Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google searches redirected to scour.com


  • This topic is locked This topic is locked
9 replies to this topic

#1 Mok

Mok

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 25 March 2010 - 01:44 AM

Hello.

I have been running Windows in one form or another for 25 or more years and have never had a virus problem until now.

Last week I noticed that when I do a Google search the results would be fine but sometimes when I clicked on a link I would go to the wrong site. I thought nothing of it because I have a hardware firewall and was running avg free edition. I thought I was covered.

Today things took a turn for the worse. Now when I do a search, when I click a link I get redirected to scour.com. Doing searches by using the "open in new window" option prevents the redirection and allowed to me look into the matter. I discovered this site, and a new term : "Redirect Virus". I also discovered my face could turn quite red at the thought of these little punks getting away with stuff like this.

I uninstalled avg and downloaded and installed Microsoft Security Essentials. I've done a complete scan and it found nothing (like avg).
I have also installed the latest Adaware and it also found nothing other than a couple of cookies.

I have no idea how I got infected as I scoff at those who fall for the lame tactics used by most of the perpetrators of this foolishness. So, I am left without a clue as to how I got infected, thus showing I could easily get reinfected.

I am using Firefox 3.6.2, Windows 7 pro 64 bit. I have not opened IE since I might infect it or something (I know, unlikely but I don't know how these things work).

Any help here would be appreciated.
edit: I have performed the steps in the noob guide (Preparation Guide).
Note that during step 8 I got an error saying a file cannot be found in the system directory. This caused the checkmarks in gmer for "System" down to "Libraries" to be ghosted out. I got another error when I ran the scan saying "C:windows\system32\config\system: The process cannot access the file because it is being used by another process" but the scan did run. Unfortunately the ark.txt file I create when I use the save function is blank. I believe these errors are because I am using Windows 7.

I have attached the attach.txt log file created in the prep steps.

Please, help me before I search again....

EDIT: I have checked Internet Explorer 8 and I am getting a slight varation. About every 4th link I click on in a Google search is being redirected to a couple of different sites, one of which is Scour.com

Here is the DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Mergatroid at 1:15:42.70 on 25/03/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.4095.2660 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Ideazon\ZEngine\Zboard.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\Temp\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~1\office12\GR469A~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BackgroundSwitcher] "c:\program files (x86)\johnsadventures.com\john's background switcher\BackgroundSwitcher.exe"
mRun: [Zboard] c:\program files (x86)\ideazon\zengine\Zboard.exe
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\mergat~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files (x86)\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
LSP: ipv6.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GR469A~1.DLL
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun-x64: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

================= FIREFOX ===================

FF - ProfilePath - c:\users\mergat~1\appdata\roaming\mozilla\firefox\profiles\6svqz973.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox
FF - component: c:\users\mergatroid\appdata\roaming\mozilla\firefox\profiles\6svqz973.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npOGPPlugin.dll
FF - plugin: d:\apps\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\apps\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 69152]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 173984]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-9-23 202752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 40832]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-12-19 314400]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1255736]

=============== Created Last 30 ================

2010-03-25 05:35:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-25 05:28:42 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-25 05:28:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-25 05:26:37 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 05:26:32 0 d-----w- c:\programdata\Lavasoft
2010-03-25 05:26:32 0 d-----w- c:\program files (x86)\Lavasoft
2010-03-25 03:47:29 0 d-----w- c:\program files (x86)\Microsoft Antimalware
2010-03-25 03:47:27 0 d-----w- c:\program files\Microsoft Security Essentials
2010-03-13 06:06:27 276992 ----a-w- c:\windows\syswow64\a3dapi.dll
2010-03-13 05:49:06 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-13 05:42:20 4096 ----a-w- c:\windows\d3dx.dat
2010-03-12 05:08:18 41984 ----a-w- c:\windows\system32\tmffbdrv.dll
2010-03-12 05:08:18 295936 ----a-w- c:\windows\system32\tmffbcpl.dll
2010-03-12 05:08:18 208304 ----a-w- c:\windows\system32\isrt.dll
2010-03-12 05:08:18 102832 ----a-w- c:\windows\system32\_IsRes.dll
2010-03-12 05:08:09 34304 ----a-w- c:\windows\syswow64\tmffbdrv.dll
2010-03-12 05:08:09 253952 ----a-w- c:\windows\syswow64\tmffbcpl.dll
2010-03-12 05:08:09 0 d-----w- c:\program files (x86)\Thrustmaster
2010-03-12 01:18:00 0 d-----w- c:\program files (x86)\directx
2010-03-04 05:11:51 0 d-----w- c:\program files (x86)\DCoder Image Source
2010-03-04 05:11:47 0 d-----w- c:\program files (x86)\FFMPEG Core Files
2010-03-04 05:11:30 0 d-----w- c:\program files (x86)\SHOUTcast Source
2010-03-04 05:11:28 0 d-----w- c:\program files (x86)\MONOGRAM AMR SplitterDecoder
2010-03-04 05:11:26 0 d-----w- c:\program files (x86)\CD Audio Reader Filter
2010-03-04 05:11:24 0 d-----w- c:\program files (x86)\OpenSource AVI Splitter
2010-03-04 05:11:22 0 d-----w- c:\program files (x86)\Gabest MPEG Splitter
2010-03-04 05:11:20 0 d-----w- c:\program files (x86)\OpenSource DTSAC3DD+ Source Filter
2010-03-04 05:11:16 0 d-----w- c:\program files (x86)\RealMedia
2010-03-04 05:11:01 0 d-----w- c:\program files (x86)\DScaler5
2010-03-04 05:10:55 580096 ----a-w- c:\windows\system32\ac3filter64.acm
2010-03-04 05:10:55 497664 ----a-w- c:\windows\syswow64\ac3filter.acm
2010-03-04 05:10:55 0 d-----w- c:\program files (x86)\AC3Filter
2010-03-04 05:10:43 0 d-----w- c:\program files (x86)\Bass Audio Decoder
2010-03-04 05:10:33 85504 ----a-w- c:\windows\syswow64\ff_vfw.dll
2010-03-04 04:52:29 0 d-----w- c:\program files (x86)\Combined Community Codec Pack
2010-03-04 02:17:53 0 d-----r- c:\users\mergat~1\appdata\roaming\Brother
2010-03-02 02:25:52 36734 ----a-w- c:\windows\syswow64\OggDSuninst.exe
2010-03-02 02:13:02 0 d-----w- c:\program files\DivX
2010-03-02 02:12:57 0 d-----w- c:\program files (x86)\common files\PX Storage Engine
2010-03-02 02:12:49 0 d-----w- c:\program files (x86)\common files\DivX Shared
2010-02-28 09:00:20 0 d-----w- c:\windows\syswow64\Wat
2010-02-28 09:00:20 0 d-----w- c:\windows\system32\Wat
2010-02-28 01:27:27 871408 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-28 01:27:19 24 ----a-w- c:\windows\drvlist.cfg
2010-02-28 01:27:18 176128 ----a-w- c:\windows\syswow64\ipv6.dll
2010-02-28 00:16:22 0 d-----w- c:\windows\system32\appmgmt
2010-02-26 06:25:56 0 d-----w- c:\users\mergatroid\dwhelper
2010-02-25 01:01:04 0 d-----w- c:\users\mergat~1\appdata\roaming\BitTorrent
2010-02-23 23:15:00 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-02-23 23:15:00 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 23:14:58 716800 ----a-w- c:\windows\syswow64\jscript.dll

