Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Startsearch virus


  • This topic is locked This topic is locked
19 replies to this topic

#1 PersonaUser314

PersonaUser314

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 20 January 2012 - 09:35 PM

Originally created this topic in one of the other boards: http://www.bleepingcomputer.com/forums/topic439152.html/page__pid__2563982#entry2563982

I'm having an issue with the startsearch virus in Firefox - my homepage is reset to startsear.ch, startsearch.info or some variation on that rather than google (my orginal homepage) and my tabs from my last session are no longer restored.

Before asking for help here I'd scanned with Microsoft Security Essentials which detected nothing, and I'd deleted any startsearch files I could find in the Registry Editor (which were back again once my computer rebooted).
I was advised in the 'Am I infected?' board to download and scan with Security Check, Farbar Service Scanner, Minitoolbox, Malwarebytes, aswMBR, Gooredfix (the logs of which are in the link above), to restart Firefox with add-ons disabled and then uninstall and reinstall Firefox, both of which didn't solve the problem.

Here is the DDS log for my issue and I've attatched the additional DDS file and the GMER ark file. Hoping someone can help me out here!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Lauren at 2:09:58 on 2012-01-21
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3317.2284 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\explorer_update.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Windows\System32\StikyNot.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://startsear.info
mStart Page = hxxp://startsear.info
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Akamai NetSession Interface] "c:\users\lauren\appdata\local\akamai\netsession_win.exe"
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Explorer Update] "c:\program files\internet explorer\explorer_update.exe"
StartupFolder: c:\users\lauren\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\E4564776561627 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8BB823E6-FE78-41B1-A824-F16DE6062387} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C5387D32-A527-4127-BD1A-2E4922D0AEFA} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E687C931-C817-4DEA-B03D-F218E4CF3E43} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lauren\appdata\roaming\mozilla\firefox\profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: browser.startup.homepage - hxxp://startsear.info
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-10-26 464384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-28 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-21 1343400]
.
=============== Created Last 30 ================
.
2012-01-20 21:31:13 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eb9b9abd-089e-4f97-8a2b-d689d2527946}\mpengine.dll
2012-01-20 20:50:21 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 20:50:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-18 09:07:31 1046528 --sha-w- c:\program files\internet explorer\bin\iexplore.exe
2012-01-18 00:00:31 6110435 --sha-w- c:\program files\internet explorer\explorer_update.exe
2012-01-17 22:23:06 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:23:06 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-17 22:23:06 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-17 22:23:06 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:23:06 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:23:06 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:23:06 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-17 22:23:06 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-17 22:23:06 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-17 22:23:05 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 14:11:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 14:11:34 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 14:11:31 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 14:11:31 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-22 14:10:43 -------- d-----w- c:\program files\DAEMON Tools Lite
.
==================== Find3M ====================
.
2011-12-22 14:11:44 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:47:40 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:47:40 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-24 13:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 13:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 2:10:43.23 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:54 AM

Posted 26 January 2012 - 09:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/439195 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 27 January 2012 - 10:16 AM

I've already explained my issue in depth in post 1 and the other thread, but the long and short of it is that I'm constantly being redirected to startsearch sites instead of google and my Firefox options keep being reset.

Second set of DDS logs (with the other DDS and GMER attatched~):
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Lauren at 14:55:36 on 2012-01-27
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3317.2337 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\explorer_update.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://startsear.info
mStart Page = hxxp://startsear.info
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Akamai NetSession Interface] "c:\users\lauren\appdata\local\akamai\netsession_win.exe"
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Explorer Update] "c:\program files\internet explorer\explorer_update.exe"
StartupFolder: c:\users\lauren\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}\E4564776561627 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8BB823E6-FE78-41B1-A824-F16DE6062387} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C5387D32-A527-4127-BD1A-2E4922D0AEFA} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E687C931-C817-4DEA-B03D-F218E4CF3E43} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lauren\appdata\roaming\mozilla\firefox\profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-10-26 464384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-28 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-21 1343400]
.
=============== Created Last 30 ================
.
2012-01-26 17:20:37 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{29529a8f-b138-4c56-925d-69d7941715f7}\mpengine.dll
2012-01-20 20:50:21 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 20:50:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-18 09:07:31 1046528 --sha-w- c:\program files\internet explorer\bin\iexplore.exe
2012-01-18 00:00:31 6110435 --sha-w- c:\program files\internet explorer\explorer_update.exe
2012-01-17 22:23:06 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:23:06 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-17 22:23:06 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-17 22:23:06 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:23:06 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:23:06 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:23:06 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-17 22:23:06 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-17 22:23:06 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-17 22:23:05 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 14:11:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 14:11:34 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 14:11:31 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 14:11:31 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-01-23 13:40:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 09:26:22 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-22 14:11:44 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:57:06.47 ===============

