
Google Search Redirect Hijack in Firefox


Nat


Hi everyone,

I'm experiencing the Google Redirect Hijack in Firefox (search results in Google will occasionally be replaced with googleads.g.doubleclick.com links that aren't visible until you click on the search result link and then the redirect happens). I've done what I could to kill this thing but it keeps coming back (oddly enough, it doesn't seem to have affected my Internet Explorer 8 installation - I've never had the hijack occur when using IE8. But I rarely use IE8, so it might just be a case where I'm just not using search enough in IE to run across instances of the hijack).

Things I've done:

1.) I've uninstalled Firefox twice now and deleted my profile and all extensions (deleted the entire folder). The problem reoccurs once I install a new download of the latest version of Firefox.

2.) I've run Malwarebytes, but have come up with clean results.

3.) I've run TDSSKiller, but have come up with clean results.

I'm running Microsoft Security Essentials as my Windows firewall/virus program.

So I'm posting my logs as per forum instructions. I would dearly love to avoid a Windows re-installation, but I'll do it if I have to as this hijacking is insanely annoying. Thanks in advance for your help!

Contents of Malwarebytes log file

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5203

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/27/2010 10:53:45 PM

mbam-log-2010-11-27 (22-53-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 241323

Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Contents of DDS.txt

DDS (Ver_10-11-27.01) - NTFS_AMD64

Run by Nat at 22:13:31.42 on Sat 11/27/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.12279.10663 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\PlaxoHelper_en.exe

C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

D:\Program Files (x86)\JRT Studio\iSyncr WiFi\iSyncr WiFi.exe

D:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

D:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

D:\Nat\Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.washingtonpost.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files (x86)\Java\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

uRun: [PlaxoUpdate] C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\PlaxoHelper_en.exe -a

uRun: [PlaxoSysTray] C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\PlaxoSysTray.exe

mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [AmazonGSDownloaderTray] D:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ISYNCR~1.LNK - C:\Windows\Installer\{781A9D1F-1641-444D-AD3B-9856320BF942}\_10E424D0496CD6F91003BF.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - D:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Se&nd to OneNote - D:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

mRun-x64: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

mRun-x64: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

mRun-x64: [bCSSync] "D:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - plugin: D:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll

FF - plugin: D:\Program Files (x86)\Java\bin\new_plugin\npdeployJava1.dll

FF - plugin: D:\Program Files (x86)\Java\bin\new_plugin\npjp2.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - D:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: XULRunner: {84DED0AF-2439-43DA-865E-4BA28EBE5145} - C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

============= SERVICES / DRIVERS ===============

R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2009-12-25 297512]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2009-12-2 173984]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 203264]

R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-5-27 6856192]

R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-5-27 264192]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2009-6-10 281088]

R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2009-12-2 40832]

R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-1-22 77824]

R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-1-22 180224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-4 136176]

S3 Amazon Download Agent;Amazon Download Agent;D:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-11-20 401920]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;D:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 51456888]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-24 1255736]

=============== Created Last 30 ================

2010-11-28 00:51:56 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{401871D9-8598-4C41-A6E4-85FF6450F2B4}\mpengine.dll

2010-11-24 13:13:07 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2010-11-24 13:13:07 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2010-11-21 20:49:21 -------- d-----w- C:\Program Files (x86)\MSXML 4.0

2010-11-20 22:26:19 -------- d-----w- C:\Users\Nat\AppData\Local\The Witcher

2010-11-20 17:42:20 -------- d-----w- C:\Users\Nat\AppData\Local\Plaxo

2010-11-20 16:27:07 -------- d-----w- C:\PROGRA~3\Amazon

2010-11-17 23:54:59 19528 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys

2010-11-17 23:54:00 -------- d-----w- C:\PROGRA~3\Hitman Pro

2010-11-17 05:57:41 438 ----a-w- C:\Windows\SysWow64\PARTLOGN.EXE

2010-11-17 05:55:52 37600 ----a-w- C:\Windows\System32\Partizan.exe

2010-11-17 05:54:48 2 --shatr- C:\Windows\winstart.bat

2010-11-17 01:32:45 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2010-11-16 08:00:45 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll

2010-11-16 08:00:44 81768 ----a-w- C:\Windows\SysWow64\xinput1_3.dll

2010-11-16 08:00:44 1892184 ----a-w- C:\Windows\SysWow64\D3DX9_42.dll

2010-11-15 02:34:56 -------- d-----w- C:\Users\Nat\AppData\Roaming\Canneverbe Limited

2010-11-15 02:34:56 -------- d-----w- C:\PROGRA~3\Canneverbe Limited

2010-11-15 02:17:29 -------- d-----w- C:\Users\Nat\AppData\Local\MicroVision Applications

2010-11-15 02:15:51 -------- d-----w- C:\Program Files (x86)\Common Files\SureThing Shared

2010-11-15 02:15:50 344064 ----a-w- C:\Windows\SysWow64\msvcr70.dll

2010-11-15 02:15:50 289552 ----a-w- C:\Windows\SysWow64\temp.001

2010-11-15 02:15:50 28672 ----a-w- C:\Windows\SysWow64\temp.000

2010-11-15 02:15:50 -------- d-----w- C:\Windows\MVUNINST

2010-11-15 00:31:39 -------- d-----w- C:\Program Files\iPod

2010-11-15 00:31:37 -------- d-----w- C:\Program Files\iTunes

2010-11-06 16:37:34 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

==================== Find3M ====================

2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe

2010-10-14 23:44:02 4280320 ----a-w- C:\Windows\SysWow64\GPhotos.scr

2010-10-14 06:36:52 15451288 ----a-w- C:\Windows\SysWow64\xlive.dll

2010-10-14 06:36:50 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll

2010-09-30 02:13:32 834544 ----a-w- C:\Windows\System32\drivers\sptd.sys

2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2010-09-08 15:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2010-09-08 15:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll

2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec

2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec

2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL

2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL

2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys

2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll

2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll

============= FINISH: 22:13:42.80 ===============

ark.zip

Attach.zip


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

Please read and follow all these instructions very carefully.

  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Hi Elise, thank you so much for your help!

Below are the contents of my GooredLog

-------------------------------------------

GooredFix by jpshortstuff (03.07.10.1)

Log created at 12:35 on 28/11/2010 (Nat)

Firefox version 3.6.12 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\

(none)

C:\Users\Nat\Application Data\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\

nosquint@urandom.ca [04:14 28/11/2010]

{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [02:46 28/11/2010]

{d40f5e7b-d2cf-4856-b441-cc613eeffbe3} [02:48 28/11/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

(Key not found)

---------- Old Logs ----------

GooredFix[04.13.17_28-11-2010].txt

GooredFix[04.29.04_28-11-2010].txt

-=E.O.F=-

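The GooredFix log above is essentially an inventory of the places a Firefox 3.x extension can be loaded from: the program's own extensions folder, each profile's extensions folder, and the HKLM Mozilla\Firefox\Extensions registry key. The following PowerShell script is an added example for this thread, not code from GooredFix, OTL or the forum; it builds the same inventory on a Windows 7 machine laid out as in the DDS log, and additionally reads the HKCU and Wow6432Node variants of that registry key, which the GooredFix log does not show. The function and property names (Get-FirefoxExtensionInventory, New-ExtensionEntry, Source/Id/Path/Modified) are this example's own.

```powershell
# Added example for this thread; not GooredFix, OTL or forum code.
# Lists every location a Firefox 3.x-era extension can be loaded from and when
# each install folder was last written, so the result can be compared with
# the extensions the user knowingly installed. Written for PowerShell 2.0
# (Windows 7), hence New-Object PSObject instead of [pscustomobject].

function New-ExtensionEntry {
    param([string]$Source, [string]$Id, [string]$Path)
    # Registry entries can point at folders that no longer exist; leave
    # Modified empty in that case instead of failing.
    $modified = $null
    if (Test-Path -LiteralPath $Path) {
        $modified = (Get-Item -LiteralPath $Path -Force).LastWriteTime
    }
    New-Object PSObject -Property @{
        Source   = $Source
        Id       = $Id
        Path     = $Path
        Modified = $modified
    }
}

function Get-FirefoxExtensionInventory {
    $entries = @()

    # 1. Extensions shipped in the Firefox program folder (32- and 64-bit paths).
    $programDirs = @(
        "$env:ProgramFiles\Mozilla Firefox\extensions",
        "${env:ProgramFiles(x86)}\Mozilla Firefox\extensions"
    )
    foreach ($dir in $programDirs) {
        if (Test-Path -LiteralPath $dir) {
            foreach ($item in Get-ChildItem -LiteralPath $dir -Force) {
                $entries += New-ExtensionEntry 'ProgramDir' $item.Name $item.FullName
            }
        }
    }

    # 2. Extensions inside each profile's extensions folder. The DDS log shows
    #    the profile root under %APPDATA%\Mozilla\Firefox\Profiles.
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profileRoot) {
        foreach ($prof in Get-ChildItem -LiteralPath $profileRoot | Where-Object { $_.PSIsContainer }) {
            $extDir = Join-Path $prof.FullName 'extensions'
            if (Test-Path -LiteralPath $extDir) {
                foreach ($item in Get-ChildItem -LiteralPath $extDir -Force) {
                    $entries += New-ExtensionEntry "Profile:$($prof.Name)" $item.Name $item.FullName
                }
            }
        }
    }

    # 3. Registry-registered extensions: each value name is an extension id and
    #    the value data is the folder Firefox loads it from, which may be
    #    anywhere on disk (the DDS log above lists one under AppData\Local).
    $regKeys = @(
        'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
        'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
        'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
    )
    foreach ($key in $regKeys) {
        if (Test-Path -LiteralPath $key) {
            $regItem = Get-Item -LiteralPath $key
            foreach ($name in $regItem.GetValueNames()) {
                $entries += New-ExtensionEntry "Registry:$key" $name ([string]$regItem.GetValue($name))
            }
        }
    }

    $entries
}

# Most recently modified first, so the newest change is at the top of the table.
Get-FirefoxExtensionInventory |
    Sort-Object Modified -Descending |
    Format-Table Source, Id, Modified, Path -AutoSize
```

Run it from a normal PowerShell prompt; HKLM keys are readable without elevation. A row whose Path lies outside both the Firefox program folder and the profile's extensions folder, or whose Modified date is more recent than the user's last deliberate install, is the one worth cross-checking against the other logs in the thread.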

Okay, that did not pick it up, so let's remove the infection with a script.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


OTL.txt

OTL logfile created on: 11/28/2010 1:06:42 PM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = D:\Nat\Downloads

64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

12.00 Gb Total Physical Memory | 10.00 Gb Available Physical Memory | 83.00% Memory free

24.00 Gb Paging File | 22.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 37.17 Gb Total Space | 10.59 Gb Free Space | 28.48% Space Free | Partition Type: NTFS

Drive D: | 3725.90 Gb Total Space | 3440.07 Gb Free Space | 92.33% Space Free | Partition Type: NTFS

Computer Name: DESKTOP | User Name: Nat | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/27 23:21:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Nat\Downloads\OTL.exe

PRC - [2010/10/27 01:10:00 | 000,912,344 | ---- | M] (Mozilla Corporation) -- D:\Program Files (x86)\Mozilla Firefox\firefox.exe

PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/07/04 21:48:08 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2010/06/30 10:04:38 | 000,773,448 | ---- | M] (Plaxo, Inc.) -- C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\PlaxoHelper_en.exe

PRC - [2010/01/22 11:29:40 | 000,106,496 | ---- | M] (NEC Electronics Corporation) -- C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

PRC - [2009/06/04 18:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe

========== Modules (SafeList) ==========

MOD - [2010/11/27 23:21:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Nat\Downloads\OTL.exe

MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/05/27 11:59:40 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)

SRV:64bit: - [2010/03/25 22:48:42 | 000,017,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV - [2010/11/20 11:14:20 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/03/25 09:41:00 | 051,456,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)

SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2009/10/23 12:31:44 | 000,401,920 | ---- | M] (Amazon.com) [On_Demand | Stopped] -- D:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)

SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/09/29 21:13:32 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)

DRV:64bit: - [2010/07/21 16:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)

DRV:64bit: - [2010/05/27 12:39:12 | 006,856,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)

DRV:64bit: - [2010/05/27 11:25:36 | 000,264,192 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)

DRV:64bit: - [2010/05/06 04:21:46 | 000,125,456 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV:64bit: - [2010/04/19 19:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)

DRV:64bit: - [2010/01/22 11:22:22 | 000,180,224 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)

DRV:64bit: - [2010/01/22 11:22:18 | 000,077,824 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)

DRV:64bit: - [2009/12/25 02:05:40 | 000,297,512 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)

DRV:64bit: - [2009/10/29 03:14:38 | 000,115,824 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)

DRV:64bit: - [2009/09/24 16:55:00 | 000,212,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfbd.sys -- (tosrfbd)

DRV:64bit: - [2009/09/14 13:30:26 | 000,058,744 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfusb.sys -- (Tosrfusb)

DRV:64bit: - [2009/08/13 21:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)

DRV:64bit: - [2009/08/05 11:56:04 | 000,063,856 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TosRfSnd.sys -- (TosRfSnd)

DRV:64bit: - [2009/07/28 19:02:10 | 000,081,768 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfcom.sys -- (Tosrfcom)

DRV:64bit: - [2009/07/24 10:33:14 | 000,026,472 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfnds.sys -- (tosrfnds)

DRV:64bit: - [2009/07/15 22:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)

DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/07/13 19:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)

DRV:64bit: - [2009/06/19 09:00:26 | 000,094,336 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Tosrfhid.sys -- (Tosrfhid)

DRV:64bit: - [2009/06/19 08:59:32 | 000,050,664 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosrfbnp.sys -- (tosrfbnp)

DRV:64bit: - [2009/06/17 11:01:04 | 000,054,664 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tosporte.sys -- (tosporte)

DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009/06/10 15:35:02 | 000,281,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1y60x64.sys -- (e1yexpress) Intel®

DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/06/04 17:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)

DRV:64bit: - [2009/05/18 12:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2009/05/08 15:08:00 | 000,020,520 | ---- | M] (GARMIN Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\grmnusb.sys -- (grmnusb)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6B 34 80 71 C7 12 CB 01 [binary data]

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {84DED0AF-2439-43DA-865E-4BA28EBE5145}:1.9.1

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1

FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3

FF - prefs.js..extensions.enabledItems: nosquint@urandom.ca:2.0.5

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: D:\Program Files (x86)\Mozilla Firefox\components [2010/11/27 21:43:31 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: D:\Program Files (x86)\Mozilla Firefox\plugins [2010/11/27 21:43:25 | 000,000,000 | ---D | M]

[2010/11/27 21:43:34 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\Mozilla\Extensions

[2010/11/27 23:14:32 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions

[2010/11/27 21:46:49 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/11/27 21:48:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

[2010/11/27 23:14:21 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\oj0wm6q5.default\extensions\nosquint@urandom.ca

Hosts file not found

O2:64bit: - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll (Google Inc.)

O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.

O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4:64bit: - HKLM..\Run: [BCSSync] D:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [AmazonGSDownloaderTray] D:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)

O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()

O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (NEC Electronics Corporation)

O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKCU..\Run: [PlaxoSysTray] C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\plaxosystray.exe (Plaxo, Inc.)

O4 - HKCU..\Run: [PlaxoUpdate] C:\Users\Nat\AppData\Local\Plaxo\3.24.0.119\PlaxoHelper_en.exe (Plaxo, Inc.)

O4 - HKCU..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found

O4 - HKLM..\RunOnceEx: [Title] File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)

O8:64bit: - Extra context menu item: Se&nd to OneNote - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)

O8 - Extra context menu item: Se&nd to OneNote - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9:64bit: - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9:64bit: - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9:64bit: - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9:64bit: - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1

O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O28:64bit: - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O33 - MountPoints2\{b0b755c8-cc38-11df-ad65-003091400259}\Shell - "" = AutoRun

O33 - MountPoints2\{b0b755c8-cc38-11df-ad65-003091400259}\Shell\AutoRun\command - "" = K:\setup.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/28 12:23:16 | 000,000,000 | ---D | C] -- C:\Windows\LastGood

[2010/11/28 12:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliPoint

[2010/11/27 23:13:17 | 000,000,000 | ---D | C] -- C:\Users\Nat\Desktop\GooredFix Backups

[2010/11/27 21:43:30 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Roaming\Mozilla

[2010/11/21 15:49:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0

[2010/11/20 17:26:19 | 000,000,000 | ---D | C] -- D:\Users\Nat\Documents\The Witcher

[2010/11/20 17:26:19 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Local\The Witcher

[2010/11/20 17:21:38 | 000,511,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAudio2_1.dll

[2010/11/20 17:21:38 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XAudio2_1.dll

[2010/11/20 17:21:38 | 000,068,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAPOFX1_0.dll

[2010/11/20 17:21:38 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XAPOFX1_0.dll

[2010/11/20 17:21:37 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine3_1.dll

[2010/11/20 17:21:37 | 000,177,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine3_1.dll

[2010/11/20 17:21:37 | 000,028,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\X3DAudio1_4.dll

[2010/11/20 17:21:37 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\X3DAudio1_4.dll

[2010/11/20 17:21:36 | 001,941,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_38.dll

[2010/11/20 17:21:36 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_38.dll

[2010/11/20 17:21:36 | 000,540,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_38.dll

[2010/11/20 17:21:36 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_38.dll

[2010/11/20 17:21:35 | 004,991,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_38.dll

[2010/11/20 17:21:35 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DX9_38.dll

[2010/11/20 17:21:35 | 000,489,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XAudio2_0.dll

[2010/11/20 17:21:35 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XAudio2_0.dll

[2010/11/20 17:21:34 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine3_0.dll

[2010/11/20 17:21:34 | 000,177,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine3_0.dll

[2010/11/20 17:21:34 | 000,028,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\X3DAudio1_3.dll

[2010/11/20 17:21:34 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\X3DAudio1_3.dll

[2010/11/20 17:21:33 | 001,860,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_37.dll

[2010/11/20 17:21:33 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_37.dll

[2010/11/20 17:21:33 | 000,529,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_37.dll

[2010/11/20 17:21:33 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_37.dll

[2010/11/20 17:21:32 | 004,910,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_37.dll

[2010/11/20 17:21:32 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DX9_37.dll

[2010/11/20 17:21:32 | 000,411,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_10.dll

[2010/11/20 17:21:32 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_10.dll

[2010/11/20 17:21:31 | 002,006,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_36.dll

[2010/11/20 17:21:31 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_36.dll

[2010/11/20 17:21:31 | 000,508,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_36.dll

[2010/11/20 17:21:31 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_36.dll

[2010/11/20 17:21:29 | 005,081,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_36.dll

[2010/11/20 17:21:29 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_36.dll

[2010/11/20 17:21:29 | 000,411,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_9.dll

[2010/11/20 17:21:29 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_9.dll

[2010/11/20 17:21:28 | 001,985,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_35.dll

[2010/11/20 17:21:28 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_35.dll

[2010/11/20 17:21:28 | 000,508,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_35.dll

[2010/11/20 17:21:28 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_35.dll

[2010/11/20 17:21:27 | 005,073,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_35.dll

[2010/11/20 17:21:27 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_35.dll

[2010/11/20 17:21:27 | 000,409,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_8.dll

[2010/11/20 17:21:27 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_8.dll

[2010/11/20 17:21:27 | 000,021,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\X3DAudio1_2.dll

[2010/11/20 17:21:27 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\X3DAudio1_2.dll

[2010/11/20 17:21:26 | 001,401,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_34.dll

[2010/11/20 17:21:26 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_34.dll

[2010/11/20 17:21:26 | 000,506,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_34.dll

[2010/11/20 17:21:26 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_34.dll

[2010/11/20 17:21:25 | 004,496,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_34.dll

[2010/11/20 17:21:25 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_34.dll

[2010/11/20 17:21:24 | 000,403,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_7.dll

[2010/11/20 17:21:24 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_7.dll

[2010/11/20 17:21:24 | 000,107,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xinput1_3.dll

[2010/11/20 17:21:23 | 001,400,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_33.dll

[2010/11/20 17:21:23 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_33.dll

[2010/11/20 17:21:23 | 000,506,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_33.dll

[2010/11/20 17:21:23 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_33.dll

[2010/11/20 17:21:22 | 004,494,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_33.dll

[2010/11/20 17:21:22 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_33.dll

[2010/11/20 17:21:21 | 000,469,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10.dll

[2010/11/20 17:21:21 | 000,440,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10.dll

[2010/11/20 17:21:21 | 000,393,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_6.dll

[2010/11/20 17:21:21 | 000,390,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_5.dll

[2010/11/20 17:21:21 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_6.dll

[2010/11/20 17:21:21 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_5.dll

[2010/11/20 17:21:20 | 004,398,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_32.dll

[2010/11/20 17:21:20 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_32.dll

[2010/11/20 17:21:19 | 000,364,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_4.dll

[2010/11/20 17:21:19 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_4.dll

[2010/11/20 17:21:19 | 000,017,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\x3daudio1_1.dll

[2010/11/20 17:21:19 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\x3daudio1_1.dll

[2010/11/20 17:21:18 | 003,977,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_31.dll

[2010/11/20 17:21:18 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_31.dll

[2010/11/20 17:21:18 | 000,363,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_3.dll

[2010/11/20 17:21:18 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_3.dll

[2010/11/20 17:21:17 | 000,354,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_2.dll

[2010/11/20 17:21:17 | 000,352,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_1.dll

[2010/11/20 17:21:17 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_2.dll

[2010/11/20 17:21:17 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_1.dll

[2010/11/20 17:21:17 | 000,083,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xinput1_2.dll

[2010/11/20 17:21:17 | 000,083,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xinput1_1.dll

[2010/11/20 17:21:17 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xinput1_2.dll

[2010/11/20 17:21:17 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xinput1_1.dll

[2010/11/20 17:21:12 | 003,927,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_30.dll

[2010/11/20 17:21:12 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_30.dll

[2010/11/20 17:21:12 | 000,355,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xactengine2_0.dll

[2010/11/20 17:21:12 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xactengine2_0.dll

[2010/11/20 17:21:12 | 000,016,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\x3daudio1_0.dll

[2010/11/20 17:21:12 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\x3daudio1_0.dll

[2010/11/20 17:21:11 | 003,830,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_29.dll

[2010/11/20 17:21:11 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_29.dll

[2010/11/20 17:21:10 | 003,815,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_28.dll

[2010/11/20 17:21:10 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_28.dll

[2010/11/20 17:21:09 | 003,807,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_27.dll

[2010/11/20 17:21:09 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_27.dll

[2010/11/20 17:21:08 | 003,767,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_26.dll

[2010/11/20 17:21:08 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_26.dll

[2010/11/20 17:21:07 | 003,823,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_25.dll

[2010/11/20 17:21:07 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_25.dll

[2010/11/20 17:21:06 | 003,544,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_24.dll

[2010/11/20 17:21:06 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_24.dll

[2010/11/20 17:16:08 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\The Witcher

[2010/11/20 12:42:20 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Local\Plaxo

[2010/11/20 11:27:07 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Amazon Games & Software

[2010/11/20 11:27:07 | 000,000,000 | ---D | C] -- D:\Users\Nat\Documents\Amazon Downloads

[2010/11/20 11:27:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Amazon

[2010/11/17 18:54:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro

[2010/11/17 00:55:52 | 000,037,600 | ---- | C] (Greatis Software) -- C:\Windows\SysNative\Partizan.exe

[2010/11/17 00:54:46 | 000,000,000 | ---D | C] -- D:\Users\Nat\Documents\RegRun2

[2010/11/16 20:32:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun

[2010/11/16 20:32:45 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll

[2010/11/16 03:00:45 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_42.dll

[2010/11/16 03:00:44 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DX9_42.dll

[2010/11/16 03:00:44 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xinput1_3.dll

[2010/11/14 21:34:56 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Roaming\Canneverbe Limited

[2010/11/14 21:34:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited

[2010/11/14 21:17:29 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Local\MicroVision Applications

[2010/11/14 21:15:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\SureThing Shared

[2010/11/14 21:15:50 | 000,344,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcr70.dll

[2010/11/14 21:15:50 | 000,289,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.001

[2010/11/14 21:15:50 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.000

[2010/11/14 21:15:50 | 000,000,000 | ---D | C] -- C:\Windows\MVUNINST

[2010/11/14 21:08:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\LightScribe

[2010/11/14 19:31:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/11/14 19:31:37 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/10/30 08:09:48 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Roaming\skypePM

[2010/10/30 08:05:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype

[2010/10/30 08:05:50 | 000,000,000 | ---D | C] -- C:\Users\Nat\AppData\Roaming\Skype

[2010/10/30 08:05:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype

========== Files - Modified Within 30 Days ==========

[2010/11/28 12:58:00 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/11/28 12:23:16 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01009.Wdf

[2010/11/28 12:22:39 | 000,778,150 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/11/28 12:22:39 | 000,659,580 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/11/28 12:22:39 | 000,120,508 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/11/28 12:20:29 | 000,014,848 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010/11/28 12:20:29 | 000,014,848 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010/11/28 12:19:20 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/11/28 12:15:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/11/28 12:15:10 | 1066,749,950 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/27 23:39:22 | 000,001,636 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_233913.reg

[2010/11/27 22:39:10 | 000,000,615 | ---- | M] () -- D:\Users\Nat\Documents\ark.zip

[2010/11/27 22:39:05 | 000,002,229 | ---- | M] () -- D:\Users\Nat\Documents\Attach.zip

[2010/11/27 22:09:58 | 000,000,188 | ---- | M] () -- C:\Users\Nat\defogger_reenable

[2010/11/27 21:43:26 | 000,000,883 | ---- | M] () -- C:\Users\Nat\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/11/27 21:35:43 | 000,005,264 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_213539.reg

[2010/11/27 21:29:17 | 000,001,412 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212904.reg

[2010/11/27 21:28:38 | 000,000,384 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212829.reg

[2010/11/27 21:28:17 | 000,027,742 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212805.reg

[2010/11/27 21:27:43 | 000,000,674 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212732.reg

[2010/11/27 21:27:09 | 000,004,046 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212701.reg

[2010/11/27 21:26:44 | 000,027,688 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212615.reg

[2010/11/27 21:25:55 | 000,004,320 | ---- | M] () -- D:\Users\Nat\Documents\cc_20101127_212538.reg

[2010/11/27 20:37:43 | 000,000,438 | ---- | M] () -- C:\Windows\SysWow64\PARTLOGN.EXE

[2010/11/17 18:54:59 | 000,019,528 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys

[2010/11/17 00:57:57 | 000,416,808 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2010/11/17 00:55:52 | 000,037,600 | ---- | M] (Greatis Software) -- C:\Windows\SysNative\Partizan.exe

[2010/11/17 00:54:48 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat

[2010/11/17 00:54:48 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\CONFIG.NT

[2010/11/17 00:54:48 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\AUTOEXEC.NT

[2010/11/16 20:32:40 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll

[2010/11/14 21:08:19 | 000,002,044 | ---- | M] () -- C:\Users\Public\Desktop\LightScribe.lnk

[2010/11/14 19:31:48 | 000,001,607 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2010/10/30 08:09:50 | 000,000,048 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat

========== Files Created - No Company Name ==========

[2010/11/28 12:23:16 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01009.Wdf

[2010/11/27 23:39:15 | 000,001,636 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_233913.reg

[2010/11/27 22:39:10 | 000,000,615 | ---- | C] () -- D:\Users\Nat\Documents\ark.zip

[2010/11/27 22:39:05 | 000,002,229 | ---- | C] () -- D:\Users\Nat\Documents\Attach.zip

[2010/11/27 22:09:58 | 000,000,188 | ---- | C] () -- C:\Users\Nat\defogger_reenable

[2010/11/27 21:43:26 | 000,000,883 | ---- | C] () -- C:\Users\Nat\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2010/11/27 21:35:40 | 000,005,264 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_213539.reg

[2010/11/27 21:29:06 | 000,001,412 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212904.reg

[2010/11/27 21:28:30 | 000,000,384 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212829.reg

[2010/11/27 21:28:06 | 000,027,742 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212805.reg

[2010/11/27 21:27:34 | 000,000,674 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212732.reg

[2010/11/27 21:27:03 | 000,004,046 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212701.reg

[2010/11/27 21:26:16 | 000,027,688 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212615.reg

[2010/11/27 21:25:41 | 000,004,320 | ---- | C] () -- D:\Users\Nat\Documents\cc_20101127_212538.reg

[2010/11/17 18:54:59 | 000,019,528 | ---- | C] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys

[2010/11/17 00:57:41 | 000,000,438 | ---- | C] () -- C:\Windows\SysWow64\PARTLOGN.EXE

[2010/11/17 00:54:48 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat

[2010/11/17 00:54:48 | 000,000,002 | RHS- | C] () -- C:\Windows\SysWow64\CONFIG.NT

[2010/11/17 00:54:48 | 000,000,002 | RHS- | C] () -- C:\Windows\SysWow64\AUTOEXEC.NT

[2010/11/14 21:08:19 | 000,002,044 | ---- | C] () -- C:\Users\Public\Desktop\LightScribe.lnk

[2010/11/14 19:31:48 | 000,001,607 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk

[2010/10/30 08:09:50 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

[2010/10/14 21:35:32 | 000,000,120 | ---- | C] () -- C:\Users\Nat\AppData\Local\Arewu.dat

[2010/10/14 21:35:32 | 000,000,000 | ---- | C] () -- C:\Users\Nat\AppData\Local\Ykizalo.bin

[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

[2010/09/30 06:58:24 | 000,000,036 | ---- | C] () -- C:\Users\Nat\AppData\Local\housecall.guid.cache

[2010/07/14 21:49:02 | 000,771,962 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2010/07/13 17:47:08 | 000,003,584 | ---- | C] () -- C:\Users\Nat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/30 22:56:30 | 000,000,066 | ---- | C] () -- C:\Windows\wininit.ini

[2010/06/30 22:46:49 | 000,000,499 | ---- | C] () -- C:\Windows\SIERRA.INI

[2010/06/25 20:24:06 | 000,000,362 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010/06/23 05:53:56 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini

[2010/06/23 05:53:49 | 000,033,967 | ---- | C] () -- C:\Windows\Ascd_tmp.ini

[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2009/04/02 07:30:14 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS

[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll

[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll

[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll

========== LOP Check ==========

[2010/09/27 06:38:07 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\Amazon

[2010/11/22 02:49:04 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\calibre

[2010/11/14 21:34:56 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\Canneverbe Limited

[2010/07/14 21:51:28 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\cYo

[2010/09/29 21:20:30 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\DAEMON Tools Lite

[2010/10/26 07:30:19 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\JRT Studio

[2010/11/23 00:30:24 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\TeraCopy

[2010/09/12 11:32:15 | 000,000,000 | ---D | M] -- C:\Users\Nat\AppData\Roaming\uTorrent

[2009/07/14 00:08:49 | 000,018,912 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

Extras.txt

OTL Extras logfile created on: 11/28/2010 1:06:42 PM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = D:\Nat\Downloads

64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

12.00 Gb Total Physical Memory | 10.00 Gb Available Physical Memory | 83.00% Memory free

24.00 Gb Paging File | 22.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 37.17 Gb Total Space | 10.59 Gb Free Space | 28.48% Space Free | Partition Type: NTFS

Drive D: | 3725.90 Gb Total Space | 3440.07 Gb Free Space | 92.33% Space Free | Partition Type: NTFS

Computer Name: DESKTOP | User Name: Nat | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- D:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{21185083-5C3F-45E1-A52F-1279E0724967}" = iTunes

"{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)

"{41BF0DE4-5BAE-4B88-AFD3-86A30B222186}" = Bonjour

"{4B55F339-396E-29A9-B6D0-24B6D251C90A}" = AMD Drag and Drop Transcoding

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{4FBB2E98-1A3B-396A-A662-73E17009C076}" = ATI Catalyst Install Manager

"{563F041C-DFDB-437B-A1E8-E141E0906076}" = Microsoft IntelliPoint 8.0

"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP

"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended

"{90140000-0015-0409-1000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0016-0409-1000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0018-0409-1000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0019-0409-1000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-001A-0409-1000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001B-0409-1000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001F-0409-1000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-040C-1000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-0C0A-1000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-002C-0409-1000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-0043-0000-1000-0000000FF1CE}" = Microsoft Office Office 32-bit Components 2010

"{90140000-0043-0409-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (English) 2010

"{90140000-0044-0409-1000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-006E-0409-1000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-00A1-0409-1000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00BA-0409-1000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-0115-0409-1000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0117-0409-1000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel


Please let me know how things are after the following fix.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox.
    :otl
    FF - prefs.js..extensions.enabledItems: {84DED0AF-2439-43DA-865E-4BA28EBE5145}:1.9.1

    :commands
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.


I'm running some searches in Firefox right now to see if the redirect is still occurring. Nothing so far! :)

OTL Report

All processes killed

========== OTL ==========

Prefs.js: {84DED0AF-2439-43DA-865E-4BA28EBE5145}:1.9.1 removed from extensions.enabledItems

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Mcx1-DESKTOP

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Mcx2-DESKTOP

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 40903 bytes

->Flash cache emptied: 0 bytes

User: Nat

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 25256125 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 97981722 bytes

->Flash cache emptied: 3173 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 3250 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes

RecycleBin emptied: 42318396 bytes

Total Files Cleaned = 158.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 11282010_145221

Files\Folders moved on Reboot...

C:\Users\Nat\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


Okay, please keep me posted on that.

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a sm


Still haven't experienced any redirected Google searches. :)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5203

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/28/2010 3:29:50 PM

mbam-log-2010-11-28 (15-29-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 240797

Time elapsed: 12 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


That is good news. :) Let's also do a last scan for leftovers.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


ESET found no threats and I have yet to re-encounter the Firefox Google Hijack.

So for future reference, do you think the problem was related to the XUL Runner extension (which I can't recall ever installing, btw - not sure how it ended up in my Firefox install :) )? I was googling around and I found this on the Mozilla support forum.

xul runner 1.9.1 added mysteriously-redirects google-how remove

http://support.mozilla.com/en-US/questions/749007

It describes my problem exactly. Do you think I need to do any searches of the registry for it?


Hi, yes this was the problem. It is an add-on that installs/enables itself without your consent. The line we removed with OTL was the only one present in your logs.

The following script will search for remnants in both folders and registry.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    {84DED0AF-2439-43DA-865E-4BA28EBE5145}

    :regfind
    {84DED0AF-2439-43DA-865E-4BA28EBE5145}


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

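The add-on in this thread was not in the profile's extensions folder; it was registered under HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions with a path in AppData\Local, which is the Firefox registry sideloading mechanism and explains why reinstalling Firefox and deleting the profile did not get rid of it. The Python below is an added example, not part of this thread or of OTL or SystemLook: it reads the extensions.enabledItems pref from a Firefox 3.x prefs.js, a registry dump in the key / "name"="data" layout that SystemLook prints, and the list of IDs actually present in the profile's extensions directory, and reports every enabled add-on that is not installed in the profile, flagging registry entries that point at a user-writable location. All three inputs (prefs.js excerpt, registry dump, profile listing, and the example.org/example.com/example.net add-on IDs) are constructed here so the script runs offline.

```python
"""Audit Firefox add-ons that are enabled but were not installed into the profile.

Constructed example: the prefs.js text, the registry dump and the profile
extension listing below are samples written for this demonstration, not
output captured from the machine discussed in the thread.
"""
import re

# extensions.enabledItems (Firefox 3.x prefs.js) is a comma-separated list of id:version.
ENABLED_ITEMS_RE = re.compile(r'user_pref\("extensions\.enabledItems",\s*"([^"]*)"\);')
# SystemLook-style dump: a [KEY] line followed by "name"="data" lines.
REG_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
EXT_KEY_SUFFIX = r'\software\mozilla\firefox\extensions'
# Locations a non-admin process can write to; a vendor add-on normally lives in Program Files.
USER_WRITABLE_MARKERS = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\', '\\programdata\\')

SAMPLE_PREFS_JS = r'''
user_pref("extensions.enabledItems", "legit-addon@example.org:1.0,vendor-addon@example.com:2.3,{84DED0AF-2439-43DA-865E-4BA28EBE5145}:1.9.1,orphan@example.net:0.1");
user_pref("extensions.lastAppVersion", "3.6.12");
'''

SAMPLE_REGISTRY_DUMP = r'''
[HKEY_CURRENT_USER\Software\Mozilla\Firefox]
"Example"="decoy value, not under the Extensions key"
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{84DED0AF-2439-43DA-865E-4BA28EBE5145}"="C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"vendor-addon@example.com"="C:\Program Files (x86)\ExampleVendor\FirefoxExtension"
'''

# IDs that really exist as folders/XPIs under <profile>\extensions (what os.listdir would return).
SAMPLE_PROFILE_EXTENSION_IDS = {"legit-addon@example.org"}


def parse_enabled_items(prefs_text):
    """Return {extension_id: version} from the extensions.enabledItems pref."""
    match = ENABLED_ITEMS_RE.search(prefs_text)
    if not match or not match.group(1):
        return {}
    items = {}
    for entry in match.group(1).split(','):
        ext_id, _, version = entry.partition(':')
        items[ext_id.strip()] = version.strip()
    return items


def parse_registry_extensions(reg_text):
    """Return (key, extension_id, install_path) for every value under a ...\\Firefox\\Extensions key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current_key and current_key.lower().endswith(EXT_KEY_SUFFIX):
            entries.append((current_key, value_match.group('name'), value_match.group('data')))
    return entries


def is_user_writable(path):
    """True when the install path sits somewhere an unprivileged process could have written."""
    normalised = path.lower().replace('/', '\\')
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def audit(prefs_text, reg_text, profile_extension_ids):
    """List enabled add-ons that are not installed in the profile, with a severity per finding."""
    registry_by_id = {}
    for key, ext_id, path in parse_registry_extensions(reg_text):
        registry_by_id.setdefault(ext_id, []).append((key, path))
    findings = []
    for ext_id, version in parse_enabled_items(prefs_text).items():
        if ext_id in profile_extension_ids:
            continue  # installed into the profile the normal way
        locations = registry_by_id.get(ext_id, [])
        if not locations:
            findings.append({'id': ext_id, 'version': version, 'severity': 'medium',
                             'reason': 'enabled in prefs.js but no install location found',
                             'key': None, 'path': None})
            continue
        for key, path in locations:
            severity = 'high' if is_user_writable(path) else 'info'
            findings.append({'id': ext_id, 'version': version, 'severity': severity,
                             'reason': 'registry-sideloaded add-on', 'key': key, 'path': path})
    return findings


def run_sample():
    """Run the audit over the constructed inputs above."""
    return audit(SAMPLE_PREFS_JS, SAMPLE_REGISTRY_DUMP, SAMPLE_PROFILE_EXTENSION_IDS)


if __name__ == '__main__':
    for finding in run_sample():
        print(f"[{finding['severity']}] {finding['id']} {finding['version']}: "
              f"{finding['reason']} {finding['key'] or ''} {finding['path'] or ''}".rstrip())
```

On a live machine the three inputs would come from the profile's prefs.js, a registry export of the Extensions keys under HKCU, HKLM and the user's SID under HKEY_USERS (the SystemLook :regfind output on this page is already in the accepted layout), and a directory listing of <profile>\extensions. A "high" finding is the pattern seen here: an add-on that Firefox considers enabled, that nothing in the profile accounts for, and whose registry path is under AppData.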

SystemLook 04.09.10 by jpshortstuff

Log created at 07:12 on 29/11/2010 by Nat

Administrator - Elevation successful

========== filefind ==========

Searching for "{84DED0AF-2439-43DA-865E-4BA28EBE5145}"

No files found.

========== regfind ==========

Searching for "{84DED0AF-2439-43DA-865E-4BA28EBE5145}"

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]

"{84DED0AF-2439-43DA-865E-4BA28EBE5145}"="C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145}"

[HKEY_USERS\S-1-5-21-4151107310-4145024404-434461228-1001\Software\Mozilla\Firefox\Extensions]

"{84DED0AF-2439-43DA-865E-4BA28EBE5145}"="C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145}"

-= EOF =-


Let's remove these with a script.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox.
    :files
    C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145}

    :reg
    [HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
    "{84DED0AF-2439-43DA-865E-4BA28EBE5145}"=-
    [HKEY_USERS\S-1-5-21-4151107310-4145024404-434461228-1001\Software\Mozilla\Firefox\Extensions]
    "{84DED0AF-2439-43DA-865E-4BA28EBE5145}"=-


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.


Apologies for the delay in responding; was away all day at work.

OTL report after applying the fix you posted

Error: Unable to interpret <CODE> in the current context!

========== FILES ==========

File\Folder C:\Users\Nat\AppData\Local\{84DED0AF-2439-43DA-865E-4BA28EBE5145} not found.

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\\{84DED0AF-2439-43DA-865E-4BA28EBE5145} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84DED0AF-2439-43DA-865E-4BA28EBE5145}\ not found.

Registry value HKEY_USERS\S-1-5-21-4151107310-4145024404-434461228-1001\Software\Mozilla\Firefox\Extensions\\{84DED0AF-2439-43DA-865E-4BA28EBE5145} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84DED0AF-2439-43DA-865E-4BA28EBE5145}\ not found.

OTL by OldTimer - Version 3.2.17.3 log created on 11292010_234608

Still no redirects. :)


The things we fixed with the last script were just some leftovers. With the first script we already disabled the add-on which stopped the redirects.

ALL CLEAN

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Rerun OTL and click the Cleanup button. This will remove all logs and tools. Allow a reboot.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  • Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.

  • Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


This topic is now closed to further replies.