==================== Find3M ====================

2010-02-24 15:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-01-19 09:05:57 424960 ----a-w- c:\windows\system32\secproc.dll
2010-01-19 09:05:57 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-19 09:00:44 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-19 09:00:43 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-19 09:00:37 356352 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-19 09:00:37 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-11 07:12:38 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 1:16:02.93 ===============

Attached Files


Edited by Mok, 25 March 2010 - 08:20 PM.


BC AdBot (Login to Remove)

 


#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:40 PM

Posted 28 March 2010 - 07:03 AM

Hi Mok, and welcome to Bleeping Computer.

Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Then,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\program files (x86)\mozilla firefox\plugins\npOGPPlugin.dll

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 Mok

Mok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 29 March 2010 - 07:43 PM

Thanks much for your help.


Here is the link to the analysis of the npOGPPlugin.dll

http://www.virustotal.com/analisis/0f36a6e...e587-1269910061

Here is OTL.txt:

OTL logfile created on: 29/03/2010 7:38:30 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Mergatroid\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 69.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 28.51 Gb Total Space | 7.95 Gb Free Space | 27.87% Space Free | Partition Type: NTFS
Drive D: | 120.44 Gb Total Space | 93.89 Gb Free Space | 77.95% Space Free | Partition Type: NTFS
Drive E: | 664.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERGATROID-PC
Current User Name: Mergatroid
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/29 19:38:16 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Mergatroid\Desktop\OTL.exe
PRC - [2010/03/25 00:28:08 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/25 00:28:07 | 001,263,728 | ---- | M] (Lavasoft) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/03/24 22:03:03 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2009/07/20 05:00:00 | 000,077,824 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
PRC - [2009/06/04 19:56:20 | 000,057,344 | ---- | M] (Ideazon, Inc.) -- C:\Program Files (x86)\Ideazon\ZEngine\Zboard.exe
PRC - [2008/10/25 08:18:50 | 000,098,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2006/11/03 12:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\Windows\PixArt\PAC7302\Monitor.exe