Attached Files



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 27 January 2012 - 10:47 AM

Hello PersonaUser314 and welcome to BC.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick combofix's window while its running because it may call it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 27 January 2012 - 11:31 AM

Ran Combofix, here's the log:

ComboFix 12-01-27.01 - Lauren 27/01/2012 16:02:14.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3317.1912 [GMT 0:00]
Running from: c:\users\Lauren\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 16:06 . 2012-01-27 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-27 14:57 . 2012-01-27 14:57 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{29529A8F-B138-4C56-925D-69D7941715F7}\MpKsl4272bf52.sys
2012-01-26 17:20 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{29529A8F-B138-4C56-925D-69D7941715F7}\mpengine.dll
2012-01-20 20:50 . 2012-01-20 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 20:50 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-18 09:07 . 2012-01-11 02:21 1046528 --sha-w- c:\program files\Internet Explorer\bin\iexplore.exe
2012-01-18 00:00 . 2012-01-17 17:50 6110435 --sha-w- c:\program files\Internet Explorer\explorer_update.exe
2012-01-17 22:23 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:23 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-17 22:23 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-17 22:23 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-17 22:23 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-17 22:23 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:23 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:23 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-17 22:23 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:23 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 14:11 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 14:11 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 14:11 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 14:11 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-23 13:40 . 2011-06-16 19:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2011-05-01 16:25 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-04 09:26 . 2009-10-26 15:00 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-22 14:11 . 2011-02-10 03:32 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-24 04:25 . 2011-12-15 02:30 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35 . 2011-12-15 02:30 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26 . 2011-12-15 02:30 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48 . 2011-12-15 02:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-21 07:42 . 2012-01-21 01:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Lauren\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Explorer Update"="c:\program files\Internet Explorer\explorer_update.exe" [2012-01-17 6110435]
.
c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 inqgizgf;inqgizgf;c:\windows\system32\drivers\inqgizgf.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-21 1343400]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 MpKsl4272bf52;MpKsl4272bf52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{29529A8F-B138-4C56-925D-69D7941715F7}\MpKsl4272bf52.sys [2012-01-27 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-10-26 464384]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL4272BF52
*Deregistered* - uxdirpob
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://startsear.info
mStart Page = hxxp://startsear.info
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-Locked - (no file)
AddRemove-Brass Restoration English_is1 - c:\program files\Brass Restoration English\unins000.exe
AddRemove-Katawa Shoujo Act 1 - c:\program files\Katawa Shoujo Act 1\Uninstall Katawa Shoujo Act 1.exe
AddRemove-{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1 - c:\users\Lauren\Desktop\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-27 16:08:01
ComboFix-quarantined-files.txt 2012-01-27 16:08
.
Pre-Run: 144,446,201,856 bytes free
Post-Run: 144,794,533,888 bytes free
.
- - End Of File - - 2CA5ABA7892C01ED7E1F7EAC85147B29

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 27 January 2012 - 10:26 PM

Hi,

We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

File::
c:\windows\system32\drivers\inqgizgf.sys
c:\program files\internet explorer\explorer_update.exe

DDS::
uStart Page = hxxp://startsear.info
mStart Page = hxxp://startsear.info
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
uURLSearchHooks: H - No File
BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File

Driver::
inqgizgf

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 29 January 2012 - 07:34 PM

Here's the second log:

