Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Chrome redirecting issue


  • This topic is locked This topic is locked
8 replies to this topic

#1 Michael Barrera

Michael Barrera

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 09 February 2012 - 07:21 PM

Win 7 x64
Chrome 16.0.912.77 m

Have scanned my machine numerous times and no infections

If i do a google search in chrome, after selecting a few search results i get re-directed to:

http://shoppinghornet.com
and
http://r.looksmart.com/og/pr=Psr;ro=1;rc=1;digest=ee8c0929282ce8e53a23d81fd3feaaed;kid=0818f1332844e668683fe2f12eb376c0;t=1328767803;v=8;data=JtRKnbb9OmVteivnoazq9gvMpw_fBRz1PdCJHc796HD1UJT4L4eiuvM6-5FVjfLuQuXeunZJBlOJgJJjFm-ymI-kucI4WM_Xg27VqWukqXJIwieQerRJLoj0DhinHAT9SnF5cAYTH5nBs3q93iIjVO_fcm6dYTAw-4rOrNvZJIdNwuxmfkZfew;uh=138x3868787693965519175;la=1294450;lm=1831041;ad=754609682;ag=764732468;kw=1562123927;qt=spider%20monkey;vr=20;lt=BM;ip=184.32.201.158;p

Not sure what is going on. Have cleared all cookies and cache info. Host files looks correct with 127.0.0.1

Please advise and thank you in advance.
Mike

BC AdBot (Login to Remove)

 


#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:28 PM

Posted 09 February 2012 - 08:46 PM

Hello Michael Barrera and welcome to BC!! :thumbsup:

My name is bloopie and I'll be happy to help you with your problems!!

Have scanned my machine numerous times and no infections

Which scans have you run? Could you post those logs here please?

We need to get a better view of your machine and it's symptoms:

What internet browser is your normal browser?

Do you use any other browser(s), and do you have the same problem with those other browsers?

==========================

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

==========================

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
==========================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Please post the logs from MBAM, aswMBR, and Gmer, as well as any logs you've already recently run in your next reply. These are important!

If you have any problems with the above, please let me know! :thumbup2:

bloopie

Edited by bloopie, 09 February 2012 - 08:47 PM.


#3 Michael Barrera

Michael Barrera
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 11 February 2012 - 10:49 AM

Hi Bloopie,

Issue is only present in Chrome which is my browser of choice. It is Chrome version 17.0.963.46 m.

Below are all logs you requested.

MalwareBytes

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.11.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Administrator :: X2 [administrator]

Protection: Disabled

2/11/2012 9:39:14 AM
mbam-log-2012-02-11 (09-39-14).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 413352
Time elapsed: 42 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Program Files (x86)\Application Updater\APPLICATIONUPDATER.EXE.del (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\lsmass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\lsmass.exe.del (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\wscntfy.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\Downloads\SoftonicDownloader_for_trojan-remover.exe (PUP.BundleOffer.Downloader.S) -> Quarantined and deleted successfully.
C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

(end)

aswMBR log:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-11 10:23:00
-----------------------------
10:23:00.449 OS Version: Windows x64 6.1.7600
10:23:00.450 Number of processors: 2 586 0x2302
10:23:00.451 ComputerName: X2 UserName:
10:23:06.150 Initialize success
10:29:11.684 AVAST engine defs: 12021100
10:29:27.295 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-5
10:29:27.298 Disk 0 Vendor: WDC_WD3200SD-01KNB0 08.05J08 Size: 305245MB BusType: 3
10:29:27.303 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
10:29:27.307 Disk 1 Vendor: Maxtor_6Y250P0 YAR41BW0 Size: 239372MB BusType: 3
10:29:27.311 Disk 2 (boot) \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP5T0L0-7
10:29:27.315 Disk 2 Vendor: WDC_WD740GD-00FLC0 33.08F33 Size: 70911MB BusType: 3
10:29:27.378 Disk 2 MBR read successfully
10:29:27.382 Disk 2 MBR scan
10:29:27.390 Disk 2 Windows XP default MBR code
10:29:27.414 Disk 2 Partition 1 00 07 HPFS/NTFS NTFS 70909 MB offset 2048
10:29:27.422 Service scanning
10:29:38.285 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
10:29:38.853 Modules scanning
10:29:38.860 Disk 2 trace - called modules:
10:29:38.881 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003ca72c0]<<sptd.sys ataport.SYS pciide.sys
10:29:38.888 1 nt!IofCallDriver -> \Device\Harddisk2\DR2[0xfffffa8004868060]
10:29:38.897 3 CLASSPNP.SYS[fffff880013cf43f] -> nt!IofCallDriver -> [0xfffffa8003c59d20]
10:29:38.905 5 ACPI.sys[fffff8800100b769] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-7[0xfffffa8004707060]
10:29:38.913 \Driver\atapi[0xfffffa8004601570] -> IRP_MJ_CREATE -> 0xfffffa8003ca72c0
10:29:43.144 AVAST engine scan C:\Windows
10:29:50.934 AVAST engine scan C:\Windows\system32
10:34:00.359 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
10:34:05.476 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
10:36:31.247 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
10:36:31.382 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
10:36:35.236 AVAST engine scan C:\Windows\system32\drivers
10:37:10.897 AVAST engine scan C:\Users\Administrator
10:40:23.390 AVAST engine scan C:\ProgramData
10:48:45.501 Scan finished successfully
10:49:01.305 Disk 2 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
10:49:01.313 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"