========== Modules (SafeList) ==========

MOD - [2010/03/29 19:38:16 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Mergatroid\Desktop\OTL.exe
MOD - [2009/07/13 20:15:07 | 000,486,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/02/28 04:00:19 | 001,255,736 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\SysNative\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV:64bit: - [2009/12/09 20:30:34 | 000,017,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/09/23 17:28:02 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/20 13:36:14 | 000,160,784 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV:64bit: - [2009/07/13 20:41:59 | 000,229,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wwansvc.dll -- (WwanSvc)
SRV:64bit: - [2009/07/13 20:41:56 | 000,202,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbiosrvc.dll -- (WbioSrvc)
SRV:64bit: - [2009/07/13 20:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 20:41:56 | 000,163,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpo.dll -- (Power)
SRV:64bit: - [2009/07/13 20:41:55 | 000,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2009/07/13 20:41:54 | 000,065,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sppuinotify.dll -- (sppuinotify)
SRV:64bit: - [2009/07/13 20:41:54 | 000,029,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sensrsvc.dll -- (SensrSvc)
SRV:64bit: - [2009/07/13 20:41:54 | 000,017,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\StorSvc.dll -- (StorSvc)
SRV:64bit: - [2009/07/13 20:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 20:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (PNRPsvc)
SRV:64bit: - [2009/07/13 20:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (p2pimsvc)
SRV:64bit: - [2009/07/13 20:41:53 | 000,187,904 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\provsvc.dll -- (HomeGroupProvider)
SRV:64bit: - [2009/07/13 20:41:53 | 000,067,072 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\SysNative\RpcEpMap.dll -- (RpcEptMapper)
SRV:64bit: - [2009/07/13 20:41:53 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpauto.dll -- (PNRPAutoReg)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:41:18 | 000,231,936 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\ListSvc.dll -- (HomeGroupListener)
SRV:64bit: - [2009/07/13 20:40:54 | 001,127,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2009/07/13 20:40:28 | 000,314,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2009/07/13 20:40:28 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\defragsvc.dll -- (defragsvc)
SRV:64bit: - [2009/07/13 20:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 20:40:13 | 000,083,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\bthserv.dll -- (bthserv)
SRV:64bit: - [2009/07/13 20:40:10 | 000,100,864 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\SysNative\bdesvc.dll -- (BDESVC)
SRV:64bit: - [2009/07/13 20:40:05 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AxInstSv.dll -- (AxInstSV)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/13 20:40:01 | 000,032,256 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appidsvc.dll -- (AppIDSvc)
SRV:64bit: - [2009/07/13 20:39:51 | 001,503,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbengine.exe -- (wbengine)
SRV:64bit: - [2009/07/13 20:39:28 | 003,524,608 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\sppsvc.exe -- (sppsvc)
SRV:64bit: - [2009/07/13 20:39:11 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FXSSVC.exe -- (Fax)
SRV - [2010/03/25 00:28:07 | 001,263,728 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/07/13 22:20:14 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\Windows\Vss -- (VSS)
SRV - [2009/07/13 22:20:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 15:30:11 | 000,061,056 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2009/06/10 15:39:58 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2008/10/25 11:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2007/05/31 11:11:54 | 000,443,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 11:11:46 | 000,225,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/02/27 20:27:27 | 000,871,408 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/02/04 10:53:02 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
DRV:64bit: - [2009/12/19 09:11:40 | 000,314,400 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/09/30 09:34:30 | 000,121,872 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/09/23 18:01:24 | 006,175,744 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,153,152 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ksecpkg.sys -- (KSecPkg)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:48:04 | 000,014,416 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\hwpolicy.sys -- (hwpolicy)
DRV:64bit: - [2009/07/13 20:47:49 | 000,055,376 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fsdepends.sys -- (FsDepends)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:56 | 000,022,096 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wimmount.sys -- (WIMMount)
DRV:64bit: - [2009/07/13 20:45:55 | 000,217,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vhdmp.sys -- (vhdmp)
DRV:64bit: - [2009/07/13 20:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 20:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 20:45:55 | 000,036,432 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vdrvroot.sys -- (vdrvroot)
DRV:64bit: - [2009/07/13 20:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:45:46 | 000,214,096 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\rdyboost.sys -- (rdyboost)
DRV:64bit: - [2009/07/13 20:45:45 | 000,050,768 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\pcw.sys -- (pcw)
DRV:64bit: - [2009/07/13 20:43:14 | 000,460,504 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\cng.sys -- (CNG)
DRV:64bit: - [2009/07/13 20:43:13 | 000,223,448 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fvevol.sys -- (fvevol)
DRV:64bit: - [2009/07/13 19:17:46 | 000,024,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rdpbus.sys -- (rdpbus)
DRV:64bit: - [2009/07/13 19:16:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV:64bit: - [2009/07/13 19:10:24 | 000,060,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV:64bit: - [2009/07/13 19:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2009/07/13 19:09:26 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\wfplwf.sys -- (WfpLwf)
DRV:64bit: - [2009/07/13 19:08:13 | 000,035,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ndiscap.sys -- (NdisCap)
DRV:64bit: - [2009/07/13 19:07:21 | 000,024,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vwifibus.sys -- (vwifibus)
DRV:64bit: - [2009/07/13 19:07:13 | 000,227,840 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\1394ohci.sys -- (1394ohci)
DRV:64bit: - [2009/07/13 19:07:00 | 000,350,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService)
DRV:64bit: - [2009/07/13 19:06:52 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\umpass.sys -- (UmPass)
DRV:64bit: - [2009/07/13 19:06:32 | 000,109,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV:64bit: - [2009/07/13 19:06:24 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV:64bit: - [2009/07/13 19:05:37 | 000,112,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WUDFPf.sys -- (WudfPf)
DRV:64bit: - [2009/07/13 19:02:08 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MTConfig.sys -- (MTConfig)
DRV:64bit: - [2009/07/13 19:00:34 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CompositeBus.sys -- (CompositeBus)
DRV:64bit: - [2009/07/13 19:00:13 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\beep.sys -- (Beep)
DRV:64bit: - [2009/07/13 18:52:39 | 000,061,440 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appid.sys -- (AppID)
DRV:64bit: - [2009/07/13 18:50:17 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\SysNative\drivers\scfilter.sys -- (scfilter)
DRV:64bit: - [2009/07/13 18:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 18:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 18:37:18 | 000,040,448 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\discache.sys -- (discache)
DRV:64bit: - [2009/07/13 18:31:06 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hidbatt.sys -- (HidBatt)
DRV:64bit: - [2009/07/13 18:31:03 | 000,017,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CmBatt.sys -- (CmBatt)
DRV:64bit: - [2009/07/13 18:27:17 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acpipmi.sys -- (AcpiPmi)
DRV:64bit: - [2009/07/13 18:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/07/13 18:19:25 | 000,060,928 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdppm.sys -- (AmdPPM)
DRV:64bit: - [2009/06/17 11:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 11:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/11/08 11:29:22 | 000,527,872 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PAC7302.SYS -- (PAC7302)
DRV:64bit: - [2007/07/23 11:57:04 | 000,052,992 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Alpham164.sys -- (Alpham1)
DRV:64bit: - [2007/03/20 13:51:04 | 000,021,760 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Alpham264.sys -- (Alpham2)
DRV:64bit: - [2005/03/29 02:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2010/01/08 18:53:58 | 000,000,000 | ---D | M] [Kernel | System | Running] -- C:\Windows\CSC -- (CSC)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:16:02 | 000,014,336 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\netbios.dll -- (NetBIOS)
DRV - [2009/06/10 16:28:14 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)
DRV - [2009/06/10 16:15:18 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2007/11/08 11:30:08 | 000,454,656 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\PAC7302.sys -- (PAC7302)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AF 62 31 EB 7D CC CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/firefox"
FF - prefs.js..extensions.enabledItems: {84b24861-62f6-364b-eba5-2e5e2061d7e6}:0.9.3
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/03/24 22:03:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/03/24 22:03:03 | 000,000,000 | ---D | M]