ComboFix 12-01-29.02 - Lauren 30/01/2012 0:19.2.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3317.2390 [GMT 0:00]
Running from: c:\users\Lauren\Desktop\ComboFix.exe
Command switches used :: c:\users\Lauren\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\internet explorer\explorer_update.exe"
"c:\windows\system32\drivers\inqgizgf.sys"
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\internet explorer\explorer_update.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_inqgizgf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
.
.
2012-01-30 00:25 . 2012-01-30 00:26 -------- d-----w- c:\users\Lauren\AppData\Local\temp
2012-01-30 00:25 . 2012-01-30 00:25 -------- d-----w- c:\users\Lauren1\AppData\Local\temp
2012-01-30 00:25 . 2012-01-30 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-30 00:17 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F22984AE-EA02-4796-B3F4-B73CF15376D0}\mpengine.dll
2012-01-27 17:37 . 2012-01-27 17:37 -------- d-----w- c:\program files\iPod
2012-01-20 20:50 . 2012-01-20 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 20:50 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-18 09:07 . 2012-01-11 02:21 1046528 --sha-w- c:\program files\Internet Explorer\bin\iexplore.exe
2012-01-17 22:23 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-17 22:23 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-17 22:23 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-17 22:23 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-17 22:23 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-17 22:23 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-17 22:23 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-17 22:23 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-17 22:23 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 22:23 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 14:11 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 14:11 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 14:11 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 14:11 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-23 13:40 . 2011-06-16 19:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2011-05-01 16:25 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-04 09:26 . 2009-10-26 15:00 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-22 14:11 . 2011-02-10 03:32 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-24 04:25 . 2011-12-15 02:30 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35 . 2011-12-15 02:30 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26 . 2011-12-15 02:30 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48 . 2011-12-15 02:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-21 07:42 . 2012-01-21 01:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Lauren\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-21 1343400]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-10-26 464384]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:35]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1:9421
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\kj7vdly3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Explorer Update - c:\program files\Internet Explorer\explorer_update.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-01-30 00:29:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-30 00:29
ComboFix2.txt 2012-01-27 16:08
.
Pre-Run: 150,451,900,416 bytes free
Post-Run: 150,302,203,904 bytes free
.
- - End Of File - - 5D17F724EEF9BAC070113A6D896D9166

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 30 January 2012 - 04:53 AM

Thanks, we need to run some more test.


:step1: Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\program files\internet explorer\bin\iexplore.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


:step2: Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Double-click the SystemLook and copy-paste the following into the box
    :dir
    c:\program files\internet explorer\bin
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


:step3: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 02 February 2012 - 09:33 AM

I wasn't able to complete step 1, I looked in the Internet Explorer\bin file but the .exe file wasn't there. I checked to see if it was a hidden file, but it still didn't turn up.

Here's the rest of the logs:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:32 on 02/02/2012 by Lauren
Administrator - Elevation successful

========== dir ==========

c:\program files\internet explorer\bin - Parameters: "(none)"

---Files---
iexplore.exe --ahs-- 1046528 bytes [09:07 18/01/2012] [02:21 11/01/2012]

---Folders---
None found.

-= EOF =-

OTL:

OTL logfile created on: 2/2/2012 2:29:17 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Lauren\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 2.34 Gb Available Physical Memory | 72.19% Memory free
6.48 Gb Paging File | 5.59 Gb Available in Paging File | 86.25% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 450.70 Gb Total Space | 135.02 Gb Free Space | 29.96% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 14.03 Gb Free Space | 93.55% Space Free | Partition Type: NTFS
Drive J: | 2.36 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: LAUREN-PC | User Name: Lauren | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/02 14:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Lauren\Desktop\OTL.exe
PRC - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/23 05:57:30 | 003,334,432 | ---- | M] (Akamai Technologies, Inc) -- C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 03:17:48 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/27 01:00:44 | 003,342,112 | ---- | M] () [Auto | Running] -- c:\program files\common files\akamai/netsession_win_e286960.dll -- (Akamai)
SRV - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/05/21 23:20:28 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/12/22 14:11:44 | 000,428,088 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2011/04/27 14:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 12:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/11/20 01:24:42 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 00:59:46 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/10/26 14:41:47 | 000,464,384 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421



IE - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/02 00:55:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/01/21 01:13:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lauren\AppData\Roaming\Mozilla\Extensions
[2012/01/30 00:14:29 | 000,002,105 | ---- | M] () -- C:\Users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\kj7vdly3.default\searchplugins\google.xml
[2012/01/21 01:13:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/02 00:55:26 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

