Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search redirect


  • This topic is locked This topic is locked
6 replies to this topic

#1 TaraT

TaraT

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 22 March 2012 - 08:56 AM

I get a redirect from google searches, and Microsoft Security Essentials has removed DOS/Alureon.E, BlascoleRef.AL, Win32/Cleaman.G, and Win32/FakeRean.

Thanks for your help!
Tara

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Tara at 21:44:47 on 2012-03-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7935.5752 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\GPU Boost Driver\GpuBoostServer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\vVX3000.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\MultiScreen\MultiScreen.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Tara\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\ASUS\EPU\EPU.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [MultiScreen] C:\Program Files (x86)\MultiScreen\MultiScreen.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Six Engine] "C:\Program Files (x86)\ASUS\EPU\EPU.exe" -b
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [rsscs] C:\ProgramData\rsscs.exe
mRun: [Adaptermob] C:\Windows\system32\config\systemprofile\AppData\Roaming\Adaptermob.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Cobian Backup 11 interface] "C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe" -service
dRun: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
dRun: [rsscs] C:\ProgramData\rsscs.exe
dRun: [Adaptermob] C:\Windows\system32\config\systemprofile\AppData\Roaming\Adaptermob.exe
dRun: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll",DllRegisterServer
StartupFolder: C:\Users\Tara\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Tara\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Tara\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{BD7273DA-48AD-4CC9-A1FE-0FA0B5DFAA5B}\035324430323138353938383 : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO-X64: WeCareReminder - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Six Engine] "C:\Program Files (x86)\ASUS\EPU\EPU.exe" -b
mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [rsscs] C:\ProgramData\rsscs.exe
mRun-x64: [Adaptermob] C:\Windows\system32\config\systemprofile\AppData\Roaming\Adaptermob.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Cobian Backup 11 interface] "C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe" -service
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 94.63.147.17
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111201&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54040
FF - prefs.js: network.proxy.type - 4
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-3-5 235752]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-20 652360]
R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\system32\DRIVERS\RtNdPt60.sys --> C:\Windows\system32\DRIVERS\RtNdPt60.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AODDriver;AODDriver;C:\Program Files\ASUS\GPU Boost Driver\amd64\aoddriver.sys [2010-12-8 52280]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe --> C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);C:\Windows\system32\DRIVERS\RtTeam60.sys --> C:\Windows\system32\DRIVERS\RtTeam60.sys [?]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);C:\Windows\system32\DRIVERS\RtVlan60.sys --> C:\Windows\system32\DRIVERS\RtVlan60.sys [?]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);C:\Windows\system32\DRIVERS\RtTeam60.sys --> C:\Windows\system32\DRIVERS\RtTeam60.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
3/22/2012 4:24
3/22/2012 4:18
3/22/2012 3:26
3/22/2012 1:30
3/21/2012 1:48
3/21/2012 1:45
3/21/2012 1:36
3/21/2012 1:36
3/21/2012 1:36
3/21/2012 1:36
3/14/2012 17:19
3/14/2012 17:19
3/10/2012 21:03
3/10/2012 21:03
3/10/2012 21:03
3/6/2012 2:35
3/6/2012 2:35
.
==================== Find3M ====================
.
2/15/2012 19:01
2/15/2012 19:01
1/29/2012 13:10
1/14/2012 4:06
1/5/2012 22:57
1/4/2012 10:44
1/4/2012 8:58
12/30/2011 6:26
12/30/2011 5:27
12/28/2011 3:59
.
============= FINISH: 21:45:53.80 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-21 23:39:17
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\younghollywood[1].htm 565 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\icon_googleplus[1].png 1820 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\fetch_jquery_video[2].htm 9209 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\fetch_jquery_video[3].htm 13061 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\FiveminCookieCache[2].js 60 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\search[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\ab[1].htm 855 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B115SPFT\typography[2].css 6656 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FTLCK2Y3\younghollywood[1].htm 1217 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\icon_twitter[1].png 1756 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\icon_youtube[1].png 2286 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\fetch_jquery_video[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\ui-bg_highlight-hard_15_888888_1x100[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\ui-bg_inset-soft_15_121212_1x100[1].png 103 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\womenshealthbase_com[1].htm 102070 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7F42HH3\younghollywood_logo_255[1].png 59293 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0B1NA0ZU.txt 161 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\13RCHVLN.txt 1628 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\31O6CLDT.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\48HASGPS.txt 1066 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9SJ2LVBS.txt 1198 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\B7HA5OKJ.txt 1283 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BCEM0J5T.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\EBSVKRE1.txt 1049 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KO2DWHZT.txt 657 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\LOJK7W90.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\SNYQ7RZC.txt 685 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TY8G04CF.txt 0 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 23 March 2012 - 12:15 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

