot
2012-07-21 01:28:37 -------- d-----w- C:\Program Files\iTunes
2012-07-21 01:28:37 -------- d-----w- C:\Program Files\iPod
2012-07-21 01:28:37 -------- d-----w- C:\Program Files (x86)\iTunes
2012-07-21 01:24:45 -------- d-----w- C:\Program Files (x86)\AirPort
2012-07-21 00:57:42 -------- d-----w- C:\$WINDOWS.~BT
2012-07-20 23:48:37 5646848 ----a-w- C:\Windows\System32\idtcpl64.cpl
2012-07-20 23:48:37 548128 ----a-w- C:\Windows\System32\idt64mp1.exe
2012-07-20 23:48:37 251680 ----a-w- C:\Windows\System32\stacsv64.exe
2012-07-20 23:48:37 2477344 ----a-w- C:\Windows\System32\stlang64.dll
2012-07-20 23:47:47 653088 ----a-w- C:\Windows\System32\stapo64.dll
2012-07-20 23:47:47 372512 ----a-w- C:\Windows\System32\stcplx64.dll
2012-07-20 23:47:44 505120 ----a-w- C:\Windows\System32\stapi64.dll
2012-07-20 23:19:10 -------- d-----w- C:\Program Files (x86)\Common Files\Simple Adblock
2012-07-20 20:09:01 -------- d-----w- C:\$UPGRADE.~OS
2012-07-18 14:56:11 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-07-18 14:56:10 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-07-18 14:56:10 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-07-18 14:50:30 -------- d-----w- C:\Windows\SysWow64\Wat
2012-07-18 14:50:30 -------- d-----w- C:\Windows\System32\Wat
2012-07-17 14:12:56 -------- d-----w- C:\Users\Michael\AppData\Local\NeoSmart_Technologies
2012-07-16 15:12:19 958400 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-07-16 15:12:19 71064 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-07-16 15:12:19 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-07-16 15:12:07 41224 ----a-w- C:\Windows\avastSS.scr
2012-07-16 15:11:55 -------- d-----w- C:\ProgramData\AVAST Software
2012-07-16 15:11:55 -------- d-----w- C:\Program Files\AVAST Software
2012-07-11 15:26:23 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 21:36:52 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-04 21:36:52 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-24 16:26:55 -------- d-----w- C:\Users\Michael\AppData\Local\Macromedia
2012-06-22 14:13:46 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-22 14:13:42 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-22 14:13:41 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-22 14:13:41 186752 ----a-w- C:\Windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
2012-07-11 21:44:26 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-11 21:44:25 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-04-24 04:36:42 140288 ----a-w-
C:\Windows\SysWow64\cryptsvc.dll 2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll 2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll . ============= FINISH: 18:45:31.27 =============== Attach: . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows 7 Ultimate Boot Device: \Device\HarddiskVolume3 Install Date: 3/7/2012 2:44:54 AM System Uptime: 7/21/2012 6:31:47 PM (0 hours ago) . Motherboard: Apple Inc. | | Mac-F4208EC8 Processor: Intel® Core™2 CPU T7600 @ 2.33GHz | U2E1 | 2333/166mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 28 GiB total, 5.411 GiB free. D: is FIXED (NTFS) - 233 GiB total, 100.695 GiB free. E: is FIXED (HFS) - 232 GiB total, 186.314 GiB free. F: is FIXED (HFS) - 27 GiB total, 9.496 GiB free. H: is CDROM () . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . Adobe Flash Player 11 ActiveX Adobe Flash Player 11 Plugin Adobe Reader X (10.1.3) AirPort Apple Application Support Apple Software Update avast! Free Antivirus Driver Robot Dropbox EasyBCD 2.1.2 eBoostr 3 Eusing Free Registry Cleaner Evernote v. 
4.5.6 Freeze.com NetAssistant Google Chrome Google Update Helper HostsMan 4.0.82 Beta3 IDT Audio Java™ 6 Update 31 Malwarebytes Anti-Malware version 1.62.0.1300 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Mozilla Firefox 14.0.1 (x86 en-US) Mozilla Maintenance Service NetAssistant PowerISO QuickTime Realtek High Definition Audio Driver Safari Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Simple Adblock Spybot - Search & Destroy SSD Tweaker version 2.0.1 SSDlife Free Transmission-Qt Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Windows 7 Upgrade Advisor Windows 7 USB/DVD Download Tool . ==== Event Viewer Messages From Past Week ======== . 7/21/2012 6:32:41 PM, Error: Service Control Manager [7023] - The Superfetch service terminated with the following error: The system cannot find the file specified. 
7/21/2012 6:32:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom 7/21/2012 6:28:45 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start. 7/21/2012 6:28:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89} 7/21/2012 6:28:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E} 7/21/2012 6:28:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 7/21/2012 6:28:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC} 7/21/2012 6:28:35 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi cdrom CSC DfsC discache eamonm ehdrv EpfwLWF NetBIOS NetBT nsiproxy prl_boot Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 
7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 
7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning. 7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning. 7/21/2012 2:23:10 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:. 7/21/2012 2:23:10 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume BOOTCAMP. 7/21/2012 12:54:01 PM, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. 7/21/2012 11:55:31 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. 7/21/2012 11:16:13 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). 
7/21/2012 11:15:53 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The remote procedure call failed. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). 7/21/2012 11:15:53 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 7/21/2012 10:35:48 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver. 7/21/2012 1:47:04 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit. 7/20/2012 8:46:38 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start. 7/20/2012 8:46:30 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start. 
7/20/2012 8:46:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi cdrom discache SCDEmu spldr Wanarpv6 7/20/2012 8:32:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi cdrom CSC DfsC discache NetBIOS NetBT nsiproxy prl_boot Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl 7/20/2012 7:50:06 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded. 7/20/2012 3:58:24 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147467243 7/18/2012 10:03:24 AM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding 7/15/2012 9:14:10 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a (0xfffff8a0000b8490, 0xffffffffc0000185, 0x000000001c1a5860, 0xfffff960002f90f4). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 071512-12308-01. . ==== End Of File =========================== Attach.txt DDS.txt
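The Event Viewer section of an Attach.txt like the one posted above is the part a helper reads first, and the Service Control Manager 7026 entries are the ones that matter for security tooling: they name every boot-start driver that did not load, which here includes the avast! (asw*) and ESET (eamonm, ehdrv, EpfwLWF) kernel drivers alongside the core networking stack (AFD, tdx, nsiproxy, NetBT and so on), and the cascade of 7001 dependency failures follows from those. The script below is an added example, not part of arnolfini's post or of the DDS tool: it pulls the 7026 events out of that text, counts how many times each driver failed, and groups the drivers by what they belong to. The sample event lines are copied from the posted log; the prefix-to-product mapping and the list of network-stack drivers are this example's own assumptions.

```python
"""
Added example: triage the Service Control Manager 7026 ("boot-start or
system-start driver(s) failed to load") events in a DDS Attach.txt.
Not from the forum post or from DDS; the driver classification below is an
assumption made for this example.
"""
import re
from collections import Counter

# Constructed sample: four Event Viewer lines copied from the posted log.
# The 7001 line is there so the 7026 filter has something to skip.
SAMPLE_EVENTS = """\
7/21/2012 6:28:35 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi cdrom CSC DfsC discache eamonm ehdrv EpfwLWF NetBIOS NetBT nsiproxy prl_boot Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
7/21/2012 6:28:35 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2012 8:46:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi cdrom discache SCDEmu spldr Wanarpv6
7/20/2012 8:32:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi cdrom CSC DfsC discache NetBIOS NetBT nsiproxy prl_boot Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
"""

# DDS prints each event as: "<date> <time> <AM|PM>, <Level>: <Source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"failed to load: (?P<drivers>.+)$")

# Assumed mapping of driver-name prefixes to the product that ships them.
SECURITY_DRIVER_PREFIXES = {
    "asw": "avast!",
    "eamonm": "ESET",
    "ehdrv": "ESET",
    "Epfw": "ESET",
}
# Assumed set of core networking drivers; when these fail to load, the
# Workstation, DHCP, DNS and NSI services cannot start either.
NETWORK_STACK = {"AFD", "tdx", "nsiproxy", "NetBT", "NetBIOS", "Psched", "WfpLwf", "ws2ifsl"}


def parse_events(text):
    """Yield a dict per line that matches the DDS Event Viewer layout."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_boot_drivers(text):
    """Return [(timestamp, [driver, ...]), ...] for every SCM 7026 event."""
    events = []
    for ev in parse_events(text):
        if ev["source"] == "Service Control Manager" and ev["id"] == "7026":
            m = FAILED_RE.search(ev["msg"])
            if m:
                events.append((ev["ts"], m.group("drivers").split()))
    return events


def classify(driver):
    """Label a driver as a security product, network stack, or other."""
    for prefix, product in SECURITY_DRIVER_PREFIXES.items():
        if driver.startswith(prefix):
            return product
    if driver in NETWORK_STACK:
        return "network stack"
    return "other"


def summarize(text):
    """Count 7026 events and, per classification, how often each driver failed."""
    events = failed_boot_drivers(text)
    counts = Counter(d for _, drivers in events for d in drivers)
    summary = {}
    for driver, n in counts.items():
        summary.setdefault(classify(driver), {})[driver] = n
    return len(events), summary


if __name__ == "__main__":
    n_events, summary = summarize(SAMPLE_EVENTS)
    print(f"{n_events} driver-load-failure events")
    for group, drivers in sorted(summary.items()):
        print(group)
        for driver, n in sorted(drivers.items(), key=lambda kv: (-kv[1], kv[0])):
            print(f"  {driver:12} failed in {n}/{n_events} events")
```

Run it against a full Attach.txt by reading the file into `summarize()`. A driver that fails in every 7026 event (here aswSnx, aswSP, aswTdi and cdrom) is a persistent condition rather than a one-off, and a security driver in that list means the product was not protecting the machine at boot, whatever its tray icon said.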