========== Chrome ==========

CHR - default_search_provider: Bing ()
CHR - default_search_provider: search_url = http://www.bing.com/search?setmkt=en-GB&q={searchTerms}
CHR - default_search_provider: suggest_url = http://api.bing.com/osjson.aspx?query={searchTerms}&language={language}

O1 HOSTS File: ([2012/01/30 00:26:18 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000..\Run: [Akamai NetSession Interface] C:\Users\Lauren\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - Startup: C:\Users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5292756D-EE0E-432B-9105-EECC825BCECD}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8BB823E6-FE78-41B1-A824-F16DE6062387}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C5387D32-A527-4127-BD1A-2E4922D0AEFA}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E687C931-C817-4DEA-B03D-F218E4CF3E43}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/26 05:48:55 | 000,000,047 | R--- | M] () - J:\AUTORUN.INF -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/02 14:27:37 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Lauren\Desktop\OTL.exe
[2012/02/01 03:01:57 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll
[2012/02/01 03:01:56 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll
[2012/02/01 03:01:55 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2012/02/01 03:01:38 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2012/01/30 00:29:42 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/01/30 00:26:26 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/30 00:25:04 | 000,000,000 | ---D | C] -- C:\Users\Lauren\AppData\Local\temp
[2012/01/30 00:18:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/29 00:27:27 | 000,000,000 | ---D | C] -- C:\Users\Lauren\Desktop\UMvC3 looped character themes 1-12
[2012/01/27 23:08:18 | 000,000,000 | ---D | C] -- C:\Users\Lauren\Desktop\Marvel vs. Capcom 3 - Fate of Two Worlds OST
[2012/01/27 17:37:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/01/27 17:37:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/01/27 16:01:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/27 16:01:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/27 16:01:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/27 16:01:01 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/27 16:00:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/26 01:24:44 | 000,000,000 | ---D | C] -- C:\Users\Lauren\Desktop\The E! couples tourney -FABERRY LOLS
[2012/01/21 19:38:56 | 000,000,000 | ---D | C] -- C:\Users\Lauren\Desktop\Fixers
[2012/01/21 01:13:28 | 000,000,000 | ---D | C] -- C:\Users\Lauren\AppData\Roaming\Mozilla
[2012/01/21 01:13:22 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/01/20 20:50:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/20 20:50:21 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/20 20:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/18 09:07:28 | 000,000,000 | ---D | C] -- C:\Users\Lauren\AppData\Roaming\Opera
[2012/01/17 22:23:06 | 000,314,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webio.dll
[2012/01/17 22:23:05 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sspisrv.dll
[2012/01/11 14:11:34 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\packager.dll
[2012/01/11 14:11:31 | 001,328,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2012/01/11 14:11:31 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
[2011/09/02 22:59:20 | 000,216,064 | ---- | C] ( ) -- C:\Windows\System32\lagarith.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/02 14:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Lauren\Desktop\OTL.exe
[2012/02/02 14:26:36 | 000,013,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/02 14:26:36 | 000,013,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/02 14:26:05 | 000,139,264 | ---- | M] () -- C:\Users\Lauren\Desktop\SystemLook.exe
[2012/02/02 14:23:44 | 000,620,814 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/02 14:23:44 | 000,108,034 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/02 14:20:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/02 14:19:32 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/02 14:19:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/02 14:19:12 | 2608,730,112 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/01 02:15:55 | 000,000,214 | ---- | M] () -- C:\Users\Lauren\Desktop\Star Trek Online.url
[2012/02/01 00:44:57 | 002,882,688 | ---- | M] () -- C:\Users\Lauren\Desktop\Gold Digger - Glee.mp3
[2012/01/31 23:47:46 | 006,536,992 | ---- | M] () -- C:\Users\Lauren\Desktop\113 Cerberus Battle.mp3
[2012/01/31 23:36:45 | 006,404,645 | ---- | M] () -- C:\Users\Lauren\Desktop\218 Geryon Battle 1.mp3
[2012/01/31 22:46:48 | 002,211,313 | ---- | M] () -- C:\Users\Lauren\Desktop\224 Mode Select.mp3
[2012/01/31 22:32:53 | 003,838,166 | ---- | M] () -- C:\Users\Lauren\Desktop\203 Shoot the Works (Dante Battle 2).mp3