[2009/11/13 21:58:13 | 000,000,000 | ---D | M] -- C:\Users\Mergatroid\AppData\Roaming\Mozilla\Extensions
[2010/03/28 22:00:01 | 000,000,000 | ---D | M] -- C:\Users\Mergatroid\AppData\Roaming\Mozilla\Firefox\Profiles\6svqz973.default\extensions
[2010/01/24 14:16:18 | 000,000,000 | ---D | M] (mediaplayerconnectivity) -- C:\Users\Mergatroid\AppData\Roaming\Mozilla\Firefox\Profiles\6svqz973.default\extensions\{84b24861-62f6-364b-eba5-2e5e2061d7e6}
[2010/01/22 18:30:59 | 000,000,000 | ---D | M] (FireFTP) -- C:\Users\Mergatroid\AppData\Roaming\Mozilla\Firefox\Profiles\6svqz973.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/03/26 17:17:15 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Mergatroid\AppData\Roaming\Mozilla\Firefox\Profiles\6svqz973.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/16 19:26:10 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2009/10/06 04:40:40 | 000,098,304 | ---- | M] (OGPlanet Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npOGPPlugin.dll

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe (PixArt Imaging Incorporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Zboard] C:\Program Files (x86)\Ideazon\ZEngine\Zboard.exe (Ideazon, Inc.)
O4 - HKCU..\Run: [BackgroundSwitcher] C:\Program Files (x86)\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe (johnsadventures.com)
O4 - Startup: C:\Users\Mergatroid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.176.13 64.59.176.15 64.59.177.226
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - Reg Error: Key error. - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [1999/02/10 12:02:24 | 000,000,063 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{835f63f7-fcd2-11de-8501-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{835f63f7-fcd2-11de-8501-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Descent3AutoRun.exe -- [1999/05/19 07:23:08 | 000,032,768 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/29 19:38:12 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Mergatroid\Desktop\OTL.exe
[2010/03/25 00:28:42 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/03/25 00:28:42 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2010/03/25 00:28:40 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010/03/25 00:26:37 | 000,000,000 | -H-D | C] -- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/03/25 00:26:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/03/25 00:26:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/03/24 22:47:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware
[2010/03/24 22:47:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/03/21 00:06:48 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2010/03/21 00:06:48 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2010/03/21 00:06:48 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2010/03/21 00:06:48 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2010/03/21 00:06:48 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2010/03/21 00:06:48 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2010/03/21 00:06:47 | 000,960,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\CPFilters.dll
[2010/03/21 00:06:47 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\CPFilters.dll
[2010/03/21 00:06:47 | 000,613,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\psisdecd.dll
[2010/03/21 00:06:47 | 000,552,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msdri.dll
[2010/03/21 00:06:47 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\psisdecd.dll
[2010/03/21 00:06:47 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MSNP.ax
[2010/03/21 00:06:47 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSNP.ax
[2010/03/21 00:06:46 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc.dll
[2010/03/21 00:06:46 | 000,422,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_isv.dll
[2010/03/21 00:06:46 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc.dll
[2010/03/21 00:06:46 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_isv.dll
[2010/03/21 00:06:46 | 000,357,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_isv.exe
[2010/03/21 00:06:46 | 000,356,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate.exe
[2010/03/21 00:06:46 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_isv.exe
[2010/03/21 00:06:46 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate.exe
[2010/03/21 00:06:46 | 000,306,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp.exe
[2010/03/21 00:06:46 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp_isv.exe
[2010/03/21 00:06:46 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp.exe
[2010/03/21 00:06:46 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp_isv.exe
[2010/03/21 00:06:46 | 000,121,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp_isv.dll
[2010/03/21 00:06:46 | 000,121,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp.dll
[2010/03/21 00:06:46 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp_isv.dll
[2010/03/21 00:06:46 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp.dll
[2010/03/13 01:06:27 | 000,276,992 | ---- | C] (Aureal Semiconductor) -- C:\Windows\SysWow64\a3dapi.dll
[2010/03/13 00:49:06 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\Windows\IsUninst.exe
[2010/03/12 00:08:18 | 000,295,936 | ---- | C] (Thrustmaster) -- C:\Windows\SysNative\tmffbcpl.dll
[2010/03/12 00:08:18 | 000,208,304 | ---- | C] (Macrovision Corporation) -- C:\Windows\SysNative\isrt.dll
[2010/03/12 00:08:18 | 000,102,832 | ---- | C] (Macrovision Corporation) -- C:\Windows\SysNative\_IsRes.dll
[2010/03/12 00:08:18 | 000,041,984 | ---- | C] (Thrustmaster) -- C:\Windows\SysNative\tmffbdrv.dll
[2010/03/12 00:08:09 | 000,253,952 | ---- | C] (Thrustmaster) -- C:\Windows\SysWow64\tmffbcpl.dll
[2010/03/12 00:08:09 | 000,034,304 | ---- | C] (Thrustmaster) -- C:\Windows\SysWow64\tmffbdrv.dll
[2010/03/12 00:08:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Thrustmaster
[2010/03/12 00:07:51 | 000,000,000 | ---D | C] -- C:\Users\Mergatroid\AppData\Roaming\InstallShield
[2010/03/11 20:18:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\directx
[2010/03/04 00:11:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DCoder Image Source
[2010/03/04 00:11:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FFMPEG Core Files
[2010/03/04 00:11:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SHOUTcast Source
[2010/03/04 00:11:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MONOGRAM AMR SplitterDecoder
[2010/03/04 00:11:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CD Audio Reader Filter
[2010/03/04 00:11:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenSource AVI Splitter
[2010/03/04 00:11:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gabest MPEG Splitter
[2010/03/04 00:11:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenSource DTSAC3DD+ Source Filter
[2010/03/04 00:11:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\RealMedia
[2010/03/04 00:11:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DScaler5
[2010/03/04 00:10:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AC3Filter
[2010/03/04 00:10:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bass Audio Decoder
[2010/03/04 00:04:05 | 000,000,000 | ---D | C] -- C:\Users\Mergatroid\AppData\Roaming\Media Player Classic
[2010/03/03 23:52:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Combined Community Codec Pack
[2010/03/03 21:33:10 | 000,000,000 | ---D | C] -- C:\Users\Mergatroid\AppData\Local\ElevatedDiagnostics
[2010/03/03 21:17:53 | 000,000,000 | R--D | C] -- C:\Users\Mergatroid\AppData\Roaming\Brother
[2010/03/01 21:26:09 | 000,000,000 | ---D | C] -- C:\Users\Mergatroid\AppData\Roaming\DivX
[2010/03/01 21:13:02 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/03/01 21:12:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2010/03/01 21:12:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DivX Shared
[2010/02/28 17:42:21 | 000,000,000 | ---D | C] -- C:\Users\Mergatroid\AppData\Roaming\GRETECH
[2010/02/28 04:00:20 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2010/02/28 04:00:20 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2010/02/27 20:27:18 | 000,176,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ipv6.dll

