Unable to clean recent infection


macks

Hello all,

A friend's computer (Windows 7 x64) was recently infected and I've been trying to help him remove it. AVG Free was installed with the resident shield off at the time of infection. I've since installed MB Pro, both found and cleaned some things out, but it wasn't clear what. Something called "White Smoke Toolbar" and "White Smoke Translator" were installed by the Malware, but were simple to remove with Revo Uninstaller.

For some reason Chrome/Chromium/Internet Explorer lock up when started now, and Firefox randomly opens tabs to spam and a site called "fresh-search.net". When logging in to Windows it now says it's loading a group policy, which didn't exist before. System restore was turned off and it looks like all the restore points were deleted. The group policy editor complains about being unable to run ActiveX controls, but making a new user I was able to use regedit to turn system restore back on. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:53 AM, on 11/19/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files (x86)\DU Meter\DUMeter.exe
C:\Program Files (x86)\Workrave\lib\Workrave.exe
C:\Program Files (x86)\TwonkyMedia\twonkymediaserverconfig.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\gAlwaysIdle\gidle.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\max\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [gidle] "C:\Program Files (x86)\gAlwaysIdle\gidle.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [DU Meter] C:\Program Files (x86)\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [Workrave] C:\Program Files (x86)\Workrave\lib\workrave.exe
O4 - HKUS\S-1-5-18\..\Run: [uPc+kt0NrqPJsiv] rundll32.exe C:\Windows\system32\ojzbhhvx5.dll, SystemServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [uPc+kt0NrqPJsiv] rundll32.exe C:\Windows\system32\ojzbhhvx5.dll, SystemServer (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
O4 - Global Startup: TwonkyMedia Tray Control.lnk = C:\Program Files (x86)\TwonkyMedia\twonkymediaserverconfig.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files (x86)\DU Meter\DUMeterSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - Unknown owner - C:\Windows\system32\STacSV64.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8762 bytes

O4 - HKUS\S-1-5-18\..\Run: [uPc+kt0NrqPJsiv] rundll32.exe C:\Windows\system32\ojzbhhvx5.dll, SystemServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [uPc+kt0NrqPJsiv] rundll32.exe C:\Windows\system32\ojzbhhvx5.dll, SystemServer (User 'Default user')

Those lines stuck out to me, but it doesn't seem to exist. Here's the MBAM log now:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5153

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/19/2010 11:56:44 AM
mbam-log-2010-11-19 (11-56-44).txt

Scan type: Quick scan
Objects scanned: 166333
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
--snip--

And DDS.txt:

DDS (Ver_10-11-10.01) - NTFS_AMD64  
Run by max at 11:33:31.20 on Fri 11/19/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.4093.2242 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DU Meter\DUMeterSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\STacSV64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe
C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\TwonkyMedia\TwonkyMediaServer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files (x86)\DU Meter\DUMeter.exe
C:\Program Files (x86)\Workrave\lib\Workrave.exe
C:\Program Files (x86)\TwonkyMedia\twonkymediaserverconfig.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\gAlwaysIdle\gidle.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\max\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [DU Meter] C:\Program Files (x86)\DU Meter\DUMeter.exe
uRun: [Workrave] C:\Program Files (x86)\Workrave\lib\workrave.exe
mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun: [gidle] "C:\Program Files (x86)\gAlwaysIdle\gidle.exe"
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRun: [uPc+kt0NrqPJsiv] rundll32.exe C:\Windows\system32\ojzbhhvx5.dll, SystemServer
StartupFolder: C:\Users\max\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Trillian.lnk - C:\Program Files (x86)\Trillian\trillian.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TWONKY~1.LNK - C:\Program Files (x86)\TwonkyMedia\twonkymediaserverconfig.exe
uPolicies-explorer: AlwaysShowClassicMenu = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Trusted Zone: intuit.com\ttlc
Trusted Zone: rga.com\rose
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - F:\PROGRA~2\Microsoft Office\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [Giganews] C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe
AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - component: C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: C:\PROGRA~2\Microsoft Office\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\Microsoft Office\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Opera\program\plugins\np_gp.dll
FF - plugin: C:\Program Files (x86)\Win7codecs\rm\browser\plugins\nppl3260.dll
FF - plugin: C:\Program Files (x86)\Win7codecs\rm\browser\plugins\nprpjplug.dll
FF - plugin: C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\3.0.40723.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\npctrl.dll
FF - plugin: C:\Program Files\Opera\program\plugins\npdsplay.dll
FF - plugin: C:\Program Files\Opera\program\plugins\NPSWF32.dll
FF - plugin: C:\Program Files\Opera\program\plugins\npwmsdrm.dll
FF - plugin: C:\Users\max\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\WINDOWS\system32\Photosynth\nppsynth.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: XULRunner: {1D3E9598-68D1-4924-A742-1F1FED21C800} - C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800}\
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{C0C0D62B-8628-45E0-86D7-CAD1C68E9007}");

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-7-20 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-7-20 35536]
R2 acedrv11;acedrv11;C:\Windows\System32\drivers\acedrv11.sys [2010-2-24 191616]
R2 avg9wd;AVG Free WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-7-20 308136]
R2 DUMeterSvc;DU Meter Service;C:\Program Files (x86)\DU Meter\DUMeterSvc.exe [2009-12-22 504832]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R2 TwonkyMedia;TwonkyMedia;C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe -serviceversion 0 --> C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-8-16 131688]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;C:\Windows\System32\drivers\nvoclk64.sys [2009-9-15 42088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-8 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2009-12-22 304464]
S3 avast! Web Scanner;avast! Web Scanner;"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service --> C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [?]
S3 FB3SE;FB3SE;C:\Windows\System32\drivers\fb3se_x64.sys [2010-6-25 56016]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-12-23 1038088]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2009-10-29 1767816]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\System32\drivers\lvpopf64.sys [2009-10-7 271640]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2009-10-7 327704]
S3 lvsels64;Logitech Selective Suspend Filter;C:\Windows\System32\drivers\lvsels64.sys [2009-10-7 67992]
S3 LVUVC64;QuickCam Orbit/Sphere MP(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2009-10-7 6379288]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2009-12-22 24664]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2010-4-19 22528]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2010-5-31 31800]
S3 RivaTuner64;RivaTuner64;F:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-8-22 19952]
S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-6-6 14648]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 VMUVC;Vimicro Camera Service VMUVC;C:\Windows\System32\drivers\vmuvc.sys [2010-10-20 198400]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;C:\Windows\System32\drivers\vvftUVC.sys [2010-10-20 303616]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-28 1255736]
S4 BCSWAP;BCSWAP;C:\Windows\System32\drivers\bcswap.sys [2009-12-21 101352]

=============== Created Last 30 ================

2010-11-19 16:19:55 -------- d-----w- C:\Users\max\AppData\Roaming\GetRightToGo
2010-11-19 15:06:07 64674 ----a-w- C:\isettings.reg
2010-11-19 13:58:03 -------- d-----w- C:\Users\max\AppData\Local\VirtualStore
2010-11-19 05:29:34 490232 ----a-w- C:\HelpAsst_mebroot_fix.exe
2010-11-19 05:25:21 8006480 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{0F7A86FD-4AD1-4B7D-B448-7CF9EA440048}\mpengine.dll
2010-11-16 07:47:32 -------- d-----w- C:\Python27
2010-11-12 20:42:54 -------- d-----w- C:\Program Files (x86)\MCEdit
2010-11-12 18:37:47 -------- d-----w- C:\Users\max\AppData\Local\Activision
2010-11-12 14:51:35 -------- d-----w- C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357}
2010-11-10 04:15:53 -------- d-----w- C:\Users\max\AppData\Roaming\BOXEE
2010-11-10 04:15:44 -------- d-----w- C:\Program Files (x86)\Boxee
2010-11-07 18:59:07 -------- d-----w- C:\Users\max\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-11-07 18:59:07 -------- d-----w- C:\Users\max\AppData\Roaming\Adobe Mini Bridge CS5
2010-11-07 04:17:11 -------- d-----w- C:\Users\max\Logitech
2010-11-07 04:16:32 -------- d-----w- C:\Program Files (x86)\Common Files\Remote Control Software Common
2010-11-07 04:16:23 -------- d-----w- C:\Program Files (x86)\Common Files\Remote Control USB Driver
2010-11-07 04:16:15 757760 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2010-11-07 04:16:15 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2010-11-07 04:16:15 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2010-11-07 04:16:15 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2010-11-07 04:16:15 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2010-11-07 04:16:15 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2010-11-07 04:16:15 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2010-11-07 04:16:15 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2010-10-28 07:42:32 -------- d-----w- C:\Windows\rescache
2010-10-27 04:01:09 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2010-10-27 04:01:09 641536 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2010-10-27 04:01:09 552960 ----a-w- C:\Windows\System32\msdri.dll
2010-10-27 04:01:08 288256 ----a-w- C:\Windows\System32\MSNP.ax
2010-10-27 04:01:08 258560 ----a-w- C:\Windows\System32\mpg2splt.ax
2010-10-27 04:01:08 204288 ----a-w- C:\Windows\SysWow64\MSNP.ax
2010-10-27 04:01:08 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2010-10-27 04:01:05 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2010-10-22 13:51:01 -------- d-----w- C:\Program Files\iPod
2010-10-22 13:51:00 -------- d-----w- C:\Program Files\iTunes
2010-10-22 13:51:00 -------- d-----w- C:\Program Files (x86)\iTunes
2010-10-22 13:43:58 -------- d-----w- C:\PROGRA~3\webex
2010-10-21 04:10:51 -------- d-----w- C:\Windows\VMUVC

==================== Find3M ====================

2010-10-19 15:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-15 17:27:22 828912 ----a-w- C:\Windows\System32\drivers\sptd.sys
2010-10-14 06:36:52 15451288 ----a-w- C:\Windows\SysWow64\xlive.dll
2010-10-14 06:36:50 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll
2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2010-09-08 15:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-09-06 19:23:25 43520 ----a-w- C:\Windows\SysWow64\CmdLineExt03.dll
2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-08-29 22:08:17 419840 ----a-w- C:\Windows\System32\systemcpl.dll
2010-08-29 22:08:17 14848 ----a-w- C:\Windows\System32\slwga.dll
2010-08-29 22:08:17 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-08-29 22:08:16 833024 ----a-w- C:\Windows\SysWow64\user32.dll
2010-08-29 22:08:16 1008640 ----a-w- C:\Windows\System32\user32.dll
2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-26 05:27:28 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-08-26 04:39:58 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-08-25 04:28:08 4014 ----a-w- C:\STF4D1D.tmp
2010-08-25 03:38:51 3942 ----a-w- C:\STF319F.tmp
2010-08-25 01:26:34 4230 ----a-w- C:\STF163F.tmp
2010-08-25 00:06:49 4230 ----a-w- C:\STFF3B.tmp
2010-08-24 23:33:52 4230 ----a-w- C:\STFE5F8.tmp
2010-08-24 20:16:18 488960 ----a-w- C:\Windows\System32\pythoncom26.dll
2010-08-24 20:16:18 137216 ----a-w- C:\Windows\System32\pywintypes26.dll
2010-08-24 20:15:30 2774016 ----a-w- C:\Windows\System32\python26.dll
2010-08-23 15:36:00 5052 ----a-w- C:\STF7ECF.tmp
2010-08-23 15:02:40 4084 ----a-w- C:\STFF87F.tmp

============= FINISH: 11:34:03.62 ===============

The infection occurred on 2010-11-12, if that helps. If anyone can provide any information or guidance, please let me know. Thanks in advance!

Also attached are ark.txt and Attach.txt.

Archive.zip


Hi,

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


Adding these as attachments as they seem too large to paste.

After seeing:

FF - user.js..browser.search.selectedEngine: "Search"
FF - user.js..browser.search.order.1: "Search"
FF - user.js..keyword.URL: "http://search.mywebstart.net/?sid=10101070100&s="

I went to about:config and reset that setting, but Chrome and IE still seem to lock up when run, and the permissions on this account seem to be altered in an odd way. Lots of permissions seem to be turned off for this user despite being an administrator. Is there an easy way to reset these?

OTL.txt

Extras.txt

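The user.js lines quoted above, together with the orphaned HKU Run entry, the O6/O7 policy restrictions and the Winlogon Shell entry pointing at hotfix.exe in the OTL log reposted later in this thread, are the kind of indicators a helper picks out of a log by eye. As an added example that is not part of this thread, of OTL, or of Malwarebytes, here is a small Python triage script that applies those checks to OTL-style lines. The sample lines are copied from the log in this thread; the allowlist of search hosts, the table of tampered policy values, and the function and variable names are assumptions of this example, not OTL's own rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied verbatim from the OTL log posted in this thread.
SAMPLE_LOG = r"""
FF - user.js..browser.search.selectedEngine: "Search"
FF - user.js..keyword.URL: "http://search.mywebstart.net/?sid=10101070100&s="
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-18..\Run: [uPc+kt0NrqPJsiv] C:\Windows\SysWow64\ojzbhhvx5.DLL File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\SysWow64\config\systemprofile\AppData\Roaming\hotfix.exe File not found
"""

# Assumption: search hosts a user would normally have in keyword.URL; anything else is reviewed.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Assumption: (policy area, value name) -> data that indicates the policy was set to lock
# the user out. NoDriveTypeAutoRun is deliberately absent: 145 (0x91) is a hardening value.
TAMPERED_POLICIES = {
    ("System", "DisableRegistryTools"): "1",
    ("Explorer", "NoFolderOptions"): "1",
    ("System", "EnableLUA"): "0",
}

# Regexes for the OTL line shapes used in this thread.
RE_FF_KEYWORD = re.compile(r'^FF - user\.js\.\.keyword\.URL: "(?P<url>[^"]+)"')
RE_O4_RUN = re.compile(r'^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$')
RE_POLICY = re.compile(r'^O[67] - (?P<key>\S+\\policies\\(?P<area>Explorer|System)): (?P<value>\w+) = (?P<data>\S+)$')
RE_O20_SHELL = re.compile(r'^O20(?::64bit:)? - (?P<hive>.+?) Winlogon: Shell - \((?P<shell>[^)]+)\)')


def scan_otl(text):
    """Return a list of (category, detail) findings for OTL-style log lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_FF_KEYWORD.match(line)
        if m:
            # Firefox address-bar search redirected to a host that is not a known engine.
            host = urlparse(m.group("url")).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("ff_keyword_hijack", host))
            continue
        m = RE_O4_RUN.match(line)
        if m:
            # An autorun value whose target no longer exists: leftover of a removed payload.
            if m.group("target").endswith("File not found"):
                findings.append(("orphaned_run_entry", m.group("name")))
            continue
        m = RE_POLICY.match(line)
        if m:
            # Policy values that disable regedit, Folder Options or UAC.
            if TAMPERED_POLICIES.get((m.group("area"), m.group("value"))) == m.group("data"):
                findings.append(("restrictive_policy", m.group("key") + "\\" + m.group("value")))
            continue
        m = RE_O20_SHELL.match(line)
        if m:
            # Winlogon Shell should be explorer.exe; anything else is a shell hijack.
            shell = m.group("shell")
            if shell.lower().rsplit("\\", 1)[-1] != "explorer.exe":
                findings.append(("winlogon_shell", m.group("hive") + ": " + shell))
    return findings


if __name__ == "__main__":
    for category, detail in scan_otl(SAMPLE_LOG):
        print(f"{category:20s} {detail}")
```

Run against the sample it reports the mywebstart keyword hijack, the orphaned `uPc+kt0NrqPJsiv` Run value, the three lockout policies and the hotfix.exe shell, and stays silent on the AVG Run entry, the HKLM explorer.exe shell and the NoDriveTypeAutoRun hardening value. The output is a triage list, not a verdict: each hit still has to be checked against the live registry (and the HKU hives it names) before any fix is applied.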

Hi,

It's easier for me to read logs when they're posted, so:

OTL logfile created on: 11/21/2010 3:42:40 PM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\max\Downloads

64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 34.00% Memory free

8.00 Gb Paging File | 5.00 Gb Available in Paging File | 64.00% Paging File free

Paging file location(s): m:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 74.53 Gb Total Space | 3.09 Gb Free Space | 4.15% Space Free | Partition Type: NTFS

Drive F: | 931.52 Gb Total Space | 293.05 Gb Free Space | 31.46% Space Free | Partition Type: NTFS

Drive G: | 7.85 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive M: | 1564.99 Gb Total Space | 675.10 Gb Free Space | 43.14% Space Free | Partition Type: NTFS

Drive Z: | 294.97 Gb Total Space | 94.82 Gb Free Space | 32.14% Space Free | Partition Type: NTFS

Computer Name: ZOMG | User Name: max | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/21 15:40:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\max\Downloads\OTL.exe

PRC - [2010/11/20 12:45:10 | 004,997,392 | ---- | M] () -- C:\Program Files (x86)\NewsLeecher\newsLeecher.exe

PRC - [2010/11/09 09:19:46 | 002,069,856 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgtray.exe

PRC - [2010/10/28 09:10:33 | 012,487,856 | ---- | M] (Mozilla Messaging) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe

PRC - [2010/09/19 23:00:00 | 002,246,496 | ---- | M] (Cerulean Studios) -- C:\Program Files (x86)\Trillian\trillian.exe

PRC - [2010/09/18 09:16:16 | 000,493,144 | ---- | M] (PacketVideo) -- C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe

PRC - [2010/09/18 09:16:14 | 000,595,544 | ---- | M] (PacketVideo) -- C:\Program Files (x86)\TwonkyMedia\twonkymediaserverconfig.exe

PRC - [2010/09/18 09:16:12 | 001,431,128 | ---- | M] () -- C:\Program Files (x86)\TwonkyMedia\twonkymediaserver.exe

PRC - [2010/08/31 23:26:04 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe

PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/07/20 00:48:01 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/04/26 17:21:53 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe

PRC - [2010/04/15 03:17:14 | 000,427,328 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe

PRC - [2010/04/15 03:16:48 | 000,288,064 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe

PRC - [2009/10/25 11:49:28 | 003,661,312 | ---- | M] () -- C:\Program Files (x86)\Workrave\lib\Workrave.exe

PRC - [2009/10/07 00:47:22 | 000,125,464 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

PRC - [2009/09/29 08:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

PRC - [2009/03/13 13:13:13 | 001,058,816 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\DU Meter\DUMeter.exe

PRC - [2009/03/13 13:13:13 | 000,504,832 | ---- | M] (Hagel Technologies Ltd.) -- C:\Program Files (x86)\DU Meter\DUMeterSvc.exe

PRC - [2008/01/07 15:35:08 | 000,049,152 | ---- | M] () -- C:\Program Files (x86)\gAlwaysIdle\gidle.exe

PRC - [2007/12/18 07:49:40 | 000,757,760 | ---- | M] (Giganews, Inc.) -- C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe

PRC - [2007/01/01 16:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Program Files (x86)\Google\Google Talk\googletalk.exe

========== Modules (SafeList) ==========

MOD - [2010/11/21 15:40:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\max\Downloads\OTL.exe

MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

MOD - [2009/07/13 20:15:31 | 000,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll

MOD - [2009/07/13 20:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)

SRV:64bit: - [2009/12/23 11:37:28 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)

SRV:64bit: - [2009/10/07 00:47:10 | 000,191,000 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)

SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV:64bit: - [2007/05/06 17:11:38 | 000,112,128 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\SysNative\stacsv64.exe -- (STacSV)

SRV - [2010/09/18 09:16:16 | 000,493,144 | ---- | M] (PacketVideo) [Auto | Running] -- C:\Program Files (x86)\TwonkyMedia\twonkymediaserverwatchdog.exe -- (TwonkyMedia)

SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/07/20 00:48:01 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/03/10 17:19:52 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)

SRV - [2009/11/06 12:24:54 | 000,282,728 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe -- (UpdateCenterService)

SRV - [2009/11/06 12:13:20 | 000,276,584 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)

SRV - [2009/10/29 12:27:56 | 001,767,816 | ---- | M] (LogMeIn Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)

SRV - [2009/09/29 08:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2009/07/16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2009/03/13 13:13:13 | 000,504,832 | ---- | M] (Hagel Technologies Ltd.) [Auto | Running] -- C:\Program Files (x86)\DU Meter\DUMeterSvc.exe -- (DUMeterSvc)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/10/15 12:27:22 | 000,828,912 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)

DRV:64bit: - [2010/07/20 00:48:34 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)

DRV:64bit: - [2010/07/20 00:48:34 | 000,035,536 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (AvgMfx64)

DRV:64bit: - [2010/06/21 17:07:36 | 000,131,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)

DRV:64bit: - [2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2010/04/19 19:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)

DRV:64bit: - [2010/04/19 19:29:18 | 000,022,528 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netaapl64.sys -- (Netaapl)

DRV:64bit: - [2010/02/24 05:20:40 | 000,191,616 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\acedrv11.sys -- (acedrv11)

DRV:64bit: - [2009/12/30 11:21:24 | 000,031,800 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\revoflt.sys -- (Revoflt)

DRV:64bit: - [2009/11/23 17:38:00 | 000,016,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LGVirHid.sys -- (LGVirHid)

DRV:64bit: - [2009/11/23 17:37:50 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)

DRV:64bit: - [2009/10/07 07:49:28 | 006,379,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) QuickCam Orbit/Sphere MP(UVC)

DRV:64bit: - [2009/10/07 07:48:08 | 000,067,992 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvsels64.sys -- (lvsels64)

DRV:64bit: - [2009/10/07 07:47:46 | 000,327,704 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)

DRV:64bit: - [2009/10/07 07:45:38 | 000,271,640 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvpopf64.sys -- (lvpopf64)

DRV:64bit: - [2009/10/07 00:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2Mon)

DRV:64bit: - [2009/10/07 00:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2M64)

DRV:64bit: - [2009/09/23 09:42:58 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)

DRV:64bit: - [2009/09/15 12:59:30 | 000,042,088 | ---- | M] (NVIDIA Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvoclk64.sys -- (nvoclk64)

DRV:64bit: - [2009/08/20 18:20:18 | 000,356,096 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)

DRV:64bit: - [2009/08/20 18:20:18 | 000,187,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)

DRV:64bit: - [2009/08/20 18:20:18 | 000,092,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)

DRV:64bit: - [2009/08/20 18:20:18 | 000,063,488 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)

DRV:64bit: - [2009/08/13 22:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)

DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/07/13 19:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)

DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2009/03/11 13:13:18 | 000,198,400 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmuvc.sys -- (VMUVC)

DRV:64bit: - [2008/07/01 10:14:42 | 000,303,616 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vvftUVC.sys -- (vvftUVC)

DRV:64bit: - [2008/02/02 23:42:12 | 000,056,016 | ---- | M] (Pangolin Laser Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fb3se_x64.sys -- (FB3SE)

DRV:64bit: - [2007/05/06 17:12:02 | 000,388,096 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA) SigmaTel High Definition Audio CODEC (for 64-bit Windows)

DRV - [2010/07/03 16:59:57 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- f:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys -- (RivaTuner64)

DRV - [2010/06/06 22:56:10 | 000,014,648 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\MSI Afterburner\RTCore64.sys -- (RTCore64)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 C4 6A D0 A4 85 CB 01 [binary data]

IE - HKU\S-1-5-21-456137812-39962766-3807279241-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-456137812-39962766-3807279241-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5

FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.2

FF - user.js..browser.search.selectedEngine: "Search"

FF - user.js..browser.search.order.1: "Search"

FF - user.js..keyword.URL: "http://search.mywebstart.net/?sid=10101070100&s="

FF - HKLM\software\mozilla\Firefox\Extensions\\{1D3E9598-68D1-4924-A742-1F1FED21C800}: C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800}\ [2010/11/12 06:35:28 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/10/22 08:19:52 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/10/22 08:43:58 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/10/28 09:10:33 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2009/12/22 10:58:30 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Extensions

[2009/12/22 10:58:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\max\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010/06/20 13:53:22 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\bnha51iy.default\extensions

[2010/06/20 13:53:22 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\bnha51iy.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}

[2010/02/17 15:33:01 | 000,000,000 | ---D | M] (Charles Autoconfiguration) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\bnha51iy.default\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}

[2009/12/21 22:14:55 | 000,000,000 | ---D | M] (FEBE) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\bnha51iy.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

[2010/11/15 23:14:07 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (Session Manager) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

[2010/05/29 04:49:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/09/02 21:20:30 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (Charles Autoconfiguration) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}

[2010/05/30 00:01:14 | 000,000,000 | ---D | M] (FEBE) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (View Source Chart) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{68836a21-fc7d-4ea1-a065-7efabd99d414}

[2010/11/12 10:25:27 | 000,000,000 | ---D | M] (MeasureIt) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}

[2010/03/14 20:12:08 | 000,000,000 | ---D | M] (Live HTTP Headers) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (Pearl Crescent Page Saver Basic) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{c151d79e-e61b-4a90-a887-5a46d38fba99}

[2009/12/21 22:19:22 | 000,000,000 | ---D | M] (Web Developer) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

[2010/03/31 00:37:50 | 000,000,000 | ---D | M] (APNG Edit) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{d95e614b-c28e-43af-a326-ca590e18abd6}

[2010/03/24 16:18:02 | 000,000,000 | ---D | M] (Memory Fox) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}

[2010/05/29 04:49:33 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2009/12/21 22:19:02 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\en-US@dictionaries.addons.mozilla.org

[2010/05/29 04:49:30 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\firebug@software.joehewitt.com

[2010/11/12 10:25:26 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\firecookie@janodvarko.cz

[2010/11/12 10:25:27 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\jsonview@brh.numbera.com

[2009/12/21 22:18:56 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.max\extensions\ramback@pavlov.net

[2010/11/15 23:14:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2010/05/27 07:53:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/08/31 01:16:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/09/08 18:48:24 | 000,064,392 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll

[2010/07/17 04:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

[2010/07/12 11:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

[2010/04/26 17:21:54 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/04/26 17:21:54 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/04/26 17:21:54 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/11/08 06:17:56 | 000,002,212 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\websearch.xml

[2010/04/26 17:21:54 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/11/19 09:12:48 | 000,001,717 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 activate.adobe.com

O1 - Hosts: 127.0.0.1 practivate.adobe.com

O1 - Hosts: 127.0.0.1 ereg.adobe.com

O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com

O1 - Hosts: 127.0.0.1 wip3.adobe.com

O1 - Hosts: 127.0.0.1 3dns-3.adobe.com

O1 - Hosts: 127.0.0.1 3dns-2.adobe.com

O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com

O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com

O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com

O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com

O1 - Hosts: 127.0.0.1 activate-sea.adobe.com

O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com

O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com

O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com

O1 - Hosts: 127.0.0.1 genuine.microsoft.com

O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com

O1 - Hosts: 127.0.0.1 sls.microsoft.com

O1 - Hosts: 127.0.0.1 static3.cdn.ubi.com

O1 - Hosts: 127.0.0.1 ubisoft-orbit.s3.amazonaws.com

O1 - Hosts: 127.0.0.1 onlineconfigservice.ubi.com

O1 - Hosts: 127.0.0.1 orbitservice.ubi.com

O1 - Hosts: 127.0.0.1 ubisoft-orbit-savegames.s3.amazonaws.com

O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - F:\program files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.

O4:64bit: - HKLM..\Run: [Giganews] C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe (Giganews, Inc.)

O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [gidle] C:\Program Files (x86)\gAlwaysIdle\gidle.exe ()

O4 - HKLM..\Run: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe (Google)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKU\.DEFAULT..\Run: [uPc+kt0NrqPJsiv] C:\Windows\SysWow64\ojzbhhvx5.DLL File not found

O4 - HKU\S-1-5-18..\Run: [uPc+kt0NrqPJsiv] C:\Windows\SysWow64\ojzbhhvx5.DLL File not found

O4 - HKU\S-1-5-19..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-21-456137812-39962766-3807279241-1000..\Run: [DAEMON Tools Pro Agent] C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe (DT Soft Ltd)

O4 - HKU\S-1-5-21-456137812-39962766-3807279241-1000..\Run: [DU Meter] C:\Program Files (x86)\DU Meter\DUMeter.exe (Hagel Technologies Ltd.)

O4 - HKU\S-1-5-21-456137812-39962766-3807279241-1000..\Run: [Workrave] C:\Program Files (x86)\Workrave\lib\Workrave.exe ()

O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found

O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found

O4 - Startup: C:\Users\max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe (Cerulean Studios)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AlwaysShowClassicMenu = 1

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O15 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O15 - HKU\S-1-5-21-456137812-39962766-3807279241-1000\..Trusted Domains: rga.com ([rose] https in Trusted sites)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O20:64bit: - AppInit_DLLs: (avgrssta.dll) - C:\Windows\SysNative\avgrssta.dll (AVG Technologies CZ, s.r.o.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\SysWow64\config\systemprofile\AppData\Roaming\hotfix.exe File not found

O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\SysWow64\config\systemprofile\AppData\Roaming\hotfix.exe File not found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/08/05 00:12:23 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]

O32 - AutoRun File - [2010/10/28 10:08:55 | 000,444,176 | R--- | M] (Electronic Arts) - G:\AutoRun.exe -- [ CDFS ]

O32 - AutoRun File - [2010/10/28 10:08:55 | 000,000,000 | ---D | M] - G:\Autorun -- [ CDFS ]

O32 - AutoRun File - [2010/10/28 10:08:55 | 015,447,040 | R--- | M] () - G:\autorun.dat -- [ CDFS ]

O32 - AutoRun File - [2010/10/28 10:08:55 | 000,000,161 | R--- | M] () - G:\autorun.inf -- [ CDFS ]

O33 - MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\Shell - "" = AutoRun

O33 - MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2010/10/28 10:08:55 | 000,444,176 | R--- | M] (Electronic Arts)

O33 - MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\Shell - "" = AutoRun

O33 - MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\Shell\AutoRun\command - "" = G:\MafiaLauncher.EXE -- File not found

O33 - MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\Shell - "" = AutoRun

O33 - MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\Shell\AutoRun\command - "" = G:\setup.exe -- File not found

O33 - MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\Shell - "" = AutoRun

O33 - MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\Shell\AutoRun\command - "" = E:\install.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32:64bit: VIDC.FPS1 - frapsv64.dll (Beepa P/L)

Drivers32:64bit: vidc.i420 - lvcod64.dll (Logitech Inc.)

Drivers32:64bit: vidc.x264 - x264vfw64.dll ()

Drivers32: msacm.ac3filter - C:\Windows\SysWow64\ac3filter.acm ()

Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

Drivers32: VIDC.FFDS - C:\Windows\SysWow64\ff_vfw.dll ()

Drivers32: VIDC.FPS1 - C:\Windows\SysWow64\frapsvid.dll (Beepa P/L)

Drivers32: vidc.i420 - C:\Windows\SysWow64\lvcodec2.dll (Logitech Inc.)

Drivers32: vidc.x264 - C:\Windows\SysWow64\x264vfw.dll ()

Drivers32: vidc.XVID - C:\Windows\SysWow64\xvidvfw.dll ()

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/11/21 13:15:37 | 000,000,000 | ---D | C] -- C:\Users\max\Documents\Criterion Games

[2010/11/21 13:15:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts

[2010/11/21 13:15:36 | 000,000,000 | ---D | C] -- C:\ProgramData\EA Core

[2010/11/21 13:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Solidshield

[2010/11/19 11:55:06 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW

[2010/11/19 11:19:55 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Roaming\GetRightToGo

[2010/11/19 08:58:03 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Local\VirtualStore

[2010/11/16 02:47:32 | 000,000,000 | ---D | C] -- C:\Python27

[2010/11/12 15:43:14 | 000,000,000 | ---D | C] -- C:\Users\max\Documents\MCEdit-schematics

[2010/11/12 15:42:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MCEdit

[2010/11/12 13:37:47 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Local\Activision

[2010/11/12 09:51:35 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357}

[2010/11/09 23:15:53 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Roaming\BOXEE

[2010/11/09 23:15:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Boxee

[2010/11/07 13:59:07 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

[2010/11/07 13:59:07 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Roaming\Adobe Mini Bridge CS5

[2010/11/06 23:17:11 | 000,000,000 | ---D | C] -- C:\Users\max\Logitech

[2010/11/06 23:16:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Remote Control Software Common

[2010/11/06 23:16:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Remote Control USB Driver

[2010/10/28 02:42:32 | 000,000,000 | ---D | C] -- C:\Windows\rescache

[2010/10/26 00:36:43 | 000,000,000 | ---D | C] -- C:\Users\max\Documents\Australia

[9 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[7 C:\*.tmp files -> C:\*.tmp -> ]

[4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/21 15:26:01 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/11/21 15:05:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-456137812-39962766-3807279241-1000UA.job

[2010/11/21 13:57:24 | 001,056,768 | ---- | M] () -- C:\Windows\SysNative\defltbase.sdb

[2010/11/21 13:48:33 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/11/21 12:54:49 | 000,739,918 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/11/21 12:54:49 | 000,638,922 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/11/21 12:54:49 | 000,115,354 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/11/21 12:50:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/11/21 08:38:34 | 067,915,334 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm

[2010/11/20 22:58:23 | 000,000,955 | ---- | M] () -- C:\Users\max\Application Data\Microsoft\Internet Explorer\Quick Launch\NewsLeecher.lnk

[2010/11/20 22:58:23 | 000,000,931 | ---- | M] () -- C:\Users\max\Desktop\NewsLeecher.lnk

[2010/11/20 21:05:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-456137812-39962766-3807279241-1000Core.job

[2010/11/19 11:31:43 | 000,013,120 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010/11/19 11:31:43 | 000,013,120 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010/11/19 11:03:57 | 000,000,999 | ---- | M] () -- C:\Users\max\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk

[2010/11/19 11:03:56 | 000,000,975 | ---- | M] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk

[2010/11/19 10:06:07 | 000,064,674 | ---- | M] () -- C:\isettings.reg

[2010/11/19 09:12:48 | 000,001,717 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2010/11/19 00:29:36 | 000,490,232 | ---- | M] () -- C:\HelpAsst_mebroot_fix.exe

[2010/11/19 00:28:36 | 000,002,345 | ---- | M] () -- C:\Users\max\Desktop\Google Chrome.lnk

[2010/11/19 00:27:45 | 000,002,258 | ---- | M] () -- C:\Users\max\Desktop\Chromium.lnk

[2010/11/18 23:07:13 | 000,002,000 | -H-- | M] () -- C:\Users\max\Documents\Default.rdp

[2010/11/12 16:11:41 | 000,001,106 | ---- | M] () -- C:\Users\max\Documents\mcedit.ini

[2010/11/12 15:42:55 | 000,002,022 | ---- | M] () -- C:\Users\Public\Desktop\MCEdit.lnk

[2010/11/12 07:04:51 | 001,228,854 | ---- | M] () -- C:\0.000000sqwr.bmp

[2010/11/06 23:17:10 | 000,002,343 | ---- | M] () -- C:\Users\Public\Desktop\Logitech Harmony Remote Software 7.lnk

[2010/11/05 00:10:28 | 000,001,456 | ---- | M] () -- C:\Users\max\AppData\Local\Adobe Save for Web 12.0 Prefs

[2010/11/05 00:02:34 | 000,101,200 | ---- | M] () -- C:\Users\max\Desktop\2194956917_3057c2463a_z.jpg

[2010/11/01 22:14:44 | 000,716,089 | ---- | M] () -- C:\Users\max\Desktop\152nmee.jpg

[2010/10/28 15:28:43 | 000,000,426 | ---- | M] () -- C:\Windows\BRWMARK.INI

[2010/10/28 15:28:43 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\BD7820N.DAT

[2010/10/25 21:03:36 | 000,000,600 | ---- | M] () -- C:\Users\max\AppData\Roaming\winscp.rnd

[2010/10/25 17:34:28 | 000,001,316 | ---- | M] () -- C:\Users\max\Documents\cwh_0

[2010/10/24 14:00:09 | 000,000,920 | ---- | M] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk

[9 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[7 C:\*.tmp files -> C:\*.tmp -> ]

[4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/21 13:56:14 | 001,056,768 | ---- | C] () -- C:\Windows\SysNative\defltbase.sdb

[2010/11/19 10:06:07 | 000,064,674 | ---- | C] () -- C:\isettings.reg

[2010/11/19 00:29:34 | 000,490,232 | ---- | C] () -- C:\HelpAsst_mebroot_fix.exe

[2010/11/12 07:04:51 | 001,228,854 | ---- | C] () -- C:\0.000000sqwr.bmp

[2010/11/07 01:47:43 | 007,562,120 | ---- | C] () -- C:\Users\max\Documents\license.psd

[2010/11/07 01:24:31 | 000,000,000 | ---- | C] () -- C:\Users\max\Sti_Trace.log

[2010/11/06 23:17:10 | 000,002,343 | ---- | C] () -- C:\Users\Public\Desktop\Logitech Harmony Remote Software 7.lnk

[2010/11/05 00:10:27 | 000,389,868 | ---- | C] () -- C:\Users\max\Desktop\sheila_chicken.jpg

[2010/11/05 00:02:34 | 000,101,200 | ---- | C] () -- C:\Users\max\Desktop\2194956917_3057c2463a_z.jpg

[2010/11/01 22:14:25 | 000,716,089 | ---- | C] () -- C:\Users\max\Desktop\152nmee.jpg

[2010/10/25 20:35:06 | 000,001,316 | ---- | C] () -- C:\Users\max\Documents\cwh_0

[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

[2010/09/06 14:22:57 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CmdLineExt03.dll

[2010/08/27 10:13:11 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI

[2010/08/11 09:17:17 | 000,000,091 | ---- | C] () -- C:\Users\max\AppData\Local\fusioncache.dat

[2010/08/08 13:37:26 | 000,001,456 | ---- | C] () -- C:\Users\max\AppData\Local\Adobe Save for Web 12.0 Prefs

[2010/07/18 02:09:21 | 000,000,083 | ---- | C] () -- C:\Users\max\AppData\Local\X-Plane Installer.prf

[2010/07/18 02:06:11 | 000,000,035 | ---- | C] () -- C:\Users\max\AppData\Local\x-plane_install.txt

[2010/07/03 19:37:21 | 000,000,662 | ---- | C] () -- C:\Program Files (x86)\STEAM.lnk

[2010/06/18 14:44:27 | 000,003,584 | ---- | C] () -- C:\Users\max\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/11 18:46:16 | 001,970,176 | ---- | C] () -- C:\Windows\SysWow64\d3dx9.dll

[2010/05/26 13:37:56 | 000,000,612 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010/05/16 02:19:24 | 000,000,704 | ---- | C] () -- C:\Users\max\AppData\Roaming\myMPQ.ini

[2010/03/16 13:49:18 | 000,000,218 | ---- | C] () -- C:\Windows\iepreview.ini

[2010/01/02 18:03:58 | 000,000,043 | ---- | C] () -- C:\Windows\Aurora Media Workshop.INI

[2009/12/31 16:24:05 | 000,000,254 | ---- | C] () -- C:\Windows\Brpfx04a.ini

[2009/12/31 16:24:05 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini

[2009/12/31 16:23:53 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI

[2009/12/29 11:07:45 | 000,735,986 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2009/12/24 00:20:43 | 000,000,011 | ---- | C] () -- C:\ProgramData\.tv5

[2009/12/22 14:25:39 | 000,007,665 | ---- | C] () -- C:\Users\max\AppData\Local\resmon.resmoncfg

[2009/12/22 12:58:49 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini

[2009/12/22 10:38:48 | 000,000,600 | ---- | C] () -- C:\Users\max\AppData\Roaming\winscp.rnd

[2009/12/21 22:04:13 | 000,000,990 | ---- | C] () -- C:\Users\max\AppData\Local\7F68A003.il

[2009/12/21 22:04:13 | 000,000,832 | ---- | C] () -- C:\Users\max\AppData\Local\IndexIE_7F68A003.il

[2009/09/09 21:48:52 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll

[2009/07/29 01:35:54 | 002,378,752 | ---- | C] () -- C:\Windows\SysWow64\x264vfw.dll

[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2009/05/29 16:52:26 | 000,204,800 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll

[2009/05/29 16:47:06 | 000,881,664 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll

[2007/09/04 12:56:10 | 000,164,352 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll

[2007/02/05 20:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI

[2004/02/20 15:36:34 | 000,416,256 | ---- | C] () -- C:\Windows\exchndl.dll

[2002/08/07 18:11:30 | 000,319,488 | R--- | C] () -- C:\Users\max\AppData\Roaming\MafiaSetup.exe

========== LOP Check ==========

[2010/11/10 13:19:23 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\.minecraft

[2010/10/19 23:49:02 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\acccore

[2010/09/14 23:26:40 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Amazon

[2010/06/26 11:42:06 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Ascaron Entertainment

[2010/08/05 00:15:49 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Autodesk

[2010/07/19 21:16:03 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Avanquest

[2010/08/21 19:56:04 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Bioshock2

[2010/11/09 23:15:53 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\BOXEE

[2010/09/15 08:55:58 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\calibre

[2010/02/17 15:46:22 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Charles

[2010/06/03 20:13:54 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Command and Conquer 4

[2009/12/22 14:23:10 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\DAEMON Tools Pro

[2010/06/20 15:38:00 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\DisplayFusion

[2010/09/14 23:12:03 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\EurekaLog

[2009/12/23 11:51:02 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Extensis

[2010/11/19 11:20:17 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\GetRightToGo

[2010/06/18 16:04:02 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Golly

[2009/12/22 11:33:49 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Helios

[2010/06/21 08:32:01 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\ImgBurn

[2010/05/12 15:56:56 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Juniper Networks

[2010/09/15 23:42:18 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Kalypso Media

[2010/06/20 15:20:54 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\KeePass

[2010/08/21 12:25:42 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Launchy

[2010/04/28 23:21:55 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Leadertech

[2010/09/06 19:21:01 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\LucasArts

[2009/12/24 13:11:08 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\MainType

[2009/12/26 20:17:05 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\MusicBrainz

[2010/09/13 08:58:23 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Need for Speed World

[2010/11/20 23:39:15 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\NewsLeecher

[2009/12/22 10:26:15 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\NewsLeecher_orig

[2009/12/22 11:05:10 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\OpenOffice.org

[2010/02/07 17:14:00 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Opera

[2010/08/04 22:54:42 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Propellerhead Software

[2010/06/20 15:10:24 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Rainmeter

[2010/01/03 12:20:28 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\River Past G5

[2010/02/14 19:42:37 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Scooter Software

[2010/11/07 13:59:07 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

[2010/06/12 13:41:04 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Subversion

[2009/12/23 21:10:10 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\TeraCopy

[2009/12/22 10:58:30 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Thunderbird

[2010/09/28 18:19:23 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\treasurechest

[2009/12/21 22:47:40 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Trillian

[2010/10/08 15:00:39 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Tropico 3

[2010/05/15 21:59:02 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Tropico3

[2010/04/11 20:32:18 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Ubisoft

[2010/11/02 08:55:44 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\uTorrent

[2009/12/21 22:37:42 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\VanDyke

[2010/04/03 22:41:15 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\vimeo.Duplo.3E2F2984357E7A95AE95C69EF2C5C14640284048.1

[2010/05/31 13:18:03 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\VS Revo Group

[2009/12/22 12:29:45 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\Workrave

[2009/12/22 10:59:58 | 000,000,000 | ---D | M] -- C:\Users\max\AppData\Roaming\XnView

[2010/11/12 03:46:25 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2010/11/12 07:04:51 | 001,228,854 | ---- | M] () -- C:\0.000000sqwr.bmp

[2010/08/30 22:12:01 | 000,169,504 | ---- | M] () -- C:\15594700900-0830-224453-297.wav

[2009/08/29 17:54:08 | 000,000,986 | ---- | M] () -- C:\7F68A003.il

[2010/04/24 20:10:13 | 000,489,586 | ---- | M] () -- C:\a7fa9ceb26a3f5ffcaebbed9c0e5a2c0.m4r

[2010/11/19 11:52:46 | 000,004,329 | ---- | M] () -- C:\ark.txt

[2010/11/19 11:37:57 | 000,017,933 | ---- | M] () -- C:\Attach.txt

[2009/08/20 18:20:11 | 000,383,592 | RHS- | M] () -- C:\bootmgr

[2009/12/22 00:49:53 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK

[2010/10/19 22:22:19 | 000,089,458 | ---- | M] () -- C:\com.kairosoft.gm08E.plist

[2010/11/19 11:37:49 | 000,020,268 | ---- | M] () -- C:\DDS.txt

[2010/05/02 20:13:50 | 005,322,254 | ---- | M] () -- C:\gemini.rle

[2009/08/05 07:07:38 | 000,171,136 | RHS- | M] () -- C:\grldr

[2009/08/29 17:54:08 | 000,000,832 | ---- | M] () -- C:\IndexIE_7F68A003.il

[2010/10/15 00:22:23 | 000,000,360 | -H-- | M] () -- C:\IPH.PH

[2010/11/19 10:06:07 | 000,064,674 | ---- | M] () -- C:\isettings.reg

[2010/07/03 21:50:30 | 000,000,000 | R--- | M] () -- C:\logwmemory.bin

[2010/08/31 17:40:08 | 000,000,993 | ---- | M] () -- C:\myrsacert.pem

[2010/09/13 08:35:28 | 000,000,887 | ---- | M] () -- C:\myrsakey.pem

[2010/11/12 03:39:03 | 1967,931,392 | -HS- | M] () -- C:\pagefile.sys

[2009/12/21 22:03:07 | 000,012,093 | ---- | M] () -- C:\Win7_Software_Setup_Log_2009.12.21_22.00.08.txt

[7 C:\*.tmp files -> C:\*.tmp -> ]

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< End of report >


Hi,

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    FF - user.js..browser.search.selectedEngine: "Search"
    FF - user.js..browser.search.order.1: "Search"
    FF - user.js..keyword.URL: "http://search.mywebstart.net/?sid=10101070100&s="
    FF - HKLM\software\mozilla\Firefox\Extensions\\{1D3E9598-68D1-4924-A742-1F1FED21C800}: C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800}\ [2010/11/12 06:35:28 | 000,000,000 | ---D | M]
    [2010/11/08 06:17:56 | 000,002,212 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\websearch.xml
    O4 - HKU\.DEFAULT..\Run: [uPc+kt0NrqPJsiv] C:\Windows\SysWow64\ojzbhhvx5.DLL File not found
    O4 - HKU\S-1-5-18..\Run: [uPc+kt0NrqPJsiv] C:\Windows\SysWow64\ojzbhhvx5.DLL File not found
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\SysWow64\config\systemprofile\AppData\Roaming\hotfix.exe File not found
    O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\SysWow64\config\systemprofile\AppData\Roaming\hotfix.exe File not found
    O33 - MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2010/10/28 10:08:55 | 000,444,176 | R--- | M] (Electronic Arts)
    O33 - MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\Shell - "" = AutoRun
    O33 - MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\Shell\AutoRun\command - "" = G:\MafiaLauncher.EXE -- File not found
    O33 - MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\Shell - "" = AutoRun
    O33 - MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\Shell\AutoRun\command - "" = G:\setup.exe -- File not found
    O33 - MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\Shell - "" = AutoRun
    O33 - MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\Shell\AutoRun\command - "" = E:\install.exe -- File not found
    [2010/11/12 09:51:35 | 000,000,000 | ---D | C] -- C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357}
    [9 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [7 C:\*.tmp files -> C:\*.tmp -> ]
    [4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

    :Services

    :Reg

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

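The OTL fix above removes a Winlogon Shell entry in the .DEFAULT/S-1-5-18 hives, two restriction policies, an orphaned Run value and a Firefox user.js that forces the search engine. As an added example that is not part of the thread or of the OTL tool, here is a read-only PowerShell audit of those same locations; it assumes an elevated 64-bit PowerShell on Windows 7 or later, the registry paths come from the log above, and the function names are my own.

```powershell
# Added example, not from the thread or from OTL/Malwarebytes: a read-only
# audit of the persistence points the OTL fix removed. Changes nothing.
# Assumes an elevated 64-bit PowerShell so all hives and the native
# registry view are visible.

# Registry provider metadata properties to skip when enumerating Run values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function New-Finding {
    param([string]$Location, [string]$Value, [string]$Reason)
    New-Object PSObject -Property @{ Location = $Location; Value = $Value; Reason = $Reason }
}

# Reduces a Run/Shell value such as '"C:\x y\a.exe" /q' or 'explorer.exe' to
# the file it would launch, so its existence can be checked.
function Resolve-CommandFile {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $file = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } else {
        $file = ($c -split '\s+')[0]
    }
    $file = [Environment]::ExpandEnvironmentVariables($file)
    if (-not [IO.Path]::IsPathRooted($file)) {
        # Bare names like explorer.exe are resolved through the search path.
        $app = Get-Command $file -CommandType Application -ErrorAction SilentlyContinue
        if ($app) { $file = @($app)[0].Path }
    }
    return $file
}

function Get-WinlogonShellFindings {
    foreach ($h in 'HKEY_LOCAL_MACHINE', 'HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-18') {
        $key = "Registry::$h\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $p = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }   # no Shell value: the default shell is used
        # Winlogon needs nothing but explorer.exe here; the log's hotfix.exe
        # value under HKU\.DEFAULT is exactly what this catches.
        if ($p.Shell -ne 'explorer.exe') {
            New-Finding "$h\...\Winlogon\Shell" $p.Shell 'Shell is not explorer.exe'
        }
    }
}

function Get-PolicyFindings {
    $checks = @(@{ Sub = 'Explorer'; Name = 'NoFolderOptions' },
                @{ Sub = 'System';   Name = 'DisableRegistryTools' })
    foreach ($h in 'HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-18', 'HKEY_CURRENT_USER') {
        foreach ($c in $checks) {
            $key = "Registry::$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\$($c.Sub)"
            $p = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
            if ($p -and $p.($c.Name) -ne 0) {
                New-Finding "$h\...\Policies\$($c.Sub)\$($c.Name)" $p.($c.Name) `
                    'Restriction policy set (hides Folder Options / blocks regedit)'
            }
        }
    }
}

function Get-OrphanRunFindings {
    foreach ($h in 'HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-18', 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE') {
        $key = "Registry::$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $file = Resolve-CommandFile ([string]$prop.Value)
            # A Run value whose file is gone (OTL's "File not found", like the
            # uPc+kt0NrqPJsiv entry) is the leftover of a removed loader.
            if ($file -and -not (Test-Path -LiteralPath $file)) {
                New-Finding "$h\...\Run\$($prop.Name)" $prop.Value 'Target file does not exist'
            }
        }
    }
}

function Get-FirefoxUserJsFindings {
    $roots = @("$env:APPDATA\Mozilla\Firefox\Profiles",
               "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles")
    $searchPref = '^\s*user_pref\("(keyword\.URL|browser\.search\.[^"]+)"'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($profile in (Get-ChildItem -LiteralPath $root | Where-Object { $_.PSIsContainer })) {
            $userJs = Join-Path $profile.FullName 'user.js'
            if (-not (Test-Path -LiteralPath $userJs)) { continue }
            # Firefox never writes user.js itself; search prefs in it are a hijack marker.
            foreach ($line in (Get-Content -LiteralPath $userJs | Where-Object { $_ -match $searchPref })) {
                New-Finding $userJs $line.Trim() 'user.js overrides search settings'
            }
        }
    }
}

$findings = @(Get-WinlogonShellFindings) + @(Get-PolicyFindings) +
            @(Get-OrphanRunFindings) + @(Get-FirefoxUserJsFindings)
if ($findings.Count -eq 0) {
    'No findings at the audited persistence points.'
} else {
    $findings | Format-Table Location, Value, Reason -AutoSize -Wrap
}
```

Run it before and after a fix like the one above to confirm the entries are gone; on a clean machine it should print no findings.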

Result:

All processes killed
========== OTL ==========
C:\Users\max\AppData\Roaming\Mozilla\FireFox\Profiles\bnha51iy.default\user.js moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1D3E9598-68D1-4924-A742-1F1FED21C800} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D3E9598-68D1-4924-A742-1F1FED21C800}\ not found.
C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800}\chrome\content folder moved successfully.
C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800}\chrome folder moved successfully.
C:\Windows\system32\config\systemprofile\AppData\Local\{1D3E9598-68D1-4924-A742-1F1FED21C800} folder moved successfully.
C:\Program Files (x86)\Mozilla Firefox\searchplugins\websearch.xml moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\uPc+kt0NrqPJsiv deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\uPc+kt0NrqPJsiv not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2979fe61-dbfa-11df-b89d-806e6f6e6963}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31809fd8-ef2f-11de-b370-0019b915b8c3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31809fd8-ef2f-11de-b370-0019b915b8c3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31809fd8-ef2f-11de-b370-0019b915b8c3}\ not found.
File G:\MafiaLauncher.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0770aa4-76a6-11df-8a4f-0019b915b8c3}\ not found.
File G:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0770aab-76a6-11df-8a4f-0019b915b8c3}\ not found.
File E:\install.exe not found.
C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357}\chrome\content folder moved successfully.
C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357}\chrome folder moved successfully.
C:\Users\max\AppData\Local\{07094E14-D233-43C1-B0AC-7AB92AA9C357} folder moved successfully.
C:\Windows\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\1C4551A64743409391E41477CD655043.TMP folder deleted successfully.
C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP folder deleted successfully.
C:\Windows\6833245EDD86479A882A8360D62C8194.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\6833245EDD86479A882A8360D62C8194.TMP folder deleted successfully.
C:\Windows\8A809006C25A4A3A9DAB94659BCDB107.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\8A809006C25A4A3A9DAB94659BCDB107.TMP folder deleted successfully.
C:\Windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP folder deleted successfully.
C:\Windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP folder deleted successfully.
C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP folder deleted successfully.
C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP folder deleted successfully.
C:\Windows\F9835182794B4F24902AE2CA9D43380F.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\F9835182794B4F24902AE2CA9D43380F.TMP folder deleted successfully.
C:\STF163F.tmp deleted successfully.
C:\STF319F.tmp deleted successfully.
C:\STF4D1D.tmp deleted successfully.
C:\STF7ECF.tmp deleted successfully.
C:\STFE5F8.tmp deleted successfully.
C:\STFF3B.tmp deleted successfully.
C:\STFF87F.tmp deleted successfully.
C:\Windows\SysWow64\tmp414B.tmp deleted successfully.
C:\Windows\SysWow64\tmp416C.tmp deleted successfully.
C:\Windows\SysWow64\tmp70DE.tmp deleted successfully.
C:\Windows\SysWow64\tmp70DF.tmp deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\max\Downloads\cmd.bat deleted successfully.
C:\Users\max\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: hate
->Temp folder emptied: 438554 bytes
->Temporary Internet Files folder emptied: 73589 bytes
->FireFox cache emptied: 4131160 bytes
->Flash cache emptied: 42210 bytes

User: max
->Temp folder emptied: 2698868962 bytes
->Temporary Internet Files folder emptied: 20673866 bytes
->Java cache emptied: 61532148 bytes
->FireFox cache emptied: 2048814936 bytes
->Google Chrome cache emptied: 205929100 bytes
->Apple Safari cache emptied: 11800576 bytes
->Opera cache emptied: 304 bytes
->Flash cache emptied: 136040 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 432568 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 286636 bytes
RecycleBin emptied: 100720 bytes

Total Files Cleaned = 4,819.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: hate
->Flash cache emptied: 0 bytes

User: max
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.17.3 log created on 11232010_183111

Files\Folders moved on Reboot...
File\Folder C:\Users\max\AppData\Local\Temp\AFX2FB7.tmp not found!
C:\Users\max\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.
File\Folder C:\Windows\temp\logishrd\LVPrcInj03.dll not found!

Registry entries deleted on Reboot...

This appears to have worked. Thank you very much for your help. I'll update the thread if anything else occurs.
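To read an OTL log like the one above back quickly, here is a small parser (an added example, not part of the thread or of OTL itself) that groups each file action by the outcome OTL reports, so the items still pending a reboot or reported as not found stand out; the sample input is constructed from lines in the pasted log.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shapes OTL prints, taken from the log above.
SAMPLE_LOG = r"""
C:\Windows\F9835182794B4F24902AE2CA9D43380F.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\F9835182794B4F24902AE2CA9D43380F.TMP folder deleted successfully.
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
File\Folder C:\Users\max\AppData\Local\Temp\AFX2FB7.tmp not found!
C:\Users\max\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.
File\Folder C:\Windows\temp\logishrd\LVPrcInj03.dll not found!
"""

# One pattern per outcome wording seen in the log; "path" captures the object.
PATTERNS = {
    "deleted": re.compile(r"^(?P<path>.+?)( folder)? deleted successfully\.$"),
    "moved": re.compile(r"^(?P<path>.+?) moved successfully\.$"),
    "pending_reboot": re.compile(
        r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"),
    "not_found": re.compile(r"^File\\Folder (?P<path>.+?) not found!$"),
}


def triage_otl(log_text):
    """Group OTL file/folder actions by outcome.

    Returns a dict: outcome -> list of paths; unmatched non-empty lines
    are collected under "other" so nothing in the log is silently dropped.
    """
    result = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for status, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                result[status].append(match.group("path"))
                break
        else:
            result["other"].append(line)
    return dict(result)


def needs_followup(log_text):
    """Paths a helper should re-check after the reboot: scheduled moves and not-found items."""
    groups = triage_otl(log_text)
    return groups.get("pending_reboot", []) + groups.get("not_found", [])
```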


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5207

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/28/2010 2:00:01 PM
mbam-log-2010-11-28 (14-00-01).txt

Scan type: Quick scan
Objects scanned: 157317
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET:

C:\Program Files (x86)\Win7codecs\Tools\renderer32.exe Win32/Packed.Autoit.E.Gen application
C:\Program Files (x86)\Win7codecs\Tools\Settings32.exe Win32/Packed.Autoit.C.Gen application
C:\Users\max\Downloads\nl_setup_beta(2).exe probably a variant of Win32/Packed.Themida application
C:\Users\max\Downloads\nl_setup_beta(3).exe probably a variant of Win32/Packed.Themida application
C:\Users\max\Downloads\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application

These all seem to be false positives.

Still get a random browser tab open every once in a while and chrome/IE still seem to stall when started.

Any ideas?


Hi,

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
    KasReport.png
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow drweb_green_arrow.jpg at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    drweb_check.gif
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    drweb_move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


  • 2 months later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