[2012/01/31 12:44:05 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2012/01/30 00:26:18 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/30 00:13:16 | 000,000,176 | ---- | M] () -- C:\Users\Lauren\defogger_reenable
[2012/01/29 15:27:46 | 003,987,456 | ---- | M] () -- C:\Users\Lauren\Desktop\Buenos Aires.mp3
[2012/01/29 04:16:23 | 005,767,296 | ---- | M] () -- C:\Users\Lauren\Desktop\Pumped Up Kicks.mp3
[2012/01/29 01:44:07 | 017,084,121 | ---- | M] () -- C:\Users\Lauren\Desktop\Twister Combo.mp3
[2012/01/27 17:37:42 | 000,001,715 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/01/26 18:09:06 | 003,304,704 | ---- | M] () -- C:\Users\Lauren\Desktop\Planet Terror - Cherrys Dance of Death.mp3
[2012/01/23 13:40:57 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/01/21 01:13:24 | 000,001,062 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/09 02:22:28 | 000,004,096 | -H-- | M] () -- C:\Users\Lauren\AppData\Local\keyfile3.drm
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/02 14:26:04 | 000,139,264 | ---- | C] () -- C:\Users\Lauren\Desktop\SystemLook.exe
[2012/02/01 02:15:55 | 000,000,214 | ---- | C] () -- C:\Users\Lauren\Desktop\Star Trek Online.url
[2012/02/01 00:44:48 | 002,882,688 | ---- | C] () -- C:\Users\Lauren\Desktop\Gold Digger - Glee.mp3
[2012/01/31 23:47:40 | 006,536,992 | ---- | C] () -- C:\Users\Lauren\Desktop\113 Cerberus Battle.mp3
[2012/01/31 23:36:37 | 006,404,645 | ---- | C] () -- C:\Users\Lauren\Desktop\218 Geryon Battle 1.mp3
[2012/01/31 22:46:33 | 002,211,313 | ---- | C] () -- C:\Users\Lauren\Desktop\224 Mode Select.mp3
[2012/01/31 22:32:41 | 003,838,166 | ---- | C] () -- C:\Users\Lauren\Desktop\203 Shoot the Works (Dante Battle 2).mp3
[2012/01/30 00:13:02 | 000,000,176 | ---- | C] () -- C:\Users\Lauren\defogger_reenable
[2012/01/29 15:26:10 | 003,987,456 | ---- | C] () -- C:\Users\Lauren\Desktop\Buenos Aires.mp3
[2012/01/29 04:16:12 | 005,767,296 | ---- | C] () -- C:\Users\Lauren\Desktop\Pumped Up Kicks.mp3
[2012/01/29 01:43:37 | 017,084,121 | ---- | C] () -- C:\Users\Lauren\Desktop\Twister Combo.mp3
[2012/01/27 17:37:42 | 000,001,715 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/01/27 16:01:05 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/27 16:01:05 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/27 16:01:05 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/27 16:01:05 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/27 16:01:05 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/26 18:08:54 | 003,304,704 | ---- | C] () -- C:\Users\Lauren\Desktop\Planet Terror - Cherrys Dance of Death.mp3
[2012/01/21 01:13:24 | 000,001,074 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/21 01:13:24 | 000,001,062 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/09 02:22:28 | 000,004,096 | -H-- | C] () -- C:\Users\Lauren\AppData\Local\keyfile3.drm
[2011/09/02 22:59:25 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/09/02 22:59:23 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2011/09/02 22:59:20 | 003,164,160 | ---- | C] () -- C:\Windows\System32\x264vfw.dll
[2011/09/02 22:59:19 | 000,650,752 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/09/02 22:59:19 | 000,243,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/09/02 22:59:19 | 000,074,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\Users\Lauren\AppData\Local\ge1h52kug87a71m260f6foj7c8hp6q36c
[2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\ProgramData\216868543
[2011/04/18 15:33:59 | 000,011,966 | -HS- | C] () -- C:\ProgramData\ge1h52kug87a71m260f6foj7c8hp6q36c
[2011/03/29 21:33:28 | 000,000,000 | ---- | C] () -- C:\Users\Lauren\AppData\Roaming\4555xx.ini
[2010/12/02 00:12:32 | 000,003,584 | ---- | C] () -- C:\Users\Lauren\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/14 22:36:43 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010/06/11 15:29:38 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/10/29 13:01:43 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/10/26 14:42:13 | 000,200,704 | ---- | C] () -- C:\Windows\System32\UpdateDriver.exe
[2009/10/26 14:42:12 | 000,005,224 | ---- | C] () -- C:\Windows\System32\ucuiinfo.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/14 04:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:33:53 | 000,391,816 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 02:05:48 | 000,620,814 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 02:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 02:05:48 | 000,108,034 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 02:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 02:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 02:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 23:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2011/09/03 23:57:21 | 000,002,036 | ---- | M] ()(C:\Users\Public\Desktop\The Sims? 3.lnk) -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2011/09/03 23:57:21 | 000,002,036 | ---- | C] ()(C:\Users\Public\Desktop\The Sims? 3.lnk) -- C:\Users\Public\Desktop\The Sims™ 3.lnk