========== Files - Modified Within 30 Days ==========

[2010/03/29 19:39:20 | 004,194,304 | -HS- | M] () -- C:\Users\Mergatroid\NTUSER.DAT
[2010/03/29 19:38:16 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Mergatroid\Desktop\OTL.exe
[2010/03/29 17:44:55 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/29 17:44:55 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/29 17:40:59 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/03/29 17:40:59 | 000,619,206 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/03/29 17:40:59 | 000,107,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/03/29 17:37:47 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/03/29 17:36:50 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/29 17:36:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/29 17:36:44 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/29 02:34:28 | 003,851,607 | -H-- | M] () -- C:\Users\Mergatroid\AppData\Local\IconCache.db
[2010/03/25 18:22:09 | 000,110,016 | ---- | M] () -- C:\Users\Mergatroid\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/25 18:22:04 | 000,421,304 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/03/25 18:03:24 | 000,000,478 | ---- | M] () -- C:\Windows\win.ini
[2010/03/25 00:28:39 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010/03/25 00:28:33 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe
[2010/03/25 00:26:37 | 000,001,148 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/03/24 22:47:27 | 000,001,037 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/03/13 00:42:20 | 000,004,096 | ---- | M] () -- C:\Windows\d3dx.dat
[2010/03/03 19:51:17 | 000,012,288 | ---- | M] () -- C:\Users\Mergatroid\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/01 21:25:52 | 000,036,734 | ---- | M] () -- C:\Windows\SysWow64\OggDSuninst.exe
[2010/02/27 20:27:27 | 000,871,408 | ---- | M] () -- C:\Windows\SysNative\drivers\sptd.sys
[2010/02/27 20:27:19 | 000,000,024 | ---- | M] () -- C:\Windows\drvlist.cfg
[2010/02/27 20:27:18 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ipv6.dll