#4 Michael Barrera

Michael Barrera
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 11 February 2012 - 12:34 PM

GMER Logs:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-11 12:32:58
Windows 6.1.7600
Running: hortsi91.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----





Combo Fix Log:


ComboFix 12-02-08.02 - Administrator 02/09/2012 0:49.1.2 - x64
Microsoft Black 7 VIII 6.1.7600.0.1252.1.1033.18.4096.2357 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\directory\CyberGate
c:\programdata\wscntfy.exe
c:\users\Administrator\AppData\Roaming\Administratorlog.dat
c:\users\Administrator\AppData\Roaming\WINSYS32
c:\users\Administrator\g2mdlhlpx.exe
c:\windows\system32\consrv.dll
c:\windows\System64
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-08 00:33 . 2012-02-09 05:57 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-24 22:52 . 2012-01-24 22:53 263120394 ----a-w- C:\RegBackup.reg
2012-01-24 21:33 . 2012-01-24 21:33 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-24 20:50 . 2012-01-24 20:50 -------- d-----r- C:\comment.htt
2012-01-24 19:22 . 2012-01-07 04:38 30720 ---h--w- c:\program files (x86)\Common Files\lsmass.exe
2012-01-24 16:56 . 2012-01-24 17:44 39192 ----a-w- c:\windows\system32\Partizan.exe
2012-01-24 16:50 . 2012-01-24 16:50 2 --shatr- c:\windows\winstart.bat
2012-01-24 16:49 . 2012-01-23 22:01 12800 ----a-w- c:\windows\SysWow64\drivers\UnHackMeDrv.sys
2012-01-24 16:49 . 2012-02-07 03:53 -------- d-----w- c:\program files (x86)\UnHackMe
2012-01-24 16:09 . 2012-01-24 16:09 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-01-19 21:22 . 2012-02-07 03:55 -------- d-----w- c:\program files (x86)\Application Updater
2012-01-19 21:09 . 2012-01-19 21:09 -------- d-----w- c:\programdata\IObit
2012-01-19 03:46 . 2012-01-19 03:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\IObit
2012-01-19 03:46 . 2012-01-24 18:17 -------- d-----w- c:\program files (x86)\IObit
2012-01-19 03:38 . 2006-06-19 17:01 69632 ----a-w- c:\windows\SysWow64\ztvcabinet.dll
2012-01-19 03:38 . 2006-05-25 19:52 162304 ----a-w- c:\windows\SysWow64\ztvunrar36.dll
2012-01-19 03:38 . 2005-08-26 05:50 77312 ----a-w- c:\windows\SysWow64\ztvunace26.dll
2012-01-19 03:38 . 2003-02-03 00:06 153088 ----a-w- c:\windows\SysWow64\unrar3.dll
2012-01-19 03:38 . 2002-03-06 05:00 75264 ----a-w- c:\windows\SysWow64\unacev2.dll
2012-01-19 03:38 . 2012-01-19 03:38 -------- d-----w- c:\users\Administrator\AppData\Roaming\Simply Super Software
2012-01-19 03:38 . 2012-01-19 03:38 -------- d-----w- c:\programdata\Simply Super Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 04:13 . 2011-07-06 12:16 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-01-25 . E0ABC4E94E734604A2244273784FD4CB . 2870784 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16457_none_adcc0af793535168\explorer.exe
[7] 2010-01-25 . 90BD96C123F672C49CB5E1C7854FDFC0 . 2870784 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20570_none_ae3905e4ac8777b3\explorer.exe
[7] 2010-01-25 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[7] 2010-01-25 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[7] 2010-01-25 . 6D4F9E4B640B413C6F73414327484C80 . 2868736 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_addea9f19345cd81\explorer.exe
[7] 2010-01-25 . CA17F8620815267DC838E30B68CB5052 . 2868736 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_ae5b763cac6d568e\explorer.exe
[7] 2010-01-25 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[7] 2010-01-25 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[-] 2010-01-24 . ABC407B213AF7EB5A8EB886CC0298423 . 2870784 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[-] 2009-12-08 . F01061D5F4E76C5238EDEF3220B11B70 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Administrator\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-01-11 13224448]
"GoToMeeting"="c:\program files (x86)\Citrix\GoToMeeting\799\g2mstart.exe" [2012-01-11 39816]
"Sidebar"="c:\program files (x86)\Windows Sidebar\Sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2011-09-28 1039872]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"ClamWin"="c:\program files (x86)\ClamWin\bin\ClamTray.exe" [2011-10-22 86016]
"EaseUs Tray"="c:\program files (x86)\EASEUS\Todo Backup\bin\TrayNotify.exe" [2011-04-26 733576]
"EaseUs Watch"="c:\program files (x86)\EASEUS\Todo Backup\bin\EuWatch.exe" [2011-04-22 69000]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"NVMixerTray"="c:\program files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTg5NzUxNjQxLUZQOSs1LUJBUjlPKzEtRkwrOS1RSVgxKzQtWDIwMTArMi1MSUMrMjItU1AxKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCswLUxTRCsy&prod=90&ver=10.0.1392" [?]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 c2wts;Claims to Windows Token Service;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe [2010-01-25 13080]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [x]
S0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [x]
S0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [x]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
S2 EASEUS Agent;EASEUS Agent;c:\program files (x86)\EASEUS\Todo Backup\bin\Agent.exe [2011-04-22 56200]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2011-05-30 301720]
S3 EUDISK;EASEUS Disk Enumerator;c:\windows\system32\drivers\eudisk.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1950702314-4000070732-820005752-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-01 00:53]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1950702314-4000070732-820005752-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-01 00:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-11-11 08:36 405504 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-11-11 08:36 405504 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-11-11 08:36 405504 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-11-11 08:36 405504 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-09-03 444856]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 2114376]
"SoundMan"="SOUNDMAN.EXE" [2009-03-10 604704]
"combofix"="c:\combofix\CF20731.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
penclass
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
LSP: mswsock.dll
TCP: DhcpNameServer = 10.1.1.1
DPF: {E87A4CD6-BA5F-4552-BC4F-8EC240A2755C} - hxxp://216.199.215.243/webrec.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{2be15141-5d7c-44e4-a3bf-3196d5c46d60} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKLM-Run-Windows-Audio Driver - c:\programdata\wscntfy.exe
HKLM_Wow6432Node-ActiveSetup-{8202FC64-5140-6A19-829F-282C0C14D35D} - c:\programdata\wscntfy.exe
WebBrowser-{2BE15141-5D7C-44E4-A3BF-3196D5C46D60} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,51,1f,97,98,5c,00,f4,41,a5,f6,67,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,51,1f,97,98,5c,00,f4,41,a5,f6,67,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,f6,90,24,4e,59,84,49,bc,1f,87,\
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3fr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ac3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.ac3"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.divx"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.dts"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.epub\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Photoshop.exe"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.flv"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdmov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.hdmov"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hol\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.hol"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ibc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.ibc"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ica\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wfica32.exe"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ics\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.ics"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mka\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.mka"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.mkv"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.mpls"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.mpv4"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.msg"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nfo\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.oga\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.oga"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.ogg"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.ogm"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.ogv"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.old\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ra\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.ra"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.rm"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="KLCP64.WMP.rmvb"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.vcf"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcs\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Outlook.File.vcs"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.x3f\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Google.PhotoViewer.3.0"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-1950702314-4000070732-820005752-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\windows\SOUNDMAN.EXE
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\Citrix\GoToMeeting\799\g2mcomm.exe
c:\program files (x86)\Citrix\GoToMeeting\799\g2mlauncher.exe
.
**************************************************************************
.
Completion time: 2012-02-09 01:01:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 06:01
.
Pre-Run: 35,475,927,040 bytes free
Post-Run: 35,318,312,960 bytes free
.
- - End Of File - - D3394777DC2829F5859F2953387DEF3C