< End of report >

Extras:

OTL Extras logfile created on: 2/2/2012 2:29:17 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Lauren\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 2.34 Gb Available Physical Memory | 72.19% Memory free
6.48 Gb Paging File | 5.59 Gb Available in Paging File | 86.25% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 450.70 Gb Total Space | 135.02 Gb Free Space | 29.96% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 14.03 Gb Free Space | 93.55% Space Free | Partition Type: NTFS
Drive J: | 2.36 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: LAUREN-PC | User Name: Lauren | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2179354138-2495226338-1312034963-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}" = mkv2vob
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 29
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40719211-D09A-11DF-BA30-0013D3D69929}" = MSVCRT Redists
"{45057FCE-5784-48BE-8176-D9D00AF56C3C}" = The Sims™ 3 Late Night
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6AE22174-4FFA-4572-B692-31F0C386ED38}" = Consolas Font Family
"{6B4AD1A9-E73A-4184-9D6B-072F8A3C5EBA}" = VoiceOver Kit
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = The Sims™ 3 Ambitions
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A4B9033B-D183-4A6C-9BCB-6BC8F80B939D}" = RPS CRT
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3DAF54F-DB25-4586-9EF1-96D24BB14088}" = Windows Movie Maker 2.6
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C8A86EA6-DB77-4A33-830F-D5BCCC24457A}" = ギャラクシーエンジェル
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E6B88BD6-E4B2-4701-A648-B6DAC6E491CC}" = The Sims™ 3 Generations
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}" = Belkin 54Mbps Wireless Network Adapter
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"7-Zip" = 7-Zip 4.65
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Akamai" = Akamai NetSession Interface Service
"Alon Audio Extractor(Freeware)_is1" = Alon Audio Extractor 3.0
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"Audacity_is1" = Audacity 1.2.6
"DAEMON Tools Lite" = DAEMON Tools Lite
"EADM" = EA Download Manager
"HDMI" = Intel® Graphics Media Accelerator Driver
"IsoBuster_is1" = IsoBuster 2.8.5
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 7.7.0
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"MBACWIN" = MELTY BLOOD Act Cadenza Ver.B WindowsӁ
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 10.0 (x86 en-GB)" = Mozilla Firefox 10.0 (x86 en-GB)
"Open Codecs" = Xiph.Org Open Codecs 0.85.17777
"Shin Megami Tensei: Imagine Online" = Shin Megami Tensei: Imagine Online
"Steam App 105600" = Terraria
"Steam App 12900" = Audiosurf
"Steam App 32370" = Star Wars: Knights of the Old Republic
"Steam App 34270" = SEGA Genesis & Mega Drive Classics
"Steam App 9900" = Star Trek Online
"StepMania" = StepMania 3.9a (remove only)
"TVWiz" = Intel® TV Wizard
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2179354138-2495226338-1312034963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Akamai" = Akamai NetSession Interface
"Yume Nikki 0.10 English v3" = Yume Nikki 0.10 English v3

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 02 February 2012 - 10:24 AM

Hi,

Please tell me how's the computer running after doing the instructions below.