========== Files Created - No Company Name ==========

[2010/03/28 15:40:58 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/03/25 00:35:28 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/03/25 00:26:37 | 000,001,148 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/03/24 22:47:27 | 000,001,037 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010/03/13 00:42:20 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010/03/04 00:10:55 | 000,580,096 | ---- | C] () -- C:\Windows\SysNative\ac3filter64.acm
[2010/03/04 00:10:55 | 000,497,664 | ---- | C] () -- C:\Windows\SysWow64\ac3filter.acm
[2010/03/04 00:10:33 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010/03/01 21:26:06 | 000,012,288 | ---- | C] () -- C:\Users\Mergatroid\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/01 21:25:52 | 000,036,734 | ---- | C] () -- C:\Windows\SysWow64\OggDSuninst.exe
[2010/02/27 20:27:27 | 000,871,408 | ---- | C] () -- C:\Windows\SysNative\drivers\sptd.sys
[2010/02/27 20:27:19 | 000,000,024 | ---- | C] () -- C:\Windows\drvlist.cfg
[2010/02/09 00:22:21 | 000,129,024 | ---- | C] () -- C:\Windows\SysWow64\AVERM.dll
[2010/02/09 00:22:21 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\AVEQT.dll
[2010/01/17 19:28:48 | 000,056,320 | ---- | C] () -- C:\Windows\SysWow64\iyvu9_32.dll
[2009/11/15 03:00:33 | 000,000,566 | ---- | C] () -- C:\Windows\SysWow64\SP7302.ini
[2009/11/14 21:57:21 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/11/14 18:47:45 | 000,000,410 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2009/11/14 02:56:30 | 000,038,467 | ---- | C] () -- C:\Users\Mergatroid\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/11/14 02:53:02 | 000,038,300 | ---- | C] () -- C:\Users\Mergatroid\AppData\Roaming\Microsoft Excel 97-2003.ADR
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/12/28 02:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2002/10/06 13:42:57 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2002/10/04 18:04:25 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\vorbisenc.dll
[2002/10/04 18:04:24 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2002/10/04 18:04:17 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
< End of report >

Edited by Mok, 29 March 2010 - 07:53 PM.


#4 Mok

Mok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 29 March 2010 - 07:44 PM

Here is Extras.txt

OTL Extras logfile created on: 29/03/2010 7:38:30 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Mergatroid\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 69.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 28.51 Gb Total Space | 7.95 Gb Free Space | 27.87% Space Free | Partition Type: NTFS
Drive D: | 120.44 Gb Total Space | 93.89 Gb Free Space | 77.95% Space Free | Partition Type: NTFS
Drive E: | 664.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERGATROID-PC
Current User Name: Mergatroid
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{2C4FFF38-9FA5-C451-E79D-FAB3848C7F5A}" = ccc-utility64
"{5324EDAC-DED3-3A65-6881-84B4B8A8A7F9}" = ATI Catalyst Install Manager
"{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}" = Windows Mobile Device Center
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{92DBCA36-9B41-4DD1-941A-AED149DD37F0}" = Windows Mobile Device Center Driver Update
"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F3F18612-7B5D-4C05-86C9-AB50F6F71727}" = KhalInstallWrapper
"Microsoft Security Essentials" = Microsoft Security Essentials

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{3EA20BCC-983E-E2FB-7655-F701160703AF}" = Catalyst Control Center HydraVision Full
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4DDF49C7-E23B-28E4-D899-DE1950411061}" = Catalyst Control Center Graphics Light
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{61814DD5-D192-7D9F-4070-08058E94C765}" = Catalyst Control Center Core Implementation
"{64E47A5F-B3C4-476A-9100-2D006BD1FFB4}" = Z Engine
"{672017AB-BD22-FEED-D058-BC761279EF3D}" = Catalyst Control Center InstallProxy
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87BB78C4-F36D-4D93-A7C7-F80F18219848}" = AMD DnD V1.0.19
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B251F4A-0B78-2045-B802-CDB67F594E53}" = Catalyst Control Center Graphics Previews Vista
"{8F5A0981-5CDC-41D0-BCA2-AD3B777FC358}" = Thrustmaster Force Feedback Driver
"{8F808D5F-7635-EE62-F2B4-42D72D74443C}" = Catalyst Control Center Graphics Previews Common
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{A202BDBA-753F-41B9-B649-CFB0B45FC03E}" = Star Wars Galactic Battlegrounds
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A59AB961-BE82-41E0-B0FB-648DFA6DDEA4}" = PC Camera
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BC4C00F4-3043-BA09-C401-A4728663ECCE}" = ccc-core-static
"{C27B2B08-B5BD-A210-73AF-83A740ECC32F}" = Catalyst Control Center Graphics Full New
"{C6AA63A6-3248-2D28-3BAA-AA9C6B8D84BE}" = CCC Help English
"{DA703982C580418795BF4001AA9D7061}" = DivX Plus Media Foundation Components
"{DD3DAD13-289E-440E-A5D3-3EFB25305018}_is1" = John's Background Switcher 4.1
"{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}" = Command & Conquer 3
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18EF558-2BCE-99DE-4021-46726B061BD2}" = Catalyst Control Center Graphics Full Existing
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"AC3Filter_is1" = AC3Filter 1.63b
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Bass Audio Decoder" = Bass Audio Decoder (remove only)
"BitTorrent" = BitTorrent
"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"DCoder Image Source" = DCoder Image Source (remove only)
"Descent3" = Descent 3
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ffdshow_is1" = ffdshow [rev 3124] [2009-11-03]
"FFMPEG Core Files" = FFMPEG Core Files (remove only)
"Gabest MPEG Splitter" = Gabest MPEG Splitter (remove only)
"GOM Player" = GOM Player
"Guild Wars" = Guild Wars
"JetFighter IV Update 4" = JetFighter IV Update 4
"MechWarrior Vengeance" = MechWarrior Vengeance
"MONOGRAM AMR Splitter/Decoder" = MONOGRAM AMR Splitter/Decoder (remove only)
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"OggDS" = Direct Show Ogg Vorbis Filter (remove only)
"OGPlanet Game Launcher US" = OGPlanet Game Launcher
"Open Video Converter_is1" = Open Video Converter version 3.0.3
"OpenSource AVI Splitter" = OpenSource AVI Splitter (remove only)
"OpenSource DTS/AC3/DD+ Source Filter" = OpenSource DTS/AC3/DD+ Source Filter (remove only)
"RealMedia" = RealMedia (remove only)
"SeriousSam2" = Serious Sam 2
"SHOUTcast Source" = SHOUTcast Source (remove only)
"Ultra Video Converter_is1" = Ultra Video Converter 4.4.0827
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 03/03/2010 10:56:07 PM | Computer Name = Mergatroid-PC | Source = Application Error | ID = 1000
Description = Faulting application name: AVIMux_GUI.exe, version: 1.17.6.1, time
stamp: 0x44d8df09 Faulting module name: AVIMux_GUI.exe, version: 1.17.6.1, time
stamp: 0x44d8df09 Exception code: 0xc0000005 Fault offset: 0x00041d91 Faulting process
id: 0x12d4 Faulting application start time: 0x01cabb463c5b0083 Faulting application
path: D:\temporary\AVIMux_GUI.exe Faulting module path: D:\temporary\AVIMux_GUI.exe
Report
Id: 7a5d3ced-2739-11df-8912-002354e23560

