
r3.google.com redirect bug


  • This topic is locked
27 replies to this topic

#1 cycohexane (Members, 19 posts)

Posted 14 November 2010 - 03:57 PM

In google chrome, sometimes clicking a link from google search will delay me for a few seconds, then redirect me to some fake ad/search site. While it's loading, it says "waiting on r3.google.com" in my browser status bar. Also, I couldn't get GMER to run correctly - it loads up fine but most of the options are grayed out and I think it's because I'm running Windows 7 x64. So I don't have a GMER log...is there an alternative I could use? Thanks for the help!



DDS (Ver_10-11-10.01) - NTFS_AMD64
Run by xxx at 14:29:47.61 on Sun 11/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4091.1817 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\hasplms.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xxx\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
uRun: [Google Update] "C:\Users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [CloneCDTray] "C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe" /s
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"

================= FIREFOX ===================

FF - ProfilePath - C:\Users\MATTHE~1\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - component: C:\Program Files (x86)\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\xxx\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falseC:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 aksdf;aksdf;C:\Windows\System32\drivers\aksdf.sys [2009-12-17 71040]
R2 hasplms;Sentinel HASP License Manager;C:\Windows\system32\hasplms.exe -run --> C:\Windows\system32\hasplms.exe -run [?]
R2 MotoConnect Service;MotoConnect Service;C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [2010-6-24 91456]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-5-28 275968]
R3 DKRtWrt;DKRtWrt;C:\Windows\System32\drivers\DKRtWrt.sys [2010-8-10 51120]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-3-29 86120]
R3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2008-4-15 62040]
R3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2008-4-8 51928]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-25 135664]
S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\motoandroid.sys [2009-7-10 31744]
S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\System32\drivers\motfilt.sys [2009-1-29 6144]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2006-10-19 296448]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-10-25 1038088]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-8-12 1375992]
S3 motandroidusb;Mot ADB Interface Driver;C:\Windows\System32\drivers\motoandroid.sys [2009-7-10 31744]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\System32\drivers\motccgp.sys [2010-6-18 20992]
S3 motccgpfl;MotCcgpFlService;C:\Windows\System32\drivers\motccgpfl.sys [2009-1-29 9216]
S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\System32\drivers\Motousbnet.sys [2010-4-1 26624]
S3 motusbdevice;Motorola USB Dev Driver;C:\Windows\System32\drivers\motusbdevice.sys [2010-1-25 10240]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-5 1255736]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-9-24 306416]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]

=============== Created Last 30 ================

2010-11-14 20:12:46 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2010-11-07 01:29:01 417792 ----a-w- C:\Program Files (x86)\Windows Media Player\Plugins\wmp_scrobbler.dll
2010-11-07 01:29:01 -------- d-----w- C:\PROGRA~3\Last.fm
2010-11-07 01:28:38 -------- d-----w- C:\Users\MATTHE~1\AppData\Local\Last.fm
2010-11-07 01:28:35 -------- d-----w- C:\Program Files (x86)\Last.fm
2010-11-06 22:10:09 -------- d-----w- C:\PROGRA~3\VertusTech
2010-11-06 22:10:08 -------- d-----w- C:\Program Files (x86)\Vertus Fluid Mask 3
2010-11-03 22:01:57 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-10-23 02:26:30 -------- d-----w- C:\Program Files (x86)\SlySoft
2010-10-18 18:11:21 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2010-10-18 18:11:21 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2010-10-18 18:11:21 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2010-10-18 18:11:21 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2010-10-18 18:11:20 610436 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2010-10-18 18:02:14 -------- d-----w- C:\Program Files (x86)\Coupons

==================== Find3M ====================

2010-11-06 22:18:43 100 ----a-w- C:\Windows\SysWow64\prsgrc.dll
2010-11-06 22:10:17 1024 ----a-w- C:\Windows\SysWow64\grcauth2.dll
2010-11-06 22:10:17 1024 ----a-w- C:\Windows\SysWow64\grcauth1.dll
2010-11-06 22:10:17 1024 ----a-w- C:\Windows\SysWow64\g23oe3a.dll
2010-11-06 22:10:16 72 ----a-w- C:\Windows\SysWow64\ssprs.dll
2010-11-06 22:10:16 1024 ----a-w- C:\Windows\SysWow64\clauth2.dll
2010-11-06 22:10:16 1024 ----a-w- C:\Windows\SysWow64\clauth1.dll
2010-09-24 18:17:16 467696 ----a-w- C:\Windows\System32\ZuneWlanCfgSvc.exe
2010-09-15 09:50:37 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-08-17 09:15:49 99384 ----a-w- C:\Users\MATTHE~1\AppData\Roaming\inst.exe
2010-08-17 09:15:49 82816 ----a-w- C:\Users\MATTHE~1\AppData\Roaming\pcouffin.sys
2006-05-03 09:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- C:\Windows\SysWOW64\nbDX.dll

============= FINISH: 14:30:16.51 ===============

Edited by elise025, 30 March 2011 - 01:26 AM.
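The DDS log above already carries the details an analyst checks first: the mPolicies-system lines show UAC switched off (EnableLUA = 0, no consent prompt for administrators, no secure desktop), two toolbar CLSIDs registered with "No File" behind them, a Firefox keyword.URL pointing at a Yahoo search with a source tag (fr=megaup), and a kernel driver written to SysWow64\drivers on the day of the scan. The script below is an added example for this thread (not part of the original post and not a DDS feature) that pulls those indicators out of a pasted log. The sample lines are copied from the log above; which values I treat as weak or worth a second look are my own assumptions. It produces questions to verify, not a verdict: anti-rootkit tools such as GMER load a kernel driver of their own, and the poster had just tried to run GMER, so a driver created on scan day can belong to a tool rather than to malware.

```python
"""Triage helpers for a DDS 'Pseudo HJT Report' / 'Created Last 30' / Find3M log.

Added example, not part of the thread or of DDS. The rules below (which policy
values count as weak, which file attributes are unusual) are my assumptions.
"""
import re

# Constructed sample: lines copied verbatim from the DDS log posted above.
SAMPLE_DDS = r"""
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: browser.startup.homepage - www.google.com
2010-11-14 20:12:46 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2010-11-06 22:18:43 100 ----a-w- C:\Windows\SysWow64\prsgrc.dll
2006-05-03 09:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
""".strip()

# "mPolicies-<hive>: <Name> = <decimal> (<hex>)"
POLICY_RE = re.compile(r"^mPolicies-(?P<hive>\w+):\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)")
# Assumption: these values disable or hollow out UAC. EnableLUA=0 turns UAC off,
# ConsentPromptBehaviorAdmin=0 elevates admins silently, PromptOnSecureDesktop=0
# lets prompts be drawn on the normal desktop where other windows can reach them.
WEAK_POLICY = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

# Toolbar CLSID still registered but its file is gone (or hidden from DDS).
TB_RE = re.compile(r"^TB(?:-X64)?:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*No File")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>[\w.]+) - (?P<val>.+)$")
# "YYYY-MM-DD HH:MM:SS <size|--------> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attr>[-a-z]{8}) (?P<path>.+)$"
)


def triage(dds_text, scan_date=None):
    """Return a list of (category, detail) indicators found in the log text.

    scan_date is the date (YYYY-MM-DD) the DDS scan ran; drivers created that
    day are reported so the reader can match them against tools they ran.
    """
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, val = m["name"], int(m["val"])
            if WEAK_POLICY.get(name) == val:
                findings.append(("uac_weakened", f"{name}={val}"))
            continue
        m = TB_RE.match(line)
        if m:
            findings.append(("orphan_toolbar_clsid", m["clsid"]))
            continue
        m = FF_RE.match(line)
        if m:
            # keyword.URL decides where address-bar searches go; a hijack
            # commonly lives here. The homepage line is left alone.
            if m["pref"] == "keyword.URL":
                findings.append(("ff_keyword_url", m["val"]))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m["attr"], m["path"]
            # 's' and 'h' together: system+hidden. Assumption: uncommon for a
            # DLL dropped into a system directory, so verify signature/hash.
            if "s" in attr and "h" in attr:
                findings.append(("hidden_system_file", path))
            elif path.lower().endswith(".sys") and scan_date and m["date"] == scan_date:
                findings.append(("driver_created_on_scan_day", path))
    return findings


def summarize(findings):
    """Count indicators per category, e.g. {'uac_weakened': 3, ...}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS, scan_date="2010-11-14"):
        print(f"{category:28s} {detail}")
```

Paste the full DDS text in place of SAMPLE_DDS and pass the date from the "Run by ... on" header. Nothing here removes anything; each hit is a line to research (is the driver a tool's, is the DLL signed, who set keyword.URL) before any fix script is written.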



#2 Elise (Malware Study Hall Admin)

Posted 22 November 2010 - 07:41 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise



Malware analyst @ Emsisoft


#3 cycohexane (Topic Starter)

Posted 22 November 2010 - 10:00 PM

Hi Elise,

Thanks for taking a look at my problems. Here are the logs in the order you requested them:


OTL logfile created on: 11/22/2010 8:38:58 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\xxx\Downloads
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 51.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.37 Gb Total Space | 121.15 Gb Free Space | 42.31% Space Free | Partition Type: NTFS

Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\Windows\SysWow64\hasplms.exe
PRC - [2010/11/22 20:38:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Downloads\OTL.exe
PRC - [2010/11/21 00:40:18 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
PRC - [2010/11/21 00:40:17 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/11/01 15:36:03 | 000,974,904 | ---- | M] (Google Inc.) -- C:\Users\xxx\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/10/29 10:31:34 | 012,487,856 | ---- | M] (Mozilla Messaging) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/10/14 09:09:02 | 002,806,000 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
PRC - [2010/10/13 21:36:49 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/06/24 13:34:52 | 000,091,456 | ---- | M] () -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
PRC - [2010/06/24 13:34:50 | 000,279,360 | ---- | M] (Motorola) -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
PRC - [2010/04/26 10:06:44 | 000,096,112 | ---- | M] (Microsoft Corp.) -- C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe
PRC - [2007/05/28 10:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2007/02/12 15:43:44 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe


========== Modules (SafeList) ==========

MOD - [2010/11/22 20:38:39 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Downloads\OTL.exe
MOD - [2009/07/13 19:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Disabled | Stopped] -- C:\Windows\SysNative\PnkBstrA.exe -- (PnkBstrA)
SRV:64bit: - [2010/09/24 12:17:16 | 000,467,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV:64bit: - [2010/09/24 12:17:16 | 000,306,416 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV:64bit: - [2010/09/24 12:17:10 | 008,251,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV:64bit: - [2009/12/17 06:10:38 | 003,750,400 | ---- | M] (SafeNet Inc.) [Auto | Running] -- C:\Windows\SysNative\hasplms.exe -- (hasplms)
SRV:64bit: - [2009/10/25 12:26:40 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2009/10/23 18:44:42 | 002,430,304 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 19:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2006/08/05 09:48:30 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Stopped] -- C:\Windows\SysNative\drivers\XAudio64.exe -- (XAudioService)
SRV - [2010/11/21 15:41:47 | 001,375,992 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/10/14 09:09:02 | 002,806,000 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2010/06/24 13:34:52 | 000,091,456 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/17 14:54:37 | 000,075,064 | ---- | M] () [Disabled | Stopped] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2009/10/25 12:26:31 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/16 16:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/05/28 10:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2007/02/12 15:43:44 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\PCTINDIS5X64.SYS -- (PCTINDIS5X64)
DRV:64bit: - [2010/06/18 14:09:42 | 000,030,208 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motmodem.sys -- (motmodem)
DRV:64bit: - [2010/06/18 13:42:40 | 000,020,992 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motccgp.sys -- (motccgp)
DRV:64bit: - [2010/05/25 00:17:02 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010/04/01 13:44:06 | 000,026,624 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Motousbnet.sys -- (Motousbnet)
DRV:64bit: - [2010/01/28 08:25:02 | 000,086,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010/01/25 18:57:54 | 000,010,240 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motusbdevice.sys -- (motusbdevice)
DRV:64bit: - [2010/01/24 01:03:39 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - [2010/01/13 14:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2009/12/17 06:10:48 | 000,130,816 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aksfridge.sys -- (aksfridge)
DRV:64bit: - [2009/12/17 06:10:44 | 000,071,040 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aksdf.sys -- (aksdf)
DRV:64bit: - [2009/12/17 06:10:38 | 000,053,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\akshasp.sys -- (akshasp)
DRV:64bit: - [2009/12/17 06:10:36 | 000,318,464 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\hardlock.sys -- (hardlock)
DRV:64bit: - [2009/12/17 06:10:34 | 000,025,344 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\aksusb.sys -- (aksusb)
DRV:64bit: - [2009/12/17 06:10:32 | 000,056,960 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\akshhl.sys -- (akshhl)
DRV:64bit: - [2009/10/21 00:04:36 | 000,051,120 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\DKRtWrt.sys -- (DKRtWrt)
DRV:64bit: - [2009/09/28 08:22:00 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/07/13 19:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 19:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 19:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 18:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/13 18:35:37 | 000,025,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDScan.sys -- (WSDScan)
DRV:64bit: - [2009/07/13 18:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
DRV:64bit: - [2009/07/13 17:31:10 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/07/10 12:06:50 | 000,031,744 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motoandroid.sys -- (motandroidusb)
DRV:64bit: - [2009/07/10 12:06:50 | 000,031,744 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motoandroid.sys -- (androidusb)
DRV:64bit: - [2009/06/18 20:12:32 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/06/12 14:51:46 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2009/06/10 15:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 15:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 15:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 14:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 14:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/02/17 11:11:25 | 000,031,400 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/01/29 16:18:12 | 000,009,216 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motccgpfl.sys -- (motccgpfl)
DRV:64bit: - [2009/01/29 16:11:38 | 000,006,144 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motfilt.sys -- (BTCFilterService)
DRV:64bit: - [2008/08/22 09:05:42 | 000,030,088 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\swmsflt.sys -- (swmsflt)
DRV:64bit: - [2008/04/15 09:14:40 | 000,062,040 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\o2mdx64.sys -- (O2MDRDR)
DRV:64bit: - [2008/04/08 09:46:44 | 000,051,928 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\o2sdx64.sys -- (O2SDRDR)
DRV:64bit: - [2007/11/02 14:52:02 | 000,008,576 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\motswch.sys -- (MotoSwitchService)
DRV:64bit: - [2007/02/15 18:57:06 | 000,040,648 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ElbyCDFL.sys -- (ElbyCDFL)
DRV:64bit: - [2006/10/19 03:33:34 | 001,513,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2006/10/19 03:31:12 | 000,296,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2006/10/19 03:30:10 | 000,731,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2006/08/05 09:42:48 | 000,009,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2006/06/20 06:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2010/11/14 20:58:11 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\Normandy.sys -- (Normandy)
DRV - [2010/09/19 07:57:36 | 000,084,752 | ---- | M] (Emsi Software GmbH) [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys -- (a2acc)
DRV - [2008/08/14 06:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWow64\drivers\adfs.sys -- (adfs)
DRV - [2007/02/15 18:57:06 | 000,040,648 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\ElbyCDFL.sys -- (ElbyCDFL)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DB 31 03 EB D1 0C CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.2
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.36.0
FF - prefs.js..extensions.enabledItems: iaplayer@instantaction.com:0.4.1.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.1
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.9.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.95.20100932
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=utf-8&fr=megaup&p="
FF - prefs.js..keyword.enabled: false


FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files (x86)\Google\Google Gears\Firefox\ [2010/03/06 00:06:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/11/21 00:40:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/11/21 00:40:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/10/29 10:31:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2010/04/06 22:00:38 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Extensions
[2010/01/23 23:31:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/04/06 22:00:38 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/11/22 20:02:15 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions
[2010/11/15 18:54:05 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/16 16:08:46 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/10/22 19:20:39 | 000,000,000 | ---D | M] (DriverAgent Plugin for Firefox and Opera) -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}
[2010/11/18 02:25:09 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\de-DE@dictionaries.addons.mozilla.org
[2010/09/30 18:18:26 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\foxmarks@kei.com
[2009/10/22 19:20:37 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\iaplayer@instantaction.com
[2010/11/18 02:25:16 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\ietab@ip.cn
[2010/09/22 00:30:40 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\extensions\personas@christopher.beard
[2009/06/06 00:15:18 | 000,002,164 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\9890kdzh.default\searchplugins\bing.xml
[2010/11/21 21:14:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/05/11 23:31:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/24 23:20:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/22 20:36:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2009/11/19 15:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 15:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/11/15 13:39:41 | 000,000,771 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\SysWow64\StikyNot.exe File not found
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10k_Plugin.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://support.gateway.com/support/profiler/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.81.16.21 129.81.224.50
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\WB: DllName - Reg Error: Key error. - C:\Program Files (x86)\Stardock\MyColors\fast64.dll File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{04b640ba-d005-11de-8c03-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{04b640ba-d005-11de-8c03-001d72fa13bd}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{4613b77e-f8ca-11de-acef-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{4613b77e-f8ca-11de-acef-001d72fa13bd}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{89aa4200-c611-11df-a771-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{89aa4200-c611-11df-a771-001d72fa13bd}\Shell\AutoRun\command - "" = H:\setup.exe -- File not found
O33 - MountPoints2\{d190a0cd-a44f-11df-8421-00216bd04802}\Shell - "" = AutoRun
O33 - MountPoints2\{d190a0cd-a44f-11df-8421-00216bd04802}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O33 - MountPoints2\{f0c3cfe5-c978-11de-be3d-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{f0c3cfe5-c978-11de-be3d-001d72fa13bd}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f0c3d451-c978-11de-be3d-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{f0c3d451-c978-11de-be3d-001d72fa13bd}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{fe4ff483-06c5-11df-a895-001d72fa13bd}\Shell - "" = AutoRun
O33 - MountPoints2\{fe4ff483-06c5-11df-a895-001d72fa13bd}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/15 14:00:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emsisoft Anti-Malware
[2010/11/15 14:00:54 | 000,000,000 | ---D | C] -- C:\Users\xxx\Documents\Anti-Malware
[2010/11/15 13:12:17 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/11/14 14:12:36 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\idfjioer3
[2010/11/14 14:12:19 | 000,719,574 | ---- | C] (UG North ) -- C:\Users\xxx\Desktop\RkU3.8.388.590.exe
[2010/11/06 19:29:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Last.fm
[2010/11/06 19:28:38 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\Last.fm
[2010/11/06 19:28:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Last.fm
[2010/11/06 16:10:09 | 000,000,000 | ---D | C] -- C:\ProgramData\VertusTech
[2010/11/06 16:10:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Vertus Fluid Mask 3
[2010/11/03 16:01:57 | 000,049,752 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2010/01/24 01:03:39 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\xxx\AppData\Roaming\pcouffin.sys
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/22 20:41:03 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/22 20:05:00 | 000,000,936 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2583363982-885666210-410721866-1000UA.job
[2010/11/22 19:07:24 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/11/22 19:07:24 | 000,624,178 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/11/22 19:07:24 | 000,106,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/11/22 19:05:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2583363982-885666210-410721866-1000Core.job
[2010/11/22 18:33:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/21 22:41:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/21 20:06:32 | 000,380,198 | ---- | M] () -- C:\Users\xxx\Desktop\fencingreceipt.png
[2010/11/21 17:00:38 | 000,013,472 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/21 17:00:38 | 000,013,472 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/21 16:53:00 | 3217,199,104 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/20 21:39:41 | 000,001,976 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/11/18 13:33:50 | 000,024,203 | ---- | M] () -- C:\Users\xxx\Desktop\kiokchem331tentative.png
[2010/11/17 21:54:24 | 000,066,557 | ---- | M] () -- C:\Users\xxx\Desktop\LSMSA Transcript Request Form 2010 Revision.pdf
[2010/11/15 14:06:02 | 002,312,714 | ---- | M] () -- C:\Users\xxx\Desktop\Freshman-Academic-Planning-Guide-2010-2011-May-25-10.pdf
[2010/11/15 14:01:07 | 000,001,053 | ---- | M] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
[2010/11/15 13:39:41 | 000,000,771 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2010/11/15 13:11:12 | 003,909,976 | ---- | M] () -- C:\Users\xxx\Desktop\ComboFix.exe
[2010/11/14 20:58:11 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/11/12 15:54:57 | 000,032,972 | ---- | M] () -- C:\Users\xxx\Desktop\middle eastern.jpg
[2010/11/11 11:16:12 | 000,000,584 | ---- | M] () -- C:\Users\xxx\Documents\grstyles.stl
[2010/11/09 11:06:00 | 003,576,272 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/11/08 10:32:38 | 000,296,448 | ---- | M] () -- C:\Users\xxx\Desktop\gmer.exe
[2010/11/06 16:36:05 | 000,059,806 | ---- | M] () -- C:\Users\xxx\Desktop\kmno4purple - Matthew Proof.jpg
[2010/11/06 16:18:43 | 000,000,350 | ---- | M] () -- C:\Windows\SysWow64\d842ehw.tgz
[2010/11/06 16:18:43 | 000,000,114 | ---- | M] () -- C:\Windows\SysWow64\prsgrc.tgz
[2010/11/06 16:18:43 | 000,000,100 | ---- | M] () -- C:\Windows\SysWow64\prsgrc.dll
[2010/11/06 16:18:43 | 000,000,086 | ---- | M] () -- C:\Windows\SysWow64\ssprs.tgz
[2010/11/06 16:10:17 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\grcauth2.dll
[2010/11/06 16:10:17 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\grcauth1.dll
[2010/11/06 16:10:17 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\g23oe3a.tgz
[2010/11/06 16:10:17 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\g23oe3a.dll
[2010/11/06 16:10:16 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\clauth2.dll
[2010/11/06 16:10:16 | 000,001,024 | ---- | M] () -- C:\Windows\SysWow64\clauth1.dll
[2010/11/06 16:10:16 | 000,000,072 | ---- | M] () -- C:\Windows\SysWow64\ssprs.dll
[2010/11/05 22:01:30 | 000,002,442 | ---- | M] () -- C:\Users\xxx\Desktop\Google Chrome.lnk
[2010/11/04 10:16:50 | 000,166,745 | ---- | M] () -- C:\Users\xxx\Desktop\MoneyPak Sample.png
[2010/11/03 16:01:57 | 000,049,752 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/21 20:06:32 | 000,380,198 | ---- | C] () -- C:\Users\xxx\Desktop\fencingreceipt.png
[2010/11/18 13:33:49 | 000,024,203 | ---- | C] () -- C:\Users\xxx\Desktop\kiokchem331tentative.png
[2010/11/17 21:54:24 | 000,066,557 | ---- | C] () -- C:\Users\xxx\Desktop\LSMSA Transcript Request Form 2010 Revision.pdf
[2010/11/15 14:06:02 | 002,312,714 | ---- | C] () -- C:\Users\xxx\Desktop\Freshman-Academic-Planning-Guide-2010-2011-May-25-10.pdf
[2010/11/15 14:01:07 | 000,001,053 | ---- | C] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
[2010/11/15 13:10:58 | 003,909,976 | ---- | C] () -- C:\Users\xxx\Desktop\ComboFix.exe
[2010/11/14 14:37:11 | 000,296,448 | ---- | C] () -- C:\Users\xxx\Desktop\gmer.exe
[2010/11/14 14:12:46 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2010/11/12 15:55:09 | 000,032,972 | ---- | C] () -- C:\Users\xxx\Desktop\middle eastern.jpg
[2010/11/06 16:36:10 | 000,059,806 | ---- | C] () -- C:\Users\xxx\Desktop\kmno4purple - Matthew Proof.jpg
[2010/11/06 16:10:17 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\g23oe3a.tgz
[2010/11/04 10:16:55 | 000,166,745 | ---- | C] () -- C:\Users\xxx\Desktop\MoneyPak Sample.png
[2010/10/22 20:31:03 | 000,000,041 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010/04/18 21:22:13 | 000,000,207 | ---- | C] () -- C:\Windows\SMMacro.INI
[2010/01/24 01:04:31 | 000,000,668 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\vso_ts_preview.xml
[2010/01/24 01:04:11 | 000,000,033 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\pcouffin.log
[2010/01/24 01:03:39 | 000,099,384 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\inst.exe
[2010/01/24 01:03:39 | 000,007,859 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\pcouffin.cat
[2010/01/24 01:03:39 | 000,001,167 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\pcouffin.inf
[2009/12/17 14:30:10 | 000,000,331 | ---- | C] () -- C:\Windows\game.ini
[2009/11/21 13:12:02 | 000,057,904 | ---- | C] () -- C:\Windows\SysWow64\wbload.dll
[2009/11/05 20:44:37 | 000,027,648 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2009/10/23 21:54:20 | 000,001,268 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/10/23 11:50:37 | 000,004,608 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:16:42 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\grcauth2.dll
[2009/07/13 17:16:42 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\grcauth1.dll
[2009/07/13 17:16:42 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\g23oe3a.dll
[2009/07/13 17:16:42 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\clauth2.dll
[2009/07/13 17:16:42 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\clauth1.dll
[2009/07/13 17:16:42 | 000,000,336 | ---- | C] () -- C:\Windows\SysWow64\d842ehw.dll
[2009/07/13 17:16:42 | 000,000,100 | ---- | C] () -- C:\Windows\SysWow64\prsgrc.dll
[2009/07/13 17:16:42 | 000,000,072 | ---- | C] () -- C:\Windows\SysWow64\ssprs.dll
[2009/07/13 17:16:42 | 000,000,016 | -H-- | C] () -- C:\Windows\SysWow64\v16qi5y.dll
[2009/07/13 15:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[1998/08/16 05:00:00 | 000,004,096 | ---- | C] () -- C:\Windows\SysWow64\sysres.dll

========== LOP Check ==========

[2009/10/23 09:40:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\acccore
[2010/04/18 21:22:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Advanced Chemistry Development
[2010/10/24 11:44:16 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Azureus
[2010/09/19 00:35:01 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\BitComet
[2010/03/21 13:39:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Command and Conquer 4
[2010/02/13 16:07:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Command and Conquer 4 Beta
[2009/10/24 16:04:56 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\DAEMON Tools Lite
[2010/09/28 10:18:34 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\LimeWire
[2010/05/18 15:40:35 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\LolClient
[2010/03/14 15:04:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
[2009/10/25 13:13:38 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Sierra Wireless
[2009/11/14 12:38:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Stardock
[2010/09/26 20:36:14 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\SteelBytes
[2010/03/12 02:45:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Sync App Settings
[2010/01/23 23:31:38 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Thunderbird
[2010/03/21 16:03:24 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ubisoft
[2010/08/17 03:15:50 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vso
[2009/07/13 23:08:49 | 000,030,992 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\Windows:12118A7CF7951C3A

< End of report >

OTL Extras logfile created on: 11/22/2010 8:38:58 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\xxx\Downloads
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 51.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 286.37 Gb Total Space | 121.15 Gb Free Space | 42.31% Space Free | Partition Type: NTFS

Computer Name: MATTHEWKIOK-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series" = Canon MX870 series MP Drivers
"{295CFB7C-A57E-4313-93E7-68E7CE1D0332}" = Adobe WinSoft Linguistics Plugin x64
"{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
"{2D74E972-5A85-44DC-9193-8A302BA8C181}" = Photoshop Camera Raw_x64
"{55D55008-E5F6-47D6-B16F-B2A40D4D145F}" = 64 Bit HP CIO Components Installer
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{5F5FEF58-F4D8-488B-BDB3-6D5B22192B02}" = HP Photosmart C5500 All-In-One Driver Software 13.0 Rel. 4
"{6631325A-9B1B-4EE7-8E64-8CC4A6F10643}" = Adobe Fonts All x64
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{82B3C254-537C-4C6D-9C79-7671A011536A}" = O2Micro Flash Memory Card Reader Driver (x64)
"{82ED9FB2-55AF-4A61-A6F3-506CEE112779}" = Motorola Mobile Drivers Installation 4.7.1
"{858CCC22-7029-4426-B4D5-58C38742EBD3}" = Diskeeper 2010 Pro Premier
"{8875A1C0-6308-4790-8CF6-D34E89880052}" = Adobe Linguistics CS4 x64
"{887797BF-37A5-4199-B0C9-0D38D6196E9A}" = Adobe Anchor Service x64 CS4
"{8C8D673B-20FB-43E6-BCB7-9B3F78F2E762}" = Adobe Type Support x64 CS4
"{8DAA31EB-6830-4006-A99F-4DF8AB24714F}" = Adobe CSI CS4 x64
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{90BA8112-80B3-4617-A3C1-BD2771B60F74}" = Adobe CMaps x64 CS4
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{A3454894-144A-4D80-B605-C128FE0D7329}" = Adobe Drive CS4 x64
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{D40172D6-CE2D-4B72-BF5F-26A04A900B7B}" = Adobe Photoshop CS4 (64 Bit)
"{DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}" = Bonjour
"{DFFABE78-8173-4E97-9C5C-22FB26192FC5}" = Adobe PDF Library Files x64 CS4
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"M-WIN-G 7.0.1 1213989_is1" = Wolfram Mathematica 7 for Students (M-WIN-G 7.0.1 1213989)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR archiver
"Zune" = Zune

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0166E190-92D7-482A-A220-DE8B7354383A}" = Demigod
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{12A1B519-5934-4508-ADBD-335347B0DC87}" = Video Web Camera
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24A8F35A-5DF5-4E88-9314-6CD6195BB283}" = Java 3D 1.3.1 (OpenGL) Runtime
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 22
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2A414CBE-CDF3-48C6-A91B-D3D4522F8EB5}" = HASP SRM Run-time
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{354D401F-05B6-4A1D-8E92-47C1BBC5302C}" = C5500
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6DD5A7FC-0DC3-4BCC-BCDF-3A4EBE565799}" = PS_AIO_04_C5500_Software_Min
"{6F3D2F66-F050-45E3-BEB1-6523FE6D6690}" = MergeModules
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2
"{760E3EF8-577D-483E-9CB2-E759880AD82E}" = League of Legends
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8570BEE8-0CA3-4977-9AB1-80ED93F0513C}" = Assassin's Creed II
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9E9B6958-F339-489A-A984-520047E96921}" = Cn3D 4.1
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7B3E9B3-FB14-4927-894B-E9124509AF5A}" = Adobe Flash Player 10 ActiveX
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1" = Rootkit Unhooker LE 3.8 SR 2
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB9607C0-17B8-42B8-BB99-A1C9F7038363}" = Wolfram Notebook Indexer 2.0
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"8461-7759-5462-8226" = Vuze
"ACDLabs in C__ACDFREE12_" = ACD/Labs Software in C:\ACDFREE12\
"ACDLabs in C__Program_Files_(x86)_ACDFREE12_" = ACD/Labs Software in C:\Program Files (x86)\ACDFREE12\
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AIM_7" = AIM 7
"Allway Sync_is1" = Allway Sync version 10.1.1
"Audacity_is1" = Audacity 1.2.6
"BitComet" = BitComet 1.24
"CloneCD" = CloneCD
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Demigod" = Demigod
"Ear Training 101 & Rhythmic Patternsv. 4.0" = Ear Training 101 & Rhythmic Patterns
"Emsisoft Anti-Malware_is1" = Emsisoft Anti-Malware 5.0
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Impulse" = Impulse
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"LastFM_is1" = Last.fm 1.5.4.27091
"LimeWire" = LimeWire PRO 5.5.1
"MotoConnect" = MotoConnect 1.1.31
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Mozilla Thunderbird (3.1.6)" = Mozilla Thunderbird (3.1.6)
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"StarCraft II" = StarCraft II
"Steam App 50280" = Mafia II - Demo
"SUPER ©" = SUPER © Version 2010.bld.38 (May 2, 2010)
"VertusFluidMask3" = Vertus Fluid Mask 3 3.0.10
"VLC media player" = VLC media player 1.0.5
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


After installing rootkitunhooker, I couldn't open the program no matter what settings I tried, and I followed all the directions (randomly naming everything associated with it). Here is the error I got:
Posted Image

I'm running a legitimate copy of Windows 7 x64 Professional Edition, btw. Thanks for your time!

Edited by elise025, 30 March 2011 - 01:28 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,103 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 23 November 2010 - 11:06 AM

Hi again,


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 cycohexane

cycohexane
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 24 November 2010 - 02:36 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5179

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/24/2010 1:34:32 AM
mbam-log-2010-11-24 (01-34-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 315694
Time elapsed: 57 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Downloads\Assassins_Creed_II-crack-SKIDROW\SKIDROW\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Users\xxx\Apps\ChemOffice Ultra 2008 11.01\tbe\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\xxx\Apps\Cracks\Multi keygen.exe (Trojan.Orsam) -> Quarantined and deleted successfully.
C:\Users\xxx\backup\Other Stuff\Cracks\Multi keygen.exe (Trojan.Orsam) -> Quarantined and deleted successfully.

I will let you know whether the symptoms have gone away or not after this. The files removed by the program have been on my computer for several months without ever causing difficulty, so I'm cautiously optimistic right now. Anyway, I'll keep you posted. Thanks for the help so far!

Edited by elise025, 30 March 2011 - 01:30 AM.


#6 Elise


Posted 24 November 2010 - 06:21 AM

Please keep me posted on the original problem.

P2P WARNING
-------------------
Going over your logs I noticed that you have BitComet and LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitComet and LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image


If you wish to keep it, please do not use it until your computer is cleaned.

regards, Elise




#7 cycohexane


Posted 28 November 2010 - 04:22 PM

Hi Elise,

Here are the things ESET found:

C:\Users\Matthew Kiok\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\1f3f8202-3167dd70 multiple threats deleted - quarantined
C:\Users\Matthew Kiok\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1fd53268-11132bf8 probably a variant of Win32/Agent.DYXWUMY trojan deleted - quarantined
C:\Users\Matthew Kiok\Downloads\sr-aciif.7z a variant of Win32/Packed.VMProtect.AAA trojan deleted - quarantined

Unfortunately, the r3.google.com redirect is still present, although I've noticed that it changes my Google search results page slightly when it hijacks the links. Normally my Google pages are at a larger font, but when the page gets hijacked, the font is much smaller. Just for reference, I use the search feature in Firefox or Google Chrome more often than going to google.com and then searching for my result, so maybe the search feature in the browsers is infected?

Thanks for your time!

#8 Elise


Posted 28 November 2010 - 04:38 PM

What happens to your search results when using the r3.google.com page?

regards, Elise




#9 cycohexane


Posted 28 November 2010 - 05:25 PM

I took some screenshots of a normal google search versus the hijacked ones:

Posted Image
^^ This is a normal search
Posted Image
^^ This is a hijacked search (notice the never ending loading circle at the tab and the redirected link at the bottom left)
Posted Image
^^ This is the first thing that comes up when I click the link
Posted Image
^^ This page is variable - after the "loading" screen different advertisements will come up each time I click the link again

#10 Elise


Posted 29 November 2010 - 04:32 AM

Let's also do a rootkit scan here.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
Link 1
Link 2
Link 3
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise



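The MBR check requested above boils down to reading the first 512-byte sector of the disk, confirming it is a valid MBR and comparing its boot code with a known-good copy, because a bootkit overwrites that code while leaving the partition table alone so the system still boots. The script below is an added example of that kind of audit; it is not part of this thread and is not MBRCheck's code. It parses the sector, checks the 0x55AA signature, compares the 440-byte boot code against a caller-supplied reference, and sanity-checks the partition table (status bytes, multiple active partitions, overlapping entries). The sample sectors are constructed inline, and CLEAN_BOOT_CODE is an assumed generic x86 prologue rather than the real Windows 7 MBR, so on a real machine you would pass a sector dumped from a known-clean install as the reference.

```python
"""Audit a 512-byte MBR sector the way a bootkit check does.

Added example (not from the thread and not MBRCheck's code). Verifies the
0x55AA signature, compares the boot code against a caller-supplied known-good
copy, and sanity-checks the partition table. Sample sectors below are
constructed, and CLEAN_BOOT_CODE is an assumed generic prologue, not the real
Windows 7 MBR.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOT_CODE_LEN = 440        # bytes 0..439; then 4-byte disk signature + 2 reserved bytes
PT_OFFSET = 446            # four 16-byte partition entries start here
PT_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1


def parse_partitions(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PT_ENTRY, sector, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        parts.append(Partition(i, status, ptype, start, count))
    return parts


def audit_mbr(sector: bytes, known_good_boot_code: Optional[bytes] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    if sector[510:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    if known_good_boot_code is not None and boot_code != known_good_boot_code:
        digest = hashlib.sha256(boot_code).hexdigest()[:16]
        findings.append(f"boot code differs from known-good copy (sha256 {digest}...)")
    parts = parse_partitions(sector)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
        if p.start_lba == 0 or p.sectors == 0:
            findings.append(f"partition {p.index}: zero start LBA or length")
    if sum(1 for p in parts if p.status == 0x80) > 1:
        findings.append("more than one partition marked active")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.start_lba <= b.end_lba and b.start_lba <= a.end_lba:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_mbr(boot_code: bytes, entries, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a test sector from boot code and (status, type, start, count) tuples."""
    table = b"".join(struct.pack(PT_ENTRY, *e) for e in entries).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE)


# Constructed samples. CLEAN_BOOT_CODE is an assumed generic x86 prologue
# (xor ax,ax / mov ss,ax / mov sp,0x7c00 / mov es,ax / mov ds,ax), not a real Windows MBR.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_TABLE = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 312371200)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_TABLE)

# Bootkit-style tampering: the partition table is untouched, but the first
# instruction is replaced with a jump into code the attacker placed elsewhere.
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:], CLEAN_TABLE)

# Corrupt table: two active partitions that overlap each other.
BAD_TABLE_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800), (0x80, 0x17, 100000, 300000)])


if __name__ == "__main__":
    # Usage: python mbr_audit.py <raw-sector-or-disk-image> [known-good-sector]
    with open(sys.argv[1], "rb") as f:
        sector = f.read(SECTOR_SIZE)
    reference = None
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as f:
            reference = f.read(SECTOR_SIZE)[:BOOT_CODE_LEN]
    for line in audit_mbr(sector, reference) or ["no findings"]:
        print(line)
```

On Windows the first argument would be a sector dumped from \\.\PhysicalDrive0 (reading it requires an elevated prompt); without a reference sector the script only reports structural problems in the table, which is why a known-good boot code copy matters for catching a bootkit that keeps the table intact.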

#11 cycohexane


Posted 29 November 2010 - 06:20 AM

Thanks for your patience so far, Elise:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Gateway
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Gateway
System Product Name: P-7805u
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 176):
0x0301C000 \SystemRoot\system32\ntoskrnl.exe
0x035F8000 \SystemRoot\system32\hal.dll
0x00BB5000 \SystemRoot\system32\kdcom.dll
0x00C30000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C74000 \SystemRoot\system32\PSHED.dll
0x00C88000 \SystemRoot\system32\CLFS.SYS
0x00CE6000 \SystemRoot\system32\CI.dll
0x00E84000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F28000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x01045000 \SystemRoot\System32\Drivers\spaf.sys
0x0116B000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x01174000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x011A3000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x01000000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x0100A000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00F37000 \SystemRoot\system32\DRIVERS\pci.sys
0x01017000 \SystemRoot\System32\drivers\partmgr.sys
0x0102C000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x01035000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00F6A000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00F7F000 \SystemRoot\System32\drivers\volmgrx.sys
0x00FDB000 \SystemRoot\System32\drivers\mountmgr.sys
0x00FF5000 \SystemRoot\system32\DRIVERS\atapi.sys
0x00E00000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x00E2A000 \SystemRoot\system32\DRIVERS\msahci.sys
0x00E35000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00E45000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x00DA6000 \SystemRoot\system32\drivers\fltmgr.sys
0x00E50000 \SystemRoot\system32\drivers\fileinfo.sys
0x01215000 \SystemRoot\System32\Drivers\Ntfs.sys
0x014C3000 \SystemRoot\System32\Drivers\msrpc.sys
0x01521000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0153B000 \SystemRoot\System32\Drivers\cng.sys
0x015AE000 \SystemRoot\System32\drivers\pcw.sys
0x015BF000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01690000 \SystemRoot\system32\drivers\ndis.sys
0x01782000 \SystemRoot\system32\drivers\NETIO.SYS
0x01600000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01802000 \SystemRoot\System32\drivers\tcpip.sys
0x0162B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01675000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x01400000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01685000 \SystemRoot\System32\Drivers\spldr.sys
0x0144C000 \SystemRoot\System32\drivers\rdyboost.sys
0x017E2000 \SystemRoot\System32\Drivers\mup.sys
0x017F4000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01486000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x015C9000 \SystemRoot\system32\DRIVERS\disk.sys
0x013B8000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x00C00000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x013F3000 \SystemRoot\System32\Drivers\Null.SYS
0x015F9000 \SystemRoot\System32\Drivers\Beep.SYS
0x00E64000 \SystemRoot\System32\drivers\vga.sys
0x02C78000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02C9D000 \SystemRoot\System32\drivers\watchdog.sys
0x02CAD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02CB6000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02CBF000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02CC8000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02CD3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02CE4000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02D02000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02D0F000 \SystemRoot\system32\drivers\afd.sys
0x02D99000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02DDE000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02C00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02C26000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x02C3C000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02C4B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02DE7000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03AC7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03B18000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03B24000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03B2F000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0x03B39000 \SystemRoot\System32\drivers\discache.sys
0x03B48000 \SystemRoot\system32\drivers\csc.sys
0x03BCB000 \SystemRoot\System32\Drivers\dfsc.sys
0x03BE9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03A00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0FEF7000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10B89000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x0FE00000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x10B8B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x10BD1000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x03A26000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x10BDE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03A7C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x03C7E000 \SystemRoot\system32\DRIVERS\yk62x64.sys
0x03E68000 \SystemRoot\system32\DRIVERS\NETw5s64.sys
0x045C7000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x03E00000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x03E3E000 \SystemRoot\system32\DRIVERS\o2sdx64.sys
0x03E4A000 \SystemRoot\system32\DRIVERS\o2mdx64.sys
0x03E58000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x045D4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x03CE3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x03CF2000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x045F2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03D3B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03D4A000 \SystemRoot\System32\Drivers\ElbyCDFL.sys
0x03D58000 \SystemRoot\System32\Drivers\aiq3axhn.SYS
0x03C00000 \SystemRoot\System32\Drivers\agl6qp9f.SYS
0x045F4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x03C45000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x03C5B000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x04A5D000 \SystemRoot\system32\drivers\ks.sys
0x04AA0000 \SystemRoot\System32\Drivers\RootMdm.sys
0x04AA8000 \SystemRoot\system32\drivers\modem.sys
0x04AB7000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04ACD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04AF1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04AFD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04B2C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x04B47000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04B68000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04B82000 \SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys
0x04B8A000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x04B95000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04B97000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04A00000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x068FC000 \SystemRoot\system32\drivers\HdAudio.sys
0x06958000 \SystemRoot\system32\drivers\portcls.sys
0x06995000 \SystemRoot\system32\drivers\drmk.sys
0x069B7000 \SystemRoot\system32\drivers\ksthunk.sys
0x06800000 \SystemRoot\system32\DRIVERS\VSTAZL6.SYS
0x06A07000 \SystemRoot\system32\DRIVERS\VSTDPV6.SYS
0x06CA4000 \SystemRoot\system32\DRIVERS\VSTCNXT6.SYS
0x06D6F000 \SystemRoot\system32\drivers\nvhda64v.sys
0x06D88000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x06D9D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06DBA000 \SystemRoot\System32\Drivers\usbvideo.sys
0x06DE8000 \SystemRoot\System32\Drivers\crashdmp.sys
0x06C00000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x06C0C000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x06C17000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00010000 \SystemRoot\System32\win32k.sys
0x06C2A000 \SystemRoot\System32\drivers\Dxapi.sys
0x00480000 \SystemRoot\System32\TSDDD.dll
0x00650000 \SystemRoot\System32\cdd.dll
0x00890000 \SystemRoot\System32\ATMFD.DLL
0x06C44000 \SystemRoot\system32\drivers\luafv.sys
0x06C67000 \SystemRoot\system32\drivers\WudfPf.sys
0x06C88000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x06B7B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x06BCE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x06BE1000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x074B3000 \SystemRoot\system32\drivers\HTTP.sys
0x0757B000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x07585000 \SystemRoot\system32\DRIVERS\bowser.sys
0x075A3000 \SystemRoot\System32\drivers\mpsdrv.sys
0x075BB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07400000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x0744E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07471000 \SystemRoot\System32\Drivers\adfs.SYS
0x07489000 \??\C:\Windows\system32\drivers\aksdf.sys
0x06852000 \SystemRoot\System32\Drivers\fastfat.SYS
0x06888000 \SystemRoot\system32\DRIVERS\aksfridge.sys
0x068A8000 \??\C:\Windows\system32\drivers\hardlock.sys
0x07A4D000 \SystemRoot\system32\drivers\peauth.sys
0x07AF3000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07AFE000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07B2B000 \SystemRoot\System32\drivers\tcpipreg.sys
0x07B3D000 \SystemRoot\System32\DRIVERS\srv2.sys
0x08099000 \SystemRoot\System32\DRIVERS\srv.sys
0x0812F000 \SystemRoot\system32\DRIVERS\DKRtWrt.sys
0x081B0000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x08000000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x08009000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x08085000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x0814D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x08166000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x08173000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x0819F000 \SystemRoot\system32\DRIVERS\monitor.sys
0x77A70000 \Windows\System32\ntdll.dll
0x478D0000 \Windows\System32\smss.exe
0xFFD90000 \Windows\System32\apisetschema.dll

Processes (total 56):
0 System Idle Process
4 System
276 C:\Windows\System32\smss.exe
380 csrss.exe
444 C:\Windows\System32\wininit.exe
460 csrss.exe
504 C:\Windows\System32\services.exe
520 C:\Windows\System32\lsass.exe
528 C:\Windows\System32\lsm.exe
660 C:\Windows\System32\svchost.exe
724 C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
732 C:\Windows\System32\winlogon.exe
812 C:\Windows\System32\nvvsvc.exe
852 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\svchost.exe
320 C:\Windows\System32\svchost.exe
484 C:\Windows\System32\svchost.exe
1120 C:\Windows\System32\svchost.exe
1212 C:\Windows\System32\nvvsvc.exe
1348 C:\Windows\System32\spoolsv.exe
1384 C:\Windows\System32\svchost.exe
1420 C:\Windows\System32\svchost.exe
1560 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1636 C:\Windows\System32\hasplms.exe
1688 C:\Windows\SysWOW64\svchost.exe
1876 C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe
1928 C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
2008 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1152 C:\Windows\System32\taskhost.exe
1192 C:\Windows\System32\dwm.exe
1828 C:\Windows\explorer.exe
2084 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
2104 C:\Windows\System32\svchost.exe
2180 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2484 C:\Windows\System32\svchost.exe
2504 C:\Windows\System32\SearchIndexer.exe
2600 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2632 C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnect.exe
2740 C:\Program Files (x86)\Google\Update\1.2.183.39\GoogleCrashHandler.exe
2792 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2808 C:\Program Files\Zune\ZuneLauncher.exe
2956 C:\Windows\System32\StikyNot.exe
2044 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2804 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2984 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
3596 C:\Program Files\Windows Media Player\wmpnetwk.exe
3084 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
1516 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
1232 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
1056 C:\Windows\System32\SearchProtocolHost.exe
4008 C:\Windows\System32\SearchFilterHost.exe
568 C:\Windows\explorer.exe
3516 C:\Users\xxx\Downloads\MBRCheck.exe
2928 C:\Windows\System32\conhost.exe
1888 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`ee100000 (NTFS)

PhysicalDrive0 Model Number: ST9320421AS, Rev: SD13

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

Edited by elise025, 30 March 2011 - 01:30 AM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,103 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 29 November 2010 - 06:41 AM

Do you have this problem only in FF or also in IE?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,103 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 02 December 2010 - 06:58 AM

Hi, are you still there?

regards, Elise




#14 cycohexane

cycohexane
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 02 December 2010 - 11:51 AM

Hi, sorry for the delay. I actually have trouble replicating it in IE - it seems to only affect Firefox and Chrome, and more specifically, through www.google.com and not the built-in search bar.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,103 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 02 December 2010 - 12:26 PM

Please click Start > Programs > Mozilla Firefox and choose the option to start Firefox in Safe Mode.

If that runs without problems, it means that one of your Firefox add-ons is causing this.

regards, Elise