:step1: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    IE - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
    O4 - Startup: C:\Users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = File not found
    [2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\Users\Lauren\AppData\Local\ge1h52kug87a71m260f6foj7c8hp6q36c
    [2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\ProgramData\216868543
    [2011/04/18 15:33:59 | 000,011,966 | -HS- | C] () -- C:\ProgramData\ge1h52kug87a71m260f6foj7c8hp6q36c
    [2011/03/29 21:33:28 | 000,000,000 | ---- | C] () -- C:\Users\Lauren\AppData\Roaming\4555xx.ini
    
    :Files
    c:\program files\internet explorer\bin
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A massage box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.



:step2: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 05 February 2012 - 07:00 PM

Are you still with me?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 05 February 2012 - 09:02 PM

Yes I'm still here, sorry about that.

OTL crashes on attempting to run with the code given for the CS/F box. I tried it 3 times and it crashes once it reaches the 'scanning modules' stage.

Here's the ESET Log:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a4296ec2d12b5a46901a351f988162d8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-06 01:58:40
# local_time=2012-02-06 01:58:40 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 24499268 80956166 0 0
# compatibility_mode=8192 67108863 100 0 3716 3716 0 0
# scanned=165292
# found=2
# cleaned=0
# scan_time=3745
C:\Program Files\Internet Explorer\bin\iexplore.exe a variant of Win32/BitCoinMiner application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Lauren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-1344be85 Java/TrojanDownloader.OpenStream.NBW trojan (unable to clean) 00000000000000000000000000000000 I

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 06 February 2012 - 10:05 AM

Hi,

OTL crashes on attempting to run with the code given for the CS/F box. I tried it 3 times and it crashes once it reaches the 'scanning modules' stage.

You need to click the Run Fix button and not the Scan button. Please try it again but use the below script instead.


:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
IE - HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421
O4 - Startup: C:\Users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = File not found
[2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\Users\Lauren\AppData\Local\ge1h52kug87a71m260f6foj7c8hp6q36c
[2011/04/18 15:34:18 | 000,011,164 | -HS- | C] () -- C:\ProgramData\216868543
[2011/04/18 15:33:59 | 000,011,966 | -HS- | C] () -- C:\ProgramData\ge1h52kug87a71m260f6foj7c8hp6q36c
[2011/03/29 21:33:28 | 000,000,000 | ---- | C] () -- C:\Users\Lauren\AppData\Roaming\4555xx.ini

:Files
c:\program files\internet explorer\bin
ipconfig /flushdns /c
C:\Users\Lauren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-1344be85

:Commands
[EMPTYTEMP]

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 PersonaUser314

PersonaUser314
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 06 February 2012 - 12:05 PM

Ah, my bad sorry ==''

Here's the log for the OTL with the second script:

All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-2179354138-2495226338-1312034963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
C:\Users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk moved successfully.
C:\Users\Lauren\AppData\Local\ge1h52kug87a71m260f6foj7c8hp6q36c moved successfully.
C:\ProgramData\216868543 moved successfully.
C:\ProgramData\ge1h52kug87a71m260f6foj7c8hp6q36c moved successfully.
C:\Users\Lauren\AppData\Roaming\4555xx.ini moved successfully.
========== FILES ==========
c:\program files\internet explorer\bin folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Lauren\Desktop\Fixers\cmd.bat deleted successfully.
C:\Users\Lauren\Desktop\Fixers\cmd.txt deleted successfully.
C:\Users\Lauren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-1344be85 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lauren
->Temp folder emptied: 9305164 bytes
->Temporary Internet Files folder emptied: 11927685 bytes
->Java cache emptied: 680661 bytes
->FireFox cache emptied: 1104636930 bytes
->Google Chrome cache emptied: 6138516 bytes
->Flash cache emptied: 292471 bytes

User: Lauren1
->Temp folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 117354 bytes
RecycleBin emptied: 1013760 bytes

Total Files Cleaned = 1,082.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02062012_170051

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:54 PM

Posted 06 February 2012 - 12:12 PM

How's the computer running now?


:step1: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "Java SE 7u2".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select "Windows x86 Offline" and click on jre-7u2-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


:step2: Please run OTL and click the "Quick Scan" button, post the new report for my review.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users