Akkreditivsearch redirecting my search engine results...


  • This topic is locked
24 replies to this topic

#1 Kaljinyu

  • Members
  • 328 posts
  • Gender:Male

Posted 30 January 2013 - 05:36 PM

The gritty reboot to my accidentally underinformed thread here.

Anyway, earlier today I ran a search, and it led to a site I always visit with no problems.

But when I clicked it, I was redirected to a search redirect under http://www.akkreditivsearch.net. I left that link behind and continued my browsing, but later on my browser, Chrome, crashed and I got a message saying Whoa! Google Chrome has crashed! and I think it came with the option to relaunch.

These symptoms are so far recurring, and also as far as I know this is only in Chrome, I haven't tested it in Internet Explorer 8. I'm busy looking through my Internet browsing history to see where this might've come from, but I'm not finding out where I went wrong this time. My whole search history is full of sites that are usually 100% malware free.

Which is why I'm so reluctant to test this in Internet Explorer 8. Because all I did was search, and then this happened. If Internet Explorer 8 is otherwise free of this, I don't wanna risk infecting it by searching.

So to summarize the problem I'm experiencing so far...

1. When I search in Google, the links I click are redirected to Akkreditivsearch.net
2. I'm frequently getting Whoa! Google Chrome has crashed! messages.

Posting DDS.txt now, and attached is Attach.txt.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Parent at 17:24:41 on 2013-01-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.949 [GMT -5:00]
.
AV: Total Protection Service *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.k12.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
uURLSearchHooks: FCToolbarURLSearchHook Class: {4219427b-0228-4356-a78b-eb7668d37d07} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: InboxDollars BHO: {6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: advertzilla: {dc604963-79a8-78fa-9751-607d04851c50} -
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: InboxDollars: {47980628-3844-42AA-A0DD-E2D86BBA9600} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: InboxDollars: {47980628-3844-42AA-A0DD-E2D86BBA9600} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [AdobeBridge] <no file>
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [fvXurBUAjfb.exe] c:\documents and settings\all users\application data\fvXurBUAjfb.exe
mRun: [VisualizerPlugin] "c:\documents and settings\parent\local settings\application data\visualizerplugin\VisualizerPlugin.exe" /n
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Microsoft] rundll32 "c:\documents and settings\parent\local settings\application data\roblox\microsoft\qnzrdjc.dll",NVCoInstallerW
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex
uExplorerRun: [fbebbbeabebadfbda] c:\documents and settings\parent\application data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1299365905203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{13B55215-7C8A-493C-8B11-8A70113730C0} : DHCPNameServer = 192.168.2.1
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = Error!
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.56\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-18 184888]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2002-12-31 44800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 EngineServer;EngineServer;"c:\program files\mcafee\managed virusscan\vscan\engineserver.exe" --> c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [?]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.Exe [?]
S2 pctoolsfirewallplus;OEM02Dev;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-10-19 160944]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-12-26 15656]
S3 XDva392;XDva392;\??\c:\windows\system32\xdva392.sys --> c:\windows\system32\XDva392.sys [?]
S3 XDva393;XDva393;\??\c:\windows\system32\xdva393.sys --> c:\windows\system32\XDva393.sys [?]
S3 XDva394;XDva394;\??\c:\windows\system32\xdva394.sys --> c:\windows\system32\XDva394.sys [?]
S3 XDva401;XDva401;\??\c:\windows\system32\xdva401.sys --> c:\windows\system32\XDva401.sys [?]
.
=============== Created Last 30 ================
.
2013-01-30 01:29:34 -------- d-----w- c:\documents and settings\parent\application data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779
2013-01-09 15:29:27 16369160 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-01-05 22:28:13 -------- d-----w- c:\documents and settings\parent\local settings\application data\WMTools Downloaded Files
2013-01-04 23:42:20 -------- d-----w- c:\program files\Audacity
2013-01-04 23:34:50 -------- d-----w- c:\documents and settings\parent\local settings\application data\Unity
.
==================== Find3M ====================
.
2013-01-09 15:29:29 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 15:29:29 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-17 17:41:40 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-17 17:41:38 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-17 17:41:38 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-17 17:41:38 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 17:26:13.12 ===============


Edited by Noviciate, 30 January 2013 - 05:50 PM.
Removed Quote tags from around log.



#2 Noviciate

  • Malware Response Team
  • 4,996 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 30 January 2013 - 05:51 PM

Good evening. :)

Can you tell me what anti-virus program you are using?

Logs answered since Christmas Day: 42

Threads completed: 11

Threads closed after some work but not completed: 10

Threads closed following a total lack of response from poster: 15

 

 


#3 Kaljinyu
  • Topic Starter

Posted 30 January 2013 - 06:18 PM

Uhhhh... I'm not really using one on this computer... :unsure:

See, I only use this computer to visit a few trusted websites, really, I know I should have some kind of antimalware something on this computer, but I was kinda assuming... that if I only visited 2 or 3 sites on this computer that I knew were trustworthy, I'd be fine... :(



EDIT: Just tested it, yeah, as expected, it affects Internet Explorer 8.



EDIT 2: I tried visiting a page in Google Chrome where the page has an SSL certificate to read for stuff like sensitive data and stuff, and I got an SSL Error. Specifically a Special case exception found for received certificate error. I'll attach a screenshot of it.

It says the certificate I received in the transaction to log in to this site shows that I'm infected with Sirefef.gen!C, and that Microsoft Security Essentials can fix it here.

http://windows.microsoft.com/en-US/windows/security-essentials-download

But usually when someone tells me to get a fix from Microsoft, it does nothing. So I dunno, I thought I'd report this to you first.


EDIT 3: Another symptom I noticed, which usually happens with search redirects and stuff: sites like Startplaynow.com and stuff are appearing in my search history. They're being accessed in the background; I didn't go to these, they didn't pop up, I wasn't redirected to them. This Sirefef.gen!C is browsing to them in the background.

Fortunately, this Sirefef.gen!C thing doesn't seem to be a rootkit. Is it?


Edited by Kaljinyu, 31 January 2013 - 01:13 AM.


#4 Noviciate

Posted 31 January 2013 - 05:17 PM

Good evening. :)

> I was kinda assuming... that if I only visited 2 or 3 sites on this computer that I knew were trustworthy, I'd be fine...

The lack of decent security is a large part of why your PC is now infected. Given the length of time that your PC has been insecure, and the age of the Windows installation (the appropriate log entry states an install date of 9/29/2010), I suggest that you back up any important data and reformat and reinstall your operating system to resolve the problem and give your system a spring clean. The risk of system files having been infected, patched or replaced poses too great a threat to simply stick a plaster on.

> Fortunately, this Sirefef.gen!C thing doesn't seem to be a rootkit. Is it?

Yup, it is - linky.


#5 Kaljinyu
  • Topic Starter

Posted 31 January 2013 - 05:40 PM

It IS a rootkit? Aw jeez... :(

So the only way to fix it is to reinstall Windows? I don't have a Windows XP disk.


EDIT: Okay, so this is a rootkit, is there any way to know how deep it's gone? Normally rootkits consume everything before you can do anything about it, but this rootkit doesn't seem as bad as Rootkit.ZeroAccess.

No chance of System Restore working if I go way WAY back, right?


EDIT 2: Scratch that, apparently Rootkit.ZeroAccess is an alias of this rootkit. Awwww...

But Elise, one of the Malware Study Hall Admins, she got rid of it for me on one of my computers. :)



EDIT 3: I should add, however, that as a Trojan, Rootkit.ZeroAccess had installed some malware that caused random popups whenever I was connected to the Internet, and it also highlighted text on pages and turned them into hyperlinks for ads.

This rootkit, whatever its real name is, so far hasn't brought me any of that. Just search re-directs. So maybe we're in early enough to handle it? Maybe it hasn't spread very far/downloaded enough stuff to survive?

Edited by Kaljinyu, 01 February 2013 - 02:23 PM.


#6 Noviciate

Posted 01 February 2013 - 03:17 PM

Good evening. :)

The main issue here is the lack of basic security and the potential consequences of connecting to the internet while unprotected - something which you are now seeing. I can see indications of previous, or perhaps even current, infections in the log you posted and DDS doesn't show everything that may be present on your system.
With malware having free rein over your system, it is possible that legitimate system files could have had malicious code added to them, or they could have been replaced by malicious ones, and identifying these files may be very difficult. The "possibles" and "mays" in the last sentence are because it is uncertain whether or not this has happened, but the potential for it to happen and the consequences of it having happened are such that the best way to resolve the issue is to start afresh.

> Okay, so this is a rootkit, is there any way to know how deep it's gone?

While each infection has a set of behaviours that can be understood, and hopefully undone, the problem here is that there is no way to know what other infections your system has picked up and what they did to it.

> But Elise, one of the Malware Study Hall Admins, she got rid of it for me on one of my computers.

If it was just one infection then that would be an option.

> This rootkit, whatever its real name is, so far hasn't brought me any of that. Just search re-directs. So maybe we're in early enough to handle it? Maybe it hasn't spread very far/downloaded enough stuff to survive?

See above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If this was my PC or it belonged to a family member or friend and they asked my advice, it would be to back-up data and then reformat and reinstall and this is what I recommend you to do. It may be that the infection that you definitely have is all that is on the system and it can be successfully removed but there is no way to guarantee this and that is the problem. The time taken to remove it will be wasted if the PC is not clean at the end of the process and it is going to be difficult to know whether this is the case or not.


#7 Kaljinyu
  • Topic Starter

Posted 01 February 2013 - 11:07 PM

Huh... so we don't know and it's almost impossible to know if this Sirefef thing is my only infection, or how deep it's gone. But there's still a chance that it's the only infection so far.

Can we give it a try as though it IS the only infection on this computer right now? Or can you not help me at all until I get a Windows XP installation disk?



EDIT: This is puzzling, suddenly I'm not experiencing any of the symptoms anymore. This concerns me, I fear this rootkit might've made itself more undetectable or something.

No computer lag, no Chrome crashing, no backdoor entries in my browsing history, and the SSL certificates on all the sites I visit that require them are 100% legit as far as Chrome is telling me. I fear this Sirefef rootkit is lying to me.

The only symptom I haven't tested yet is the Google redirects. But I'm afraid that if I test it, and find them there, the other symptoms will start up again. Have you ever heard of a rootkit behaving this way?





EDIT 2: Hold on, I'm experiencing symptoms again, except Chrome is no longer giving me SSL Errors. The rootkit is, like, sneaking by its detection, I guess. :(

Edited by Kaljinyu, 02 February 2013 - 10:18 AM.


#8 Noviciate

Posted 03 February 2013 - 03:08 PM

Good evening. :)

Against my better judgement I'll help to remove the Sirefef infection, but I make no promises about the cleanliness of your PC at the end. Your PC should be considered compromised and no online shopping or banking carried out with it, to prevent any form of fraud or identity theft. If you have used it for these things then I suggest you monitor your cards/accounts to limit the potential damage.

Download RogueKiller by Tigzy from here and save it to your Desktop

  • Close all open programs.
  • Double click RogueKiller.exe to run it.
  • Once the tool has initialised, click Scan on the right.
  • Once complete, click Report button, also on the right.
  • The report will open in Notepad and also be saved as RKreport[number].txt on your Desktop.
  • Please post the contents in your next Reply.
  • If for some reason the tool won't run, rename the file to winlogon.exe and try again.


#9 Kaljinyu
  • Topic Starter

Posted 03 February 2013 - 05:31 PM

Whoo! Thanks, alright I'll get started on that immediately.



EDIT: Here ya go. When I double-clicked it, I got a message about the EULA for that program; I assumed that was normal. When it finished, I got a popup leading to a tigzy-RK Blogspot page about my results; I also assumed that was normal.

http://tigzyrk.blogspot.com/2011/09/rootkit-zeroaccess-max.html

It says I have Rootkit ZeroAccess, but it says that fortunately the most recent version of Rootkit.ZeroAccess, which hopefully I have, isn't a true rootkit, and only injects one of the running processes with a bogus .DLL stored in a random location.

There's also a video on the page detailing how to get rid of it. If this is my only infection, do you think that video will do it for us?

Also, I notice that this is a lot weaker than the last time I had Rootkit.ZeroAccess. I could run, like, no anti-malware programs at all, and popups would occur whether I was browsing or not. I think this is the most recent version, a much lesser beast. Anyway, the Rogue Killer report...







RogueKiller V8.4.4 [Feb 4 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Parent [Admin rights]
Mode : Scan -- Date : 02/04/2013 09:20:39
| ARK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Parent\Application Data\7-Zip\7-zip.dll -> UNLOADED
[SUSP PATH] VisualizerPlugin.exe -- C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 17 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Microsoft (rundll32 "C:\Documents and Settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll",NVCoInstallerW) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : fvXurBUAjfb.exe (C:\Documents and Settings\All Users\Application Data\fvXurBUAjfb.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : VisualizerPlugin ("C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe" /n) -> FOUND
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Microsoft (rundll32 "C:\Documents and Settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll",NVCoInstallerW) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-808743801-1300003180-414440772-1003[...]\Run : Microsoft (rundll32 "C:\Documents and Settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll",NVCoInstallerW) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18[...]\Run : Microsoft (rundll32 "C:\Documents and Settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll",NVCoInstallerW) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Policies\Explorer\\Run : fbebbbeabebadfbda (C:\Documents and Settings\Parent\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-808743801-1300003180-414440772-1003[...]\Policies\Explorer\\Run : fbebbbeabebadfbda (C:\Documents and Settings\Parent\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-808743801-1300003180-414440772-1003\$fe65e04e2037b6a35ac672405ab04c23\n) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\n) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\n) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-808743801-1300003180-414440772-1003\$fe65e04e2037b6a35ac672405ab04c23\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-808743801-1300003180-414440772-1003\$fe65e04e2037b6a35ac672405ab04c23\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-808743801-1300003180-414440772-1003\$fe65e04e2037b6a35ac672405ab04c23\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$fe65e04e2037b6a35ac672405ab04c23\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-808743801-1300003180-414440772-1003\$fe65e04e2037b6a35ac672405ab04c23\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Seagate ST3160318AS SCSI Disk Device +++++
--- User ---
[MBR] 4051a1828b266e34d675a4033e5f3d54
[BSP] e2c36e9d62ede9bc8a9c0a66f37dd081 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02042013_02d0920.txt >>

Edited by Kaljinyu, 04 February 2013 - 09:25 AM.
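RogueKiller's [SUSP PATH] verdicts in the report above are a heuristic over the same Run values that appeared in the DDS log in post #1: a startup entry whose program (or, via rundll32, whose DLL) lives in a folder an ordinary user can write to. The Python below is added here as an illustration and is not part of the thread, of RogueKiller or of DDS; it reproduces a rough version of that check over the DDS Run lines, and the folder list, regexes and function names are assumptions.

```python
"""Flag DDS autorun entries whose target lives in a user-writable folder.

Added illustration (not RogueKiller's or DDS's own code): a rough version of
the [SUSP PATH] heuristic, applied to the Run lines a DDS log prints in its
"Pseudo HJT Report" section. The folder list and regexes are assumptions.
"""
import re
from typing import List, NamedTuple, Optional

# DDS prints a startup value as "<u|m|d>Run: [<value name>] <command line>";
# u = current-user hive, m = machine hive, d = .DEFAULT hive (DDS convention).
RUN_LINE = re.compile(
    r"^(?P<hive>[umd])(?P<key>Run|RunOnce|ExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
HIVE_NAMES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# First drive-letter path ending in an executable extension, quoted or not.
# The lookahead stops the match at the real extension, so a folder such as
# "ask.com" does not truncate the path.
TARGET = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd|vbs|js)(?=[\s",]|$)')

# Folders an unprivileged process can write to on XP (plus the Vista+ names).
# Legitimate software (Chrome on XP, for one) also installs here, so a hit is
# a flag for review, not a verdict. Assumed list.
USER_WRITABLE = (
    "\\application data\\",  # <user>\Application Data, Local Settings\Application Data, All Users\Application Data
    "\\recycler\\",          # where the RogueKiller report above found the ZeroAccess files
    "\\temp\\",
    "\\appdata\\",
    "\\programdata\\",
)


class Finding(NamedTuple):
    hive: str
    name: str
    target: str
    reason: str


def target_path(cmd: str) -> Optional[str]:
    """Return the program or DLL a Run command line points at, or None."""
    m = TARGET.search(cmd)
    return m.group(0) if m else None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the Run line starts something from a user-writable folder."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    path = target_path(cmd)
    if path is None:
        return None  # bare file name (searched on PATH) or <no file>: nothing to judge here
    if not any(folder in path.lower() for folder in USER_WRITABLE):
        return None
    # rundll32 with a DLL in a data folder is the classic loader pattern; call it out.
    loader = "rundll32 loads DLL" if cmd.lower().startswith("rundll32") else "program runs"
    return Finding(HIVE_NAMES[m.group("hive")], m.group("name"), path,
                   f"{loader} from user-writable folder")


def scan(lines) -> List[Finding]:
    """Run classify() over every line and keep the flagged ones, in order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Run values copied from the DDS log posted in #1 above (a subset).
SAMPLE_DDS_LINES = [
    r"uRun: [AdobeBridge] <no file>",
    r"mRun: [RTHDCPL] RTHDCPL.EXE",
    r"mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon",
    r'mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"',
    r"mRun: [fvXurBUAjfb.exe] c:\documents and settings\all users\application data\fvXurBUAjfb.exe",
    r'mRun: [VisualizerPlugin] "c:\documents and settings\parent\local settings\application data\visualizerplugin\VisualizerPlugin.exe" /n',
    r'dRun: [Microsoft] rundll32 "c:\documents and settings\parent\local settings\application data\roblox\microsoft\qnzrdjc.dll",NVCoInstallerW',
    r"dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex",
    r"uExplorerRun: [fbebbbeabebadfbda] c:\documents and settings\parent\application data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DDS_LINES):
        print(f"{f.hive:<13} {f.name:<20} {f.reason}\n    {f.target}")
```

Run against the sample, the four entries RogueKiller also listed under [RUN][SUSP PATH] are the ones flagged; the Canon, Ask and Flash entries under Program Files and system32 pass.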


#10 Noviciate

Posted 04 February 2013 - 02:30 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!


#11 Kaljinyu
  • Topic Starter

Posted 04 February 2013 - 06:27 PM

Alright, I downloaded, renamed, and ran ComboFix. And it ran pretty much without a hitch, but when it got to the part where it detected an infected version of MsgSvc.dll and deleted/restored it, PEV.exe had to close. I know that to be a process of ComboFix so I'm wondering what this means for my situation.

I didn't do anything; ComboFix was still able to finish, restart my computer and produce a log. However, when it said not to run any programs because it was producing a log, unfortunately the programs that run at startup... started to run. I did what I could to close them; should I have done that?

So far some pages are loading kinda slowly, I'm getting a lot of hanging at "Sending request". I'm assuming this is temporary. Also, Google search results are taking a while to load. But so far no search redirects. Should I keep trying, seeing if I eventually get redirected?

Also, here's the log.

EDIT: Update, still no redirects or hidden history logs, and the slow loading times are gone now. This seems pretty much handled, symptoms-wise. :clapping:

But here's the log anyway. :)

ComboFix 13-02-03.03 - Parent 02/04/2013 17:36:19.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1237 [GMT -5:00]
Running from: c:\documents and settings\Parent\Desktop\Twelve-Inch-sUBs.exe
AV: Total Protection Service *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779
c:\documents and settings\NetworkService\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe
c:\documents and settings\Parent\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779
c:\documents and settings\Parent\Application Data\2fbe0bb6-3b3e-4139-abeb-3ad1fbd99a4779\fbebbbeabebadfbda.exe
c:\documents and settings\Parent\Application Data\WTouch
c:\documents and settings\Parent\Application Data\WTouch\WTouch.xml
c:\documents and settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll
c:\documents and settings\Parent\Recent\Thumbs.db
c:\program files\Internet Explorer\SET2.tmp
c:\program files\Internet Explorer\SET2E2A.tmp
c:\program files\Internet Explorer\SET2E2B.tmp
c:\program files\Internet Explorer\SET2E2C.tmp
c:\program files\Internet Explorer\SET3.tmp
c:\program files\Internet Explorer\SET4.tmp
C:\Thumbs.db
c:\windows\assembly\GAC\Desktop.ini
c:\windows\system32\SET10.tmp
c:\windows\system32\SET11.tmp
c:\windows\system32\SET12.tmp
c:\windows\system32\SET13.tmp
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
c:\windows\system32\SET16.tmp
c:\windows\system32\SET17.tmp
c:\windows\system32\SET18.tmp
c:\windows\system32\SET1A.tmp
c:\windows\system32\SET1B.tmp
c:\windows\system32\SET1C.tmp
c:\windows\system32\SET1D.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET1F.tmp
c:\windows\system32\SET20.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET25.tmp
c:\windows\system32\SET26.tmp
c:\windows\system32\SET27.tmp
c:\windows\system32\SET28.tmp
c:\windows\system32\SET29.tmp
c:\windows\system32\SET2A.tmp
c:\windows\system32\SET2B.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET2D.tmp
c:\windows\system32\SET2E.tmp
c:\windows\system32\SET2E2F.tmp
c:\windows\system32\SET2E30.tmp
c:\windows\system32\SET2E31.tmp
c:\windows\system32\SET2E32.tmp
c:\windows\system32\SET2E33.tmp
c:\windows\system32\SET2E34.tmp
c:\windows\system32\SET2E35.tmp
c:\windows\system32\SET2E36.tmp
c:\windows\system32\SET2E37.tmp
c:\windows\system32\SET2E38.tmp
c:\windows\system32\SET2E39.tmp
c:\windows\system32\SET2E3A.tmp
c:\windows\system32\SET2E3B.tmp
c:\windows\system32\SET2E3C.tmp
c:\windows\system32\SET2E3D.tmp
c:\windows\system32\SET2E3E.tmp
c:\windows\system32\SET2E3F.tmp
c:\windows\system32\SET2E40.tmp
c:\windows\system32\SET2E42.tmp
c:\windows\system32\SET2E43.tmp
c:\windows\system32\SET2E44.tmp
c:\windows\system32\SET2E45.tmp
c:\windows\system32\SET2E46.tmp
c:\windows\system32\SET2E47.tmp
c:\windows\system32\SET2E48.tmp
c:\windows\system32\SET2E49.tmp
c:\windows\system32\SET2E4A.tmp
c:\windows\system32\SET2E4B.tmp
c:\windows\system32\SET2E4C.tmp
c:\windows\system32\SET2E4D.tmp
c:\windows\system32\SET2E4E.tmp
c:\windows\system32\SET2E4F.tmp
c:\windows\system32\SET2E50.tmp
c:\windows\system32\SET2E51.tmp
c:\windows\system32\SET2E52.tmp
c:\windows\system32\SET2E53.tmp
c:\windows\system32\SET2E54.tmp
c:\windows\system32\SET2E55.tmp
c:\windows\system32\SET2E56.tmp
c:\windows\system32\SET2E57.tmp
c:\windows\system32\SET2E58.tmp
c:\windows\system32\SET2E59.tmp
c:\windows\system32\SET2E5A.tmp
c:\windows\system32\SET2E5B.tmp
c:\windows\system32\SET2F.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\SET31.tmp
c:\windows\system32\SET32.tmp
c:\windows\system32\SET33.tmp
c:\windows\system32\SET7.tmp
c:\windows\system32\SET8.tmp
c:\windows\system32\SET9.tmp
c:\windows\system32\SETA.tmp
c:\windows\system32\SETB.tmp
c:\windows\system32\SETC.tmp
c:\windows\system32\SETD.tmp
c:\windows\system32\SETE.tmp
c:\windows\system32\SETF.tmp
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-01-04 to 2013-02-04 )))))))))))))))))))))))))))))))
.
.
2013-02-04 23:03 . 2013-02-04 23:03 -------- d-----w- c:\documents and settings\Parent\Application Data\WTouch
2013-02-01 10:12 . 2013-02-01 10:12 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2013-01-09 15:29 . 2013-01-09 15:29 16369160 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 15:29 . 2012-10-24 19:20 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 15:29 . 2011-06-25 14:45 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-17 17:41 . 2012-11-17 17:41 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-17 17:41 . 2012-11-17 17:41 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-17 17:41 . 2011-04-04 20:37 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-17 17:41 . 2010-06-18 22:46 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
"{4219427b-0228-4356-a78b-eb7668d37d07}"= "c:\documents and settings\Parent\My Documents\InboxDollars\Helper.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{4219427b-0228-4356-a78b-eb7668d37d07}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{8EF4D7EF-810E-4629-A9C9-F92FD201FE1A}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4}]
c:\documents and settings\Parent\My Documents\InboxDollars\Toolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{dc604963-79a8-78fa-9751-607d04851c50}]
c:\windows\system32\4d96feab.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47980628-3844-42AA-A0DD-E2D86BBA9600}"= "c:\documents and settings\Parent\My Documents\InboxDollars\Toolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{47980628-3844-42aa-a0dd-e2d86bba9600}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{5DB5671F-D35B-419E-A124-0653A57FBCA1}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{47980628-3844-42AA-A0DD-E2D86BBA9600}"= "c:\documents and settings\Parent\My Documents\InboxDollars\Toolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{47980628-3844-42aa-a0dd-e2d86bba9600}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{5DB5671F-D35B-419E-A124-0653A57FBCA1}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [BU]
"Steam"="c:\program files\Steam\steam.exe" [2012-12-03 1354736]
"Raptr"="c:\progra~1\Raptr\raptrstub.exe" [2013-01-29 55360]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2012-10-25 3093624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-10 19523616]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"fvXurBUAjfb.exe"="c:\documents and settings\All Users\Application Data\fvXurBUAjfb.exe" [BU]
"VisualizerPlugin"="c:\documents and settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe" [2012-05-07 41440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/18/2010 2:10 PM 184888]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/26/2011 6:57 PM 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [12/26/2011 6:57 PM 112936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/31/2002 7:00 AM 44800]
S2 EngineServer;EngineServer;"c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe" --> c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [?]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe" /ServiceStart --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/19/2012 4:14 PM 160944]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/26/2011 6:57 PM 15656]
S3 XDva392;XDva392;\??\c:\windows\system32\XDva392.sys --> c:\windows\system32\XDva392.sys [?]
S3 XDva393;XDva393;\??\c:\windows\system32\XDva393.sys --> c:\windows\system32\XDva393.sys [?]
S3 XDva394;XDva394;\??\c:\windows\system32\XDva394.sys --> c:\windows\system32\XDva394.sys [?]
S3 XDva401;XDva401;\??\c:\windows\system32\XDva401.sys --> c:\windows\system32\XDva401.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WUAUSERV
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bcm43xx
pctoolsfirewallplus
houdinilicenseserver
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-31 23:40 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-24 15:29]
.
2013-02-04 c:\windows\Tasks\AdobeAAMUpdater-1.0-K12-29575462567-Parent.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-14 07:44]
.
2013-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 21:12]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 21:12]
.
2013-02-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 18:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.k12.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Microsoft - c:\documents and settings\Parent\Local Settings\Application Data\Roblox\Microsoft\qnzrdjc.dll
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
AddRemove-Mabinogi - c:\nexon\Mabinogi\Mabinogi.exe
AddRemove-Superfighters Deluxe_is1 - c:\documents and settings\Parent\Desktop\Superfighters Deluxe\unins000.exe
AddRemove-PlanetSide 2 - c:\program files\Sony Online Entertainment\Installed Games\PlanetSide 2\Uninstaller.exe
AddRemove-PlanetSide 2 Beta - c:\program files\Sony Online Entertainment\Installed Games\PlanetSide 2 Beta\Uninstaller.exe
AddRemove-SOE-PlanetSide 2 Beta - c:\program files\Sony Online Entertainment\Installed Games\PlanetSide 2 Beta\Uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-04 18:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\WMASF.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\Raptr\ltc_help32-68721.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\RTHDCPL.EXE
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\progra~1\Raptr\raptr.exe
c:\progra~1\Raptr\raptr_im.exe
.
**************************************************************************
.
Completion time: 2013-02-04 18:10:45 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-04 23:10
ComboFix2.txt 2012-10-21 22:33
ComboFix3.txt 2012-10-21 17:45
ComboFix4.txt 2012-10-20 02:36
ComboFix5.txt 2013-02-04 22:33
.
Pre-Run: 33,810,247,680 bytes free
Post-Run: 37,160,693,760 bytes free
.
- - End Of File - - 9FEFFF6F63C0404776228858A442A65C

Edited by Kaljinyu, 05 February 2013 - 01:38 AM.


#12 Noviciate

Noviciate

  • Malware Response Team
  • 4,996 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 February 2013 - 02:55 PM

Good evening. :)

Take the PC for a spin, throwing in at least one reboot and then do the following:

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.
Will you also tell me how the PC is now behaving.


#13 Kaljinyu

Kaljinyu
  • Topic Starter

  • Members
  • 328 posts
  • Gender:Male

Posted 05 February 2013 - 11:33 PM

Alright, alright, everything still seems to be in working order. Restarted and everything, none of the symptoms from before. Here are the logs you asked for.

First OTL.txt...

OTL logfile created on: 2/5/2013 11:23:41 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Parent\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 68.16% Memory free
3.35 Gb Paging File | 2.96 Gb Available in Paging File | 88.57% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 34.45 Gb Free Space | 23.11% Space Free | Partition Type: NTFS

Computer Name: K12-29575462567 | User Name: Parent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/02/05 23:23:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Parent\Desktop\OTL.scr
PRC - [2012/11/17 12:41:39 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/10/24 19:05:03 | 003,093,624 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2012/07/03 09:04:58 | 000,507,312 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2012/05/07 10:49:23 | 000,041,440 | ---- | M] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe
PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/05/17 13:29:46 | 000,395,144 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2010/04/05 14:55:01 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2010/03/24 21:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/07/15 11:13:06 | 003,662,632 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchUser.exe
PRC - [2009/07/15 11:13:04 | 000,393,512 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
PRC - [2009/07/15 11:13:04 | 000,112,936 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\WTouch\WTouchService.exe
PRC - [2009/07/15 11:13:02 | 004,408,616 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
PRC - [2002/12/31 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/12/31 07:00:00 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/24 19:05:03 | 003,093,624 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
MOD - [2012/05/07 10:49:23 | 000,041,440 | ---- | M] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe
MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/04/05 14:55:01 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ino_fltr.dll -- (pctoolsfirewallplus)
SRV - File not found [Auto | Stopped] -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe /ServiceStart -- (myAgtSvc)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\btaudio.dll -- (houdinilicenseserver)
SRV - File not found [Auto | Stopped] -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -- (EngineServer)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\usnsvc.dll -- (bcm43xx)
SRV - [2013/01/17 20:02:04 | 000,541,608 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013/01/09 10:29:29 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/11/17 12:41:39 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/10/19 16:14:08 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/06/06 11:36:00 | 004,005,936 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2010/04/05 14:55:01 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/07/15 11:13:04 | 000,112,936 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\Program Files\WTouch\WTouchService.exe -- (WTouchService)
SRV - [2009/07/15 11:13:02 | 004,408,616 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2002/12/31 07:00:00 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva401.sys -- (XDva401)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva394.sys -- (XDva394)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva393.sys -- (XDva393)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva392.sys -- (XDva392)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Twelve-Inch-sUBs\catchme.sys -- (catchme)
DRV - [2010/06/18 14:10:15 | 000,184,888 | ---- | M] (Advanced Micro Devices, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ahcix86.sys -- (ahcix86)
DRV - [2010/04/09 19:26:12 | 005,913,632 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2010/02/09 07:56:14 | 000,222,248 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2010/01/28 01:11:40 | 004,588,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/12/15 13:29:52 | 000,055,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/05/20 14:54:06 | 000,013,736 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid)
DRV - [2009/03/18 17:35:40 | 000,026,176 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/01/30 16:29:50 | 000,015,656 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys -- (wacmoumonitor)
DRV - [2007/04/16 18:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/02/16 14:12:36 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter)
DRV - [2007/02/15 19:11:28 | 000,011,440 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid)
DRV - [2002/12/31 07:00:00 | 001,161,696 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/12/31 07:00:00 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.k12.com/
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {4219427b-0228-4356-a78b-eb7668d37d07} - SOFTWARE\Classes\CLSID\{4219427b-0228-4356-a78b-eb7668d37d07}\InprocServer32 File not found
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {64CFD071-4784-4841-B0B1-C7EB2FF81AA2}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ppcb3&s={searchTerms}&f=4
IE - HKCU\..\SearchScopes\{64CFD071-4784-4841-B0B1-C7EB2FF81AA2}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
IE - HKCU\..\SearchScopes\{759D3600-1ED0-403C-A236-B8FB8AE92528}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKCU\..\SearchScopes\{BBEC539D-A89C-4CA8-84ED-D8EFF16FE25C}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ATU&o=14674&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=T9&apn_dtid=YYYYYYYYUS&apn_uid=13d66f80-e811-43fd-95f0-eb7a00b393ef&apn_sauid=857A3E29-D2AB-4DF1-8329-F3C4CFFCA015
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=937811&ilc=12&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.startup.homepage: "http://www.mystart.com/index.php?pr=vmn&amp;rlz=1V1SAYD&amp;id=dealbrowsingtb&amp;v=1_1"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@ogplanet.com/npOGPPlugin: C:\WINDOWS\system32\npOGPPlugin.dll (OGPlanet)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@virtools.com/3DviaPlayer: C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Dassault Systèmes)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: C:\Documents and Settings\Parent\Local Settings\Application Data\RobloxVersions\version-5acc042b77fe4879\\NPRobloxProxy.dll ()
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Parent\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)


[2012/04/02 19:41:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Extensions
[2013/01/24 16:42:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions
[2012/01/10 13:14:17 | 000,000,000 | ---D | M] (ShopToWin9) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}
[2012/01/10 13:14:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\{a0c1b151-6d21-4257-bd05-45dad6182353}
[2012/04/02 19:41:21 | 000,000,000 | ---D | M] (RivalGaming) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\[email protected]
[2011/12/14 22:04:40 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\[email protected]
[2012/01/10 04:49:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}\chrome\content\dca\core\extensionManager
[2002/12/31 07:00:00 | 000,004,815 | ---- | M] () (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\[email protected]
[2011/11/03 07:20:44 | 000,000,598 | ---- | M] () (No name found) -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}\chrome\content\dca\core\voicebox\validators\VBExpiredValidator.js
[2011/02/01 18:05:08 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\3g6jwxcb.default\searchplugins\askcom.xml
[2011/04/16 17:37:07 | 000,002,048 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\24.0.1312.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: AmazonMP3DownloaderPlugin (Enabled) = C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: 3DVIA player (Enabled) = C:\Program Files\Virtools\3D Life Player\npvirtools.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: YouTube = C:\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Adblock Plus = C:\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.3.4_0\
CHR - Extension: Google Search = C:\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = C:\Documents and Settings\Parent\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2013/02/04 18:03:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (InboxDollars BHO) - {6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (advertzilla) - {dc604963-79a8-78fa-9751-607d04851c50} - C:\WINDOWS\system32\4d96feab.dll File not found
O3 - HKLM\..\Toolbar: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [fvXurBUAjfb.exe] C:\Documents and Settings\All Users\Application Data\fvXurBUAjfb.exe File not found
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [VisualizerPlugin] C:\Documents and Settings\Parent\Local Settings\Application Data\VisualizerPlugin\VisualizerPlugin.exe ()
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [Raptr] C:\Program Files\Raptr\raptrstub.exe (Raptr, Inc)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ([*] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1299365905203 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13B55215-7C8A-493C-8B11-8A70113730C0}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.811.dll File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\K12Wallpaper4.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\K12Wallpaper4.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/18 17:45:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/05 23:23:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Parent\Desktop\OTL.scr
[2013/02/04 18:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Parent\Application Data\WTouch
[2013/02/04 09:19:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Parent\Desktop\RK_Quarantine
[2013/01/30 17:23:24 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Parent\Desktop\dds.com
[2013/01/29 23:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2013/01/13 20:58:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Player API universal 1.1
[2013/01/13 20:58:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Smart Moving 12.0
[76 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/02/05 23:23:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Parent\Desktop\OTL.scr
[2013/02/05 23:05:13 | 000,498,070 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/05 23:05:13 | 000,085,386 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/05 23:01:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/05 23:01:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2013/02/05 23:00:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/05 23:00:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/05 22:40:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/05 22:29:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/02/05 02:00:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-K12-29575462567-Parent.job
[2013/02/04 18:03:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/02/04 17:28:37 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/31 20:25:43 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MapleStory.url
[2013/01/31 20:03:52 | 4265,379,000 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\MSSetupv125.exe
[2013/01/31 18:43:00 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/01/31 11:21:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/01/30 17:23:25 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Parent\Desktop\dds.com
[2013/01/27 15:29:51 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Internet Explorer Troubleshooting.url
[2013/01/27 08:23:54 | 000,003,436 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\weirdgun.PNG
[2013/01/26 02:02:29 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Chivalry Medieval Warfare.url
[2013/01/25 04:34:39 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Parent\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/25 00:09:12 | 000,002,219 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\sfdthing.PNG
[2013/01/21 20:16:59 | 000,397,640 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\warzownimg.PNG
[2013/01/20 21:27:50 | 000,000,588 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\UziNew.PNG
[2013/01/19 16:46:51 | 000,537,620 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Target Tower.PNG
[2013/01/16 03:05:17 | 000,812,603 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Kenterall.PNG
[2013/01/13 20:56:58 | 000,867,180 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Smart Moving 12.0.zip
[2013/01/13 20:55:33 | 000,196,524 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Player API universal 1.1.zip
[2013/01/13 15:53:45 | 000,002,179 | ---- | M] () -- C:\Documents and Settings\Parent\Desktop\Red Armada uniform.png
[76 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/31 20:25:43 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MapleStory.url
[2013/01/31 19:21:01 | 4265,379,000 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\MSSetupv125.exe
[2013/01/27 15:29:51 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\Internet Explorer Troubleshooting.url
[2013/01/26 23:23:36 | 000,003,436 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\weirdgun.PNG
[2013/01/26 02:02:29 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\Chivalry Medieval Warfare.url
[2013/01/24 23:44:58 | 000,002,219 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\sfdthing.PNG
[2013/01/21 20:16:56 | 000,397,640 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\warzownimg.PNG
[2013/01/20 21:27:50 | 000,000,588 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\UziNew.PNG
[2013/01/19 16:46:51 | 000,537,620 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\Target Tower.PNG
[2013/01/16 03:05:17 | 000,812,603 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\Kenterall.PNG
[2013/01/13 20:56:54 | 000,867,180 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Smart Moving 12.0.zip
[2013/01/13 20:55:33 | 000,196,524 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\MC 1.4.7 - Player API universal 1.1.zip
[2013/01/13 15:53:45 | 000,002,179 | ---- | C] () -- C:\Documents and Settings\Parent\Desktop\Red Armada uniform.png
[2012/12/17 22:16:56 | 000,000,100 | ---- | C] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\rbxcsettings.rbx
[2012/11/14 21:49:23 | 004,589,284 | ---- | C] () -- C:\Documents and Settings\Parent\minecraft.patch
[2012/04/27 08:17:19 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Parent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/31 04:24:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Parent\defogger_reenable
[2012/03/29 02:20:54 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/29 02:20:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/29 02:20:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/29 02:20:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/29 02:20:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/05 02:26:08 | 000,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2011/12/19 01:18:57 | 000,056,288 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/11/15 20:26:53 | 000,000,096 | ---- | C] () -- C:\WINDOWS\System32\HsInfo.dat
[2011/06/16 18:06:45 | 000,000,032 | R--- | C] () -- C:\Documents and Settings\All Users\hash.dat
[2011/04/23 06:40:09 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/04/23 06:40:09 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/03/31 13:03:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/02/08 14:54:57 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/01 09:02:18 | 000,617,122 | ---- | C] () -- C:\Documents and Settings\Parent\persuasive_essay_checklist.pdf
[2010/10/01 09:02:01 | 000,636,035 | ---- | C] () -- C:\Documents and Settings\Parent\persuasive_sample.pdf--ova5thgrade

========== ZeroAccess Check ==========

[2011/06/20 09:11:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2002/12/31 07:00:00 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2002/12/31 07:00:00 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2002/12/31 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011/03/23 17:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blueberry
[2010/09/29 11:52:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/09/29 12:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonEPP
[2010/09/29 13:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2010/09/29 13:33:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/12/03 19:31:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX
[2010/09/29 12:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX2
[2010/09/29 11:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup
[2010/09/29 12:06:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2013/01/25 04:33:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2010/09/29 13:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010/09/29 12:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenuEX
[2010/09/29 11:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
[2011/02/19 12:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cInGdIh06504
[2011/02/07 14:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/06/13 00:32:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EasyMP3Downloader
[2011/11/29 23:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\id Software
[2011/03/23 17:47:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogSys
[2011/07/27 15:47:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nexon
[2012/12/12 22:20:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2013/01/31 19:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011/04/14 19:49:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2011/12/26 18:33:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SYSTEMAX Software Development
[2012/01/10 08:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/12/12 09:32:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YouTube Downloader
[2011/12/06 21:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2013/01/13 15:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\.minecraft
[2011/12/10 21:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\1.0 Backup
[2012/01/12 22:57:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\1.1 Backup
[2011/05/04 15:40:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\7-Zip
[2011/11/12 03:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Amazon
[2013/01/04 18:47:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Audacity
[2012/12/06 20:34:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Awesomium
[2011/12/10 21:45:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Backup
[2011/01/23 06:15:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\BitTorrent
[2011/03/23 17:50:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Blueberry
[2010/09/29 13:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Canon
[2011/02/09 13:49:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\DAEMON Tools Lite
[2010/10/01 09:01:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Elluminate
[2012/01/10 04:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\FCSB000063123
[2012/01/10 13:14:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\FCTB000062133
[2012/03/05 19:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Firefly Studios
[2011/01/10 23:21:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Formats
[2011/06/20 09:15:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Hi-Rez Studios
[2011/11/29 23:55:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\id Software
[2011/05/31 21:11:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\ijjigame
[2011/03/23 17:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\LogSys
[2011/03/24 21:24:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\LolClient
[2012/01/28 20:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\NeopleLauncherDFO
[2013/02/05 23:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Raptr
[2012/02/22 23:35:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\RotMG.Production
[2012/11/22 19:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Sony Online Entertainment
[2011/12/26 18:33:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\SYSTEMAX Software Development
[2012/11/14 20:34:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\SystemRequirementsLab
[2012/02/09 21:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\Unity
[2013/02/04 18:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Parent\Application Data\WTouch

========== Purity Check ==========



< End of report >

And then, Extras.txt...

OTL Extras logfile created on: 2/5/2013 11:23:41 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Parent\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 68.16% Memory free
3.35 Gb Paging File | 2.96 Gb Available in Paging File | 88.57% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 34.45 Gb Free Space | 23.11% Space Free | Partition Type: NTFS

Computer Name: K12-29575462567 | User Name: Parent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Raptr\raptr.exe" = C:\Program Files\Raptr\raptr.exe:*:Enabled:Raptr Desktop App -- (Raptr, Inc)
"C:\Program Files\Raptr\raptr_im.exe" = C:\Program Files\Raptr\raptr_im.exe:*:Enabled:Raptr IM -- (Raptr, Inc)
"C:\Documents and Settings\Parent\Desktop\Superfighters Deluxe\Superfighters Deluxe.exe" = C:\Documents and Settings\Parent\Desktop\Superfighters Deluxe\Superfighters Deluxe.exe:*:Enabled:Superfighters Deluxe -- (MythoLogic Interactive)
"E:\pc version\Nazi Zombies Portable.exe" = E:\pc version\Nazi Zombies Portable.exe:*:Enabled:Nazi Zombies Portable
"E:\NZP\Nazi Zombies Portable.exe" = E:\NZP\Nazi Zombies Portable.exe:*:Enabled:Nazi Zombies Portable
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP280_series" = Canon MP280 series MP Drivers
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 3.4
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25B69FD9-E2FB-41CE-BB5F-22C418FF5FDB}" = Quake Live Internet Explorer Plugin
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 26
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{54194F60-988C-4D03-B922-C2B00EFDA39A}" = NVIDIA PhysX
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}" = Media Player Utilities 4.36
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}" = REACTOR
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BA688606-4B20-4982-995E-EDADC6A6817E}" = League of Legends
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFC9F871-7C40-40B6-BE4A-B98A5B309716}" = Adobe Flash Professional CS5
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{E5F05232-96B6-4552-A480-785A60A94B21}" = System Requirements Lab CYRI
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F11A85D1-6BC5-4C49-92DE-658324F71188}" = NovaNET Multimedia Courseware
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"469f6fef" = Contextual Tool Advertzilla
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.14
"ATI Display Driver" = ATI Display Driver
"aTube Catcher" = aTube Catcher
"Audacity_is1" = Audacity 2.0.2
"Canon MP280 series User Registration" = Canon MP280 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenuEX" = Canon Solution Menu EX
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Cheat Engine 6.1_is1" = Cheat Engine 6.1
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Setup" = DivX Setup
"Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX
"Google Chrome" = Google Chrome
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapleStory" = MapleStory
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft.Net.Client.3.5" = Microsoft .NET Framework Client Profile
"MP Navigator EX 4.0" = Canon MP Navigator EX 4.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Owl and Mouse U.S. Map Puzzle" = Owl and Mouse U.S. Map Puzzle
"Pen Tablet Driver" = Bamboo
"Raptr" = Raptr
"Recuva" = Recuva
"Speccy" = Speccy
"Steam App 212160" = Vindictus
"Steam App 218" = Source SDK Base 2007
"Steam App 219640" = Chivalry: Medieval Warfare
"Steam App 440" = Team Fortress 2
"Steam App 8980" = Borderlands
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.00 (32-bit)
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xfire" = Xfire (remove only)
"Xvid Video Codec 1.3.1" = Xvid Video Codec

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = ROBLOX Player for Parent
"RivalGaming" = RivalGaming
"Smart Fortress 2012" = Smart Fortress 2012
"SOE-C:/Documents and Settings/Parent/Application Data/Sony Online Entertainment/ApplicationUpdater" = applicationupdater
"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 1/25/2013 4:48:09 AM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module qnzrdjc.dll, version 1.9.22.107, fault address 0x00001230.

Error - 1/25/2013 5:42:18 AM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ieframe.dll, version 8.0.6001.18939, fault address 0x00205cec.

Error - 1/25/2013 12:13:35 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module qnzrdjc.dll, version 1.9.22.107, fault address 0x00001230.

Error - 1/25/2013 12:13:54 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module qnzrdjc.dll, version 1.9.22.107, fault address 0x00001230.

Error - 1/25/2013 3:20:24 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module qnzrdjc.dll, version 1.9.22.107, fault address 0x00001230.

Error - 1/27/2013 10:48:57 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module qnzrdjc.dll, version 1.9.22.107, fault address 0x00001230.

Error - 1/29/2013 5:55:41 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module urlmon.dll, version 8.0.6001.18939, fault address 0x0002a1b0.

Error - 2/4/2013 10:28:38 AM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x03761164.

Error - 2/4/2013 10:28:52 AM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 2/4/2013 6:49:44 PM | Computer Name = K12-29575462567 | Source = Application Error | ID = 1000
Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
version 0.0.0.0, fault address 0x0008d1c0.

[ System Events ]
Error - 2/4/2013 7:06:32 PM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7022
Description = The SharedAccess service hung on starting.

Error - 2/4/2013 7:07:11 PM | Computer Name = K12-29575462567 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 2/4/2013 7:07:16 PM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the iPod Service service
to connect.

Error - 2/4/2013 7:07:16 PM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%1053

Error - 2/5/2013 4:31:02 AM | Computer Name = K12-29575462567 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.6 for the Network Card with network
address 1CC1DE5B3F91 has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2/6/2013 12:01:10 AM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7023
Description = The Wg111nd5 service terminated with the following error: %%126

Error - 2/6/2013 12:01:10 AM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7000
Description = The EngineServer service failed to start due to the following error:
%%3

Error - 2/6/2013 12:01:10 AM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7023
Description = The Inotask service terminated with the following error: %%126

Error - 2/6/2013 12:01:10 AM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7000
Description = The McAfee Virus and Spyware Protection Service service failed to
start due to the following error: %%3

Error - 2/6/2013 12:01:10 AM | Computer Name = K12-29575462567 | Source = Service Control Manager | ID = 7023
Description = The OEM02Dev service terminated with the following error: %%126


< End of report >

#14 Noviciate

  • Malware Response Team
  • 4,996 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:32 AM

Posted 08 February 2013 - 03:59 PM

Good evening.

Run OTL.exe.

  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
    IE - HKCU\..\URLSearchHook: - No CLSID value found
    IE - HKCU\..\URLSearchHook: {4219427b-0228-4356-a78b-eb7668d37d07} - SOFTWARE\Classes\CLSID\{4219427b-0228-4356-a78b-eb7668d37d07}\InprocServer32 File not found
    IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (advertzilla) - {dc604963-79a8-78fa-9751-607d04851c50} - C:\WINDOWS\system32\4d96feab.dll File not found
    O3 - HKLM\..\Toolbar: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found
    O4 - HKLM..\Run: [fvXurBUAjfb.exe] C:\Documents and Settings\All Users\Application Data\fvXurBUAjfb.exe File not found
    O4 - HKCU..\Run: [AdobeBridge] File not found
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Reg Error: Value error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.811.dll File not found

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click the Run Fix button at the top.
  • Let the program run until it has completed and then reboot the PC when it is done.

Assuming that the PC behaves itself afterwards, and this is just a little tidying up, then you are about done. You need to uninstall Java™ 6 Update 26 as it is an old version and a security risk and then get yourself an anti-virus double-quick. There are a few free ones available, of which the following have been on my PC at one time or another:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here.
AntiVir Personal Edition Classic: Available here.
Microsoft Security Essentials: Available here.

Select just one and install, update and scan. Running two, or more, at the same time risks conflicts, so don't go there.

Finally, I am unsure from your log whether or not you have a software firewall installed. If you have, and I've missed it, please ignore this.
If you haven't, or are using the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a few free firewalls available, of which the following two I have also used myself:
Comodo Firewall Pro, available here.
Zone Alarm, available here.

Again, while you can download them all to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Run OTL and click on the CleanUp button at the top - it will perform a little housekeeping to leave your PC a little less cluttered.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

Logs answered since Christmas Day: 42

Threads completed: 11

Threads closed after some work but not completed: 10

Threads closed following a total lack of response from poster: 15
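
The fix above removes only the entries OTL flagged as pointing at nothing (File not found, No CLSID value found, Reg Error), which is what a half-uninstalled adware bundle leaves behind in the IE search-hook, BHO, toolbar, Run and DPF locations. As an added example that is not part of the post or of the OTL tool, the following Python script parses lines in the format OTL prints, selects exactly those orphaned entries and renders them back as an :OTL fix block. The log lines embedded in it are copied from the fix above; the single "healthy" BHO line is constructed here to show a non-orphaned entry being left alone, and the function names (parse_line, orphaned_entries, build_fix) are chosen for this example.

```python
"""Added example: triage of OTL log entries into an :OTL fix block.
Not part of OTL or of the forum post; the function names are chosen here."""
import re

# Strings OTL appends when a registry entry points at something that is gone.
ORPHAN_MARKERS = (
    "File not found",
    "No CLSID value found",
    "Reg Error: Key error.",
    "Reg Error: Value error.",
)

# {8-4-4-4-12} hex GUID, the way OTL prints CLSIDs.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A local path from the drive letter up to a .dll/.exe/.cab extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|cab))(?=\s|$)", re.IGNORECASE)

# Lines copied from the fix posted in the thread above.
LOG_LINES = [
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.",
    r"IE - HKCU\..\URLSearchHook: - No CLSID value found",
    r"IE - HKCU\..\URLSearchHook: {4219427b-0228-4356-a78b-eb7668d37d07} - SOFTWARE\Classes\CLSID\{4219427b-0228-4356-a78b-eb7668d37d07}\InprocServer32 File not found",
    r"IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
    r"O2 - BHO: (advertzilla) - {dc604963-79a8-78fa-9751-607d04851c50} - C:\WINDOWS\system32\4d96feab.dll File not found",
    r"O3 - HKLM\..\Toolbar: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (InboxDollars) - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll File not found",
    r"O4 - HKLM..\Run: [fvXurBUAjfb.exe] C:\Documents and Settings\All Users\Application Data\fvXurBUAjfb.exe File not found",
    r"O4 - HKCU..\Run: [AdobeBridge] File not found",
    r"O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)",
    r"O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Reg Error: Value error.)",
    r"O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)",
    r"O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.811.dll File not found",
]

# Constructed line (not from the thread): a BHO whose file is present, to
# show that non-orphaned entries pass through untouched.
HEALTHY_LINE = (
    r"O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"
    r" - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)"
)


def parse_line(line):
    """Split one OTL entry into its section tag, CLSID, local path and
    whether OTL marked it as pointing at nothing. Returns None for blanks."""
    line = line.strip()
    if not line:
        return None
    clsid = CLSID_RE.search(line)
    path = PATH_RE.search(line)
    return {
        "kind": line.split(" ", 1)[0],  # 'IE', 'O2', 'O3', 'O4', 'O16', 'O18'
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(1) if path else None,
        "orphan": any(marker in line for marker in ORPHAN_MARKERS),
        "raw": line,
    }


def orphaned_entries(lines):
    """Entries whose CLSID or target file no longer exists. Nothing loads
    from them, so removing them is safe; they are the residue of a
    half-uninstalled bundle. Entries that still resolve need a human
    decision and are deliberately not selected here."""
    return [e for e in map(parse_line, lines) if e and e["orphan"]]


def build_fix(lines):
    """Render the :OTL section of a custom fix, one orphaned entry per line,
    in the form OTL expects it pasted back. The :Commands part is a policy
    choice rather than something derived from the log, so it is not generated."""
    return "\n".join([":OTL"] + [e["raw"] for e in orphaned_entries(lines)])


if __name__ == "__main__":
    print(build_fix(LOG_LINES + [HEALTHY_LINE]))
```

The selection rule is intentionally narrow: an entry whose file is present is not touched even if its name looks suspicious, because at that point the decision is about what the file is, not about a dangling registry reference, and that is the part a helper still has to judge by hand.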
#15 Kaljinyu
  • Topic Starter

  • Members
  • 328 posts
  • Gender:Male
  • Local time:11:32 PM

Posted 09 February 2013 - 07:29 AM

Alright, I ran the custom fix, but how do I update Java?

So far it's seeming like we've got this licked.