1.Do not run any other tool untill instructed to do so!
doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools
and at worst can cause conficts with our tools and lead to unforseen things to happen2.Please Do not Attach logs or put in code boxes.
besides the time it takes me to open the reports it makes it harder to find something if I need to go back to do more research and putting them in code boxes just makes them so hard to read3. After each step give me a little feedback
It does not need to be long but just something so I know how things are going it can be something like
I am still getting redirected
The computer is running as it should
Don't put things like - it is the same as before or still the same this just makes me go back and look for you last feedback as to how things are4. read every post completely before doing anything
Pay special attention to the Notes** I have put in
These are things I have found that happen allot and can be taken care of easily just by reading the Notes**

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet spend a few minutes to backup any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me allot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

you may want to backup the whole harddrive there is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 TaraT

TaraT
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 23 March 2012 - 11:42 AM

Hi Gringo- Thanks for your help.

While running ComboFix my computer bluescreened. I restarted in safemode with networking, but it bluescreen again. I restarted in safemode (this time without networking) and that time ComboFix was able to finish running. After the restart I was getting the error "Illegal operation attempted on a registery key that has been marked for deletion."- I restarted and I am no longer having that problem. I am still getting redirected on link when I do google searches. Thanks!

Tara


ComboFix 12-03-22.01 - Tara 03/23/2012 9:12.2.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7935.7150 [GMT -7:00]
Running from: c:\users\Tara\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Norton Internet Security *Enabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\2967\3A80.tmp
c:\program files (x86)\LP\2967\6D93.tmp
c:\program files (x86)\LP\2967\BA3.tmp
c:\program files (x86)\LP\2967\D54B.tmp
c:\program files (x86)\LP\2967\E6C6.tmp
c:\programdata\~sZutUqjd6mbR6l
c:\programdata\~sZutUqjd6mbR6lr
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\programdata\sZutUqjd6mbR6l
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.xul
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldropdown.xul
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_images.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_maps.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_news.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_videos.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_web.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_amazon.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_ebay.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_facebook.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_games.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_msn.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_shopping.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_travel.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_twitter.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\startnow_logo.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\installer.xml
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\index.html
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\NotIE6.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\OnlyIE6.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\SearchProtectIcon.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\Web.config
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\index.html
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\LeftImage.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\NotIE6.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\OnlyIE6.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.js
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\chevron_button.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_hover.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_normal.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_dropdown_button_normal.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_background.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_left.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_middle.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\separator.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\splitter.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ff_hover_c.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_c.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_l.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_r.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_c.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_l.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_r.png
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\toolbar.xml
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{5911488E-9D1E-40ec-8CBB-06B231CC153F}.dtd
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{f974bc40-478e-4541-9326-99c95d77b0f0}
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{f974bc40-478e-4541-9326-99c95d77b0f0}\chrome\xulcache.jar
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\extensions\{f974bc40-478e-4541-9326-99c95d77b0f0}\install.rdf
c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\searchplugins\bing-zugo.xml
c:\windows\svchost.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
#NAME?
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 16:19 . 2012-03-23 16:19
2012-03-23 14:38 . 2012-03-23 14:38
2012-03-23 14:00 . 2012-03-23 14:00
2012-03-23 14:00 . 2012-03-23 14:00
2012-03-23 02:47 . 2012-03-23 07:41
2012-03-23 02:40 . 2012-03-14 03:27
2012-03-22 04:24 . 2012-03-22 04:24
2012-03-21 01:48 . 2012-03-21 01:48
2012-03-21 01:45 . 2012-03-21 01:48
2012-03-21 01:36 . 2012-03-21 01:36
2012-03-21 01:36 . 2012-03-21 01:36
2012-03-21 01:36 . 2012-03-21 01:36
2012-03-21 01:36 . 2011-12-10 22:24
2012-03-14 17:19 . 2012-02-10 06:36
2012-03-14 17:19 . 2012-02-17 05:34
2012-03-10 21:03 . 2012-03-19 17:07
2012-03-10 21:03 . 2012-03-19 17:07
2012-03-10 21:03 . 2012-03-19 17:07
2012-03-06 02:35 . 2012-03-06 02:35
2012-03-06 02:35 . 2012-03-06 02:35
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 03:27 . 2010-12-17 15:25
2012-02-15 19:01 . 2012-02-15 19:01
2012-02-15 19:01 . 2012-02-15 19:01
2012-02-14 15:17 . 2012-02-14 15:18
2012-02-09 05:00 . 2012-02-09 05:00
2012-02-09 05:00 . 2012-02-09 05:00
2012-01-29 13:10 . 2010-12-16 15:10
2012-01-14 04:06 . 2012-02-16 04:46
2012-01-05 22:57 . 2012-01-05 22:57
2012-01-04 10:44 . 2012-02-16 04:46
2012-01-04 08:58 . 2012-02-16 04:46
2011-12-30 06:26 . 2012-02-16 04:46
2011-12-30 05:27 . 2012-02-16 04:46
2011-12-28 03:59 . 2012-02-16 04:46
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sidebar="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
MultiScreen="c:\program files (x86)\MultiScreen\MultiScreen.exe" [2009-08-11 303104]
MobileDocuments="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
SUPERAntiSpyware="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
Six Engine="c:\program files (x86)\ASUS\EPU\EPU.exe" [2010-06-14 5309056]
BCU="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2010-03-05 411864]
NUSB3MON="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