#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:28 PM

Posted 11 February 2012 - 12:34 PM

Hi again, :)

First, I must warn you that running Combofix without the assistance of a trained helper is not recommended. Combofix is a very powerful tool and if used incorrectly could render your computer unbootable. Please read the forum rules at the top of this thread. Combofix logs are not to be posted in this forum.

It seems your redirect issue is being caused by a nasty rootkit.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


bloopie

Edited by bloopie, 11 February 2012 - 01:00 PM.


#6 Michael Barrera

Michael Barrera
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 12 February 2012 - 12:20 AM

Hi Bloopie,

SO i have tried your recommendation on installing Disable your CD Emulation Software, but when i do that and restart my PC Blue Screens with a stop code of c0000135, the program cannot start because %hr is missing from the computer. Try re-installing the program to fix the problem. At that point i have to go back to a System Recovery Point. Lets say I skip that step, when i try to download the DDS tool, it basically is not letting me do so. I have even tried same from other sites.

Please advise.

Thanks in advance,
Mike

#7 Michael Barrera

Michael Barrera
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 12 February 2012 - 12:56 AM

OK i was able to find the DDS.scr file else where and download it. I have posted logs you requested at http://www.bleepingcomputer.com/forums/topic442320.html/page__gopid__2594130#entry2594130

The BSOD has me somewhat worried.

#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:28 PM

Posted 12 February 2012 - 12:33 PM

Hi again,

Not to worry, you're in good hands! :thumbup2:

Good luck!

bloopie

#9 hamluis

hamluis

    Moderator


  • Moderator
  • 55,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:28 AM

Posted 12 February 2012 - 12:52 PM

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users