Error - 03/03/2010 10:56:31 PM | Computer Name = Mergatroid-PC | Source = Application Error | ID = 1000
Description = Faulting application name: AVIMux_GUI.exe, version: 1.17.6.1, time
stamp: 0x44d8df09 Faulting module name: AVIMux_GUI.exe, version: 1.17.6.1, time
stamp: 0x44d8df09 Exception code: 0xc0000005 Fault offset: 0x00041d91 Faulting process
id: 0x1c4 Faulting application start time: 0x01cabb464b1322d5 Faulting application
path: D:\temporary\AVIMux_GUI.exe Faulting module path: D:\temporary\AVIMux_GUI.exe
Report
Id: 88c47076-2739-11df-8912-002354e23560

Error - 13/03/2010 1:39:09 AM | Computer Name = Mergatroid-PC | Source = Application Error | ID = 1000
Description = Faulting application name: jf4sim.exe, version: 0.0.0.0, time stamp:
0x3c48d4d6 Faulting module name: jf4sim.exe, version: 0.0.0.0, time stamp: 0x3c48d4d6
Exception
code: 0xc0000005 Fault offset: 0x0000adfe Faulting process id: 0x12d4 Faulting application
start time: 0x01cac26f48b26a22 Faulting application path: D:\Games\JetFighter IV\jf4sim.exe
Faulting
module path: D:\Games\JetFighter IV\jf4sim.exe Report Id: be9bc110-2e62-11df-ad9d-002354e23560

Error - 13/03/2010 1:46:03 AM | Computer Name = Mergatroid-PC | Source = Application Hang | ID = 1002
Description = The program jf4.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 324 Start Time:
01cac26ff2bf1f3a Termination Time: 4 Application Path: D:\Games\JetFighter IV\jf4.exe

Report
Id:

Error - 21/03/2010 1:20:34 AM | Computer Name = Mergatroid-PC | Source = Application Hang | ID = 1002
Description = The program jf4.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 10d8 Start Time:
01cac8b5fdb26c8a Termination Time: 0 Application Path: D:\Games\JETFIG~1\jf4.exe Report
Id:

Error - 21/03/2010 1:24:01 AM | Computer Name = Mergatroid-PC | Source = Application Hang | ID = 1002
Description = The program jf4.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 120c Start Time:
01cac8b660c15a42 Termination Time: 0 Application Path: D:\Games\JetFighter IV\jf4.exe

Report
Id:

Error - 21/03/2010 1:30:04 AM | Computer Name = Mergatroid-PC | Source = Application Hang | ID = 1002
Description = The program jf4.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 1134 Start Time:
01cac8b6eb0f3386 Termination Time: 6966 Application Path: D:\Games\JetFighter IV\jf4.exe

Report
Id:

Error - 21/03/2010 1:31:10 AM | Computer Name = Mergatroid-PC | Source = Application Hang | ID = 1002
Description = The program jf4sim.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 898 Start Time:
01cac8b6f7f62f61 Termination Time: 0 Application Path: D:\Games\JETFIG~1\jf4sim.exe

Report
Id:

Error - 25/03/2010 1:27:00 AM | Computer Name = Mergatroid-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 26/03/2010 6:13:34 PM | Computer Name = Mergatroid-PC | Source = Windows Search Service | ID = 3007
Description =

[ System Events ]
Error - 10/02/2010 7:47:29 PM | Computer Name = Mergatroid-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:02:55 AM on ?10/?02/?2010 was unexpected.

Error - 01/03/2010 11:12:50 PM | Computer Name = Mergatroid-PC | Source = DCOM | ID = 10010
Description =

Error - 11/03/2010 9:29:20 PM | Computer Name = Mergatroid-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 11/03/2010 11:26:33 PM | Computer Name = Mergatroid-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 12/03/2010 9:03:56 PM | Computer Name = Mergatroid-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 13/03/2010 1:54:01 AM | Computer Name = Mergatroid-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:52:12 PM on ?12/?03/?2010 was unexpected.

Error - 14/03/2010 1:47:14 AM | Computer Name = Mergatroid-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 25/03/2010 1:27:00 AM | Computer Name = Mergatroid-PC | Source = Service Control Manager | ID = 7030
Description = The Lavasoft Ad-Aware Service service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.

Error - 26/03/2010 6:15:04 PM | Computer Name = Mergatroid-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Windows
Search service to connect.

Error - 26/03/2010 6:15:04 PM | Computer Name = Mergatroid-PC | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053


< End of report >


#5 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:40 PM

Posted 30 March 2010 - 01:48 PM

Hi again Mok and thank you for the logfiles!.. smile.gif.