StartCCC="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 98304]
GrooveMonitor="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
AdobeCS5ServiceManager="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
SunJavaUpdateSched="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
RIMBBLaunchAgent.exe="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
Adobe ARM="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
APSDaemon="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
QuickTime Task="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
DivXUpdate="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
iTunesHelper="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
Malwarebytes' Anti-Malware="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
Cobian Backup 11 interface="c:\program files (x86)\Cobian Backup 11\cbInterface.exe" [2012-03-21 4414976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
Update="c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll" [2012-03-12 312832]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
FlashPlayerUpdate="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-12-28 233936]
.
c:\users\Tara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Tara\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
ConsentPromptBehaviorAdmin= 5 (0x5)
ConsentPromptBehaviorUser= 3 (0x3)
EnableUIADesktopToggle= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-03-05 235752]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AODDriver;AODDriver;c:\program files\ASUS\GPU Boost Driver\amd64\AODDriver.sys [2010-03-12 52280]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [x]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\At10.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At12.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At14.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At16.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At18.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At2.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At20.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At22.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At24.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At26.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At28.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At30.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At32.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At34.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At36.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At38.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At4.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At40.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At42.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At44.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At46.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At48.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At50.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At52.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At54.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At56.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At58.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At6.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At60.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At62.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At64.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At66.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At68.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At70.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At72.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At74.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At76.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At78.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At8.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At80.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At82.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At84.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At86.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At88.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At90.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At92.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At94.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
2012-03-23 c:\windows\Tasks\At96.job
- c:\windows\system32\GQ4A4.com_ [2012-03-23 07:41]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2/18/2011 5:12
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RtHDVCpl="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-06 11057768]
AdobeAAMUpdater-1.0="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
MSC="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
VX3000="c:\windows\vVX3000.exe" [2010-05-20 762736]
combofix="c:\combofix\CF19849.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
LoadAppInit_DLLs=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Tara\AppData\Roaming\Mozilla\Firefox\Profiles\i1c9dntu.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111201&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54040
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-StartNowToolbarHelper - c:\program files (x86)\StartNow Toolbar\ToolbarHelper.exe
Wow6432Node-HKLM-Run-rsscs - c:\programdata\rsscs.exe
Wow6432Node-HKLM-Run-Adaptermob - c:\windows\system32\config\systemprofile\AppData\Roaming\Adaptermob.exe
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
Wow6432Node-HKU-Default-Run-rsscs - c:\programdata\rsscs.exe
Wow6432Node-HKU-Default-Run-Adaptermob - c:\windows\system32\config\systemprofile\AppData\Roaming\Adaptermob.exe
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
{326E768D-4182-46FD-9C16-1449A49795F4}=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,
36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
{9030D464-4C02-4ABF-8ECC-5164760863C6}=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
{9FDDE16B-836F-4806-AB1F-1455CBEFF289}=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}=hex:51,66,7a,6c,4c,1d,38,12,b0,f3,37,
dc,52,73,39,0a,e1,a7,25,43,3b,93,ce,af
{DBC80044-A445-435B-BC74-9C25C1C588A9}=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
{FF059E31-CC5A-4E2E-BF3B-96E929D65503}=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
Timestamp=hex:55,35,cc,29,a0,08,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
LocalizedString="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
Enabled=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
ThreadingModel="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
ThreadingModel="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
Version="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
BlindDial=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\ASUS\GPU Boost Driver\GpuBoostServer.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-03-23 09:29:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-23 16:29
.
Pre-Run: 676,902,842,368 bytes free
Post-Run: 681,290,551,296 bytes free
.
- - End Of File - - C9167BF1C3FA5DEFF6E76721E816CD8E

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 23 March 2012 - 03:45 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
AtJob::
File::
c:\windows\system32\GQ4A4.com_

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 26 March 2012 - 08:55 AM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 28 March 2012 - 11:19 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:46 AM

Posted 31 March 2012 - 11:24 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users