Firstly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    o10 - protocol_catalog9\catalog_entries\000000000001 - file not found
    o10 - protocol_catalog9\catalog_entries\000000000002 - file not found
    o10 - protocol_catalog9\catalog_entries\000000000003 - file not found
    o10 - protocol_catalog9\catalog_entries\000000000004 - file not found
    o10 - protocol_catalog9\catalog_entries\000000000015 - file not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    :Commands
    [emptytemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Secondly,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

C:\Windows\SysWow64\ipv6.dll

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Thirdly,
Please run OTL.exe.
  • Copy the command below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    IPv6.dll /RS

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Under Processes, Modules, Services, Drivers, Standard Registry, Files created/Modified within check: None
  • Click the blue Run Scan button.
  • A log in Notepad will appear. Copy the contents of the log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#6 Mok

Mok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 30 March 2010 - 05:59 PM

Hello

Here is the link to the scan analysis for ipv6.dll:

http://www.virustotal.com/analisis/b8ad7bd...408f-1269988984

Here is the OTL results:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mergatroid
->Temp folder emptied: 370088946 bytes
->Temporary Internet Files folder emptied: 84959809 bytes
->Java cache emptied: 46783154 bytes
->FireFox cache emptied: 92963731 bytes
->Flash cache emptied: 25594 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1254498 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 3873063 bytes

Total Files Cleaned = 572.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Mergatroid
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.1.37.3 log created on 03302010_173325

Files\Folders moved on Reboot...
C:\Users\Mergatroid\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Here are the results of the IPv6.dll /RS scan:

OTL logfile created on: 30/03/2010 5:50:06 PM - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Mergatroid\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 67.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 28.51 Gb Total Space | 8.39 Gb Free Space | 29.41% Space Free | Partition Type: NTFS
Drive D: | 120.44 Gb Total Space | 93.89 Gb Free Space | 77.95% Space Free | Partition Type: NTFS
Drive E: | 664.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MERGATROID-PC
Current User Name: Mergatroid
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< IPv6.dll /RS >
< End of report >




#7 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:40 PM

Posted 31 March 2010 - 01:18 PM

Hi again Mok and thank you for the logfile!!.. smile.gif.

You may delete this file manually:
C:\Windows\SysWow64\ipv6.dll

Logfiles look clean to me... Does any problem persist??.. If yes, I'll need to see a fresh OTL logfile (just OTL.txt) and know if you use a router...

Let's update outdated programs (with security vulnerabilities):
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JDK 6 Update 19 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for Java™ 6 Update 17
  • Then from your desktop double-click on jre-6u19-windows-i586.exe that you downloaded to install the newest version.

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger.
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#8 Mok

Mok
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 31 March 2010 - 09:00 PM

Good day

I have been doing searches with FF and MSIE tonight. It seems the redirection has stopped. At least I have not been redirected tonight.

I'll keep my fingers crossed that I don't see this problem again. It REALLY sucked.

I updated flash and java to the latest versions. Unfortunately flash decided it had to have its own download manager installed. I hate it when companies do that. I am using a router. It's a Liksys wired router. I use the firewall in it in place of the Windows firewall. I have changed the setup login account and password.

I have uninstalled Adaware and am just using MS Security Essentials now.

I appreciate your help on this. I wonder what it was that stopped the redirection from happening? Was it the code you had me run in OTL? I did update Windows 7 this week. Perhaps there was something there?

One thing is for sure. Bleeping computer.com has found a permanent place in my bookmarks.

Thanks again.

#9 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:40 PM

Posted 01 April 2010 - 07:41 AM

Hi again Mok!!.. smile.gif.

QUOTE(Mok @ Apr 1 2010, 04:00 AM) View Post
I have been doing searches with FF and MSIE tonight. It seems the redirection has stopped. At least I have not been redirected tonight.

I'll keep my fingers crossed that I don't see this problem again. It REALLY sucked.
(...)
I wonder what it was that stopped the redirection from happening? Was it the code you had me run in OTL? I did update Windows 7 this week. Perhaps there was something there?

It should be ok now... That ipv6.dll file was the only malicious thing visible in the logs... It's a hacked file that redirects connections via a questionable source... However, when you posted an OTL logfile, infection has not been active anymore - I guess one of the tools you've run removed an active infection - it left some leftovers, though, and that's what I removed with a script in OTL...

QUOTE
Unfortunately flash decided it had to have its own download manager installed. I hate it when companies do that.

Actually, their "download manager" is not a bad idea... Anyway, it will remove itself on reboot, so it won't stay on your system for long... smile.gif..

QUOTE
I am using a router. It's a Liksys wired router. I use the firewall in it in place of the Windows firewall. I have changed the setup login account and password.

Ok... The reason I've asked is that we've had quite many infections targeting routers recently... They're usually able to change its setting thanks to the fact users forget to change default password for their router...

QUOTE
One thing is for sure. Bleeping computer.com has found a permanent place in my bookmarks.

Thank you for these kind words!.. thumbup2.gif

If there are no more issues in the next couple of days, please do the following:
Firstly,
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Secondly,
Please set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here and for Windows 7 here.

Finally,
Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer. :thumbup:

Also, I recommend you to read Tony Klein's excellent article: How did I get infected?, With steps so it does not happen again!
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#10 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:40 PM

Posted 16 April 2010 - 05:30 PM

Glad we could help. smile.gif

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users