Easy A-Z redirect, redirects some google searches


  • This topic is locked
5 replies to this topic

#1 incasub

  • Members
  • 4 posts

Posted 10 May 2012 - 01:19 PM

I've got some sort of redirect going on. Every so often, but not all the time, a Google search from within Chrome gets redirected to Easy A-Z. I started noticing this yesterday.
Every so often my Microsoft Security Essentials found something in ProgramData and deleted it; I then went in and deleted the folder c:\ProgramData\randomfoldername. It says it's successful, but the redirects keep happening.


Running Windows 7 Ultimate 64 bit version.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by dan at 19:04:34 on 2012-05-10
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3837.1071 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSvcm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Users\dan\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe
C:\Users\dan\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\dan\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\BrillKids\Startup Agent\Startup Agent.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\regedit.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Lync Browser Helper: {31d09ba0-12f5-4cce-be8a-2923e76605da} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Google Update] "C:\Users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [Akamai NetSession Interface] "C:\Users\dan\AppData\Local\Akamai\netsession_win.exe"
uRun: [WLSync] "C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe" /background
uRun: [Eye-Fi] "C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe"
uRun: [Startup Agent] C:\Program Files (x86)\BrillKids\Startup Agent\SALauncher.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
StartupFolder: C:\Users\dan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\dan\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\dan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: sharepoint.com\mediascience
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/UK/TechConsole/x86/RescueControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=724
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{0FDB2589-8B8F-4F3B-8667-054B49AB687C} : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{756EE200-DD23-4929-A0AC-5DD79AC49923} : DhcpNameServer = 8.8.8.8 8.8.4.4
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\COMMON~1\Dell\KONTAI~1\AviLdr.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO-X64: Lync add-on BHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
mRun-x64: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
AppInit_DLLs-X64: C:\PROGRA~2\COMMON~1\Dell\KONTAI~1\AviLdr.DLL
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-14 20992]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 231280]
R2 esClient;Windows Media Center Client Service;C:\Program Files\Windows Home Server\esClient.exe [2011-1-10 109936]
R2 HPMSSConnectorSvc;HPMSSConnectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-5 20992]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-1-31 375176]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-9-16 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 MediaCollectorService;MediaCollectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-5 81920]
R2 msoidsvc;Microsoft Online Services Sign-in Assistant;C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-9-28 2078112]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-4-12 204296]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-4-12 69640]
R2 NovacomD;Palm Novacom;C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-3-15 71168]
R2 WHSConnector;Windows Home Server Connector Service;C:\Program Files\Windows Home Server\WHSConnector.exe [2011-1-10 489840]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 nskbfltr;nskbfltr;\??\C:\Windows\system32\drivers\nskbfltr.sys --> C:\Windows\system32\drivers\nskbfltr.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-24 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-24 257696]
S3 CH341SER_A64;CH341SER_A64;C:\Windows\system32\Drivers\CH341S64.SYS --> C:\Windows\system32\Drivers\CH341S64.SYS [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-2-14 30192]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-24 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2012-05-10 17:40:56 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0DA21F0A-232D-4146-82C5-E362708E4582}\offreg.dll
2012-05-10 17:26:31 388096 ----a-r- C:\Users\dan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-10 17:26:28 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-05-10 08:17:35 -------- d-----w- C:\Users\dan\AppData\Local\{F5FAA306-A80D-4085-8087-E979CF756828}
2012-05-10 08:17:09 -------- d-----w- C:\Users\dan\AppData\Local\{043CE08E-3975-44FD-9791-7955BE6C01A1}
2012-05-09 15:07:04 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0DA21F0A-232D-4146-82C5-E362708E4582}\mpengine.dll
2012-05-09 14:59:00 -------- d-----w- C:\Users\dan\AppData\Local\{270C5F0F-290D-4282-B9D0-0D5BAB3B24D8}
2012-05-09 14:58:46 -------- d-----w- C:\Users\dan\AppData\Local\{C9756CF1-58A1-45D9-927E-971795AA829B}
2012-05-08 09:21:46 -------- d-----w- C:\Users\dan\AppData\Local\{24C5CA73-3867-49EC-8FE5-8CDD5F1649CD}
2012-05-08 09:21:32 -------- d-----w- C:\Users\dan\AppData\Local\{155DA6AD-CF68-4BEA-881B-CBD30EFD58E7}
2012-05-07 18:14:14 -------- d-----w- C:\Users\dan\AppData\Local\{36E46024-2924-4BDC-906B-ECF88E320A9E}
2012-05-04 11:08:06 -------- d-----w- C:\Users\dan\AppData\Local\{AC968896-2931-4B9F-8E4D-D0582178D6A8}
2012-05-04 11:07:42 -------- d-----w- C:\Users\dan\AppData\Local\{667B4140-FE00-48F5-A4B4-56D92DAF9F09}
2012-05-03 16:37:30 -------- d-----w- C:\Users\dan\AppData\Local\{C19D7E6F-1ED3-4B32-A9EB-AC3E4428B16C}
2012-05-03 16:37:15 -------- d-----w- C:\Users\dan\AppData\Local\{769038A0-D093-4A61-BAFA-54637F7FE496}
2012-05-02 20:00:03 -------- d-----w- C:\Users\dan\AppData\Local\{8CB8AF6A-B802-4314-99C6-7CC4887E0014}
2012-05-02 19:59:49 -------- d-----w- C:\Users\dan\AppData\Local\{34A01806-A667-4384-8809-CA974B3A51C8}
2012-04-30 21:14:21 -------- d-----w- C:\Users\dan\AppData\Local\{8511E0F0-9303-11E1-826D-B8AC6F996F26}
2012-04-30 20:32:05 -------- d-----w- C:\Users\dan\AppData\Local\{57B83F31-F9BA-4E34-8502-47838578702D}
2012-04-30 20:31:36 -------- d-----w- C:\Users\dan\AppData\Local\{FAFDA31E-6418-4F12-9DBA-6745CC65FAA9}
2012-04-30 07:39:54 -------- d-----w- C:\Users\dan\AppData\Local\{C814243B-E69B-45C5-A15B-8670854FC1C6}
2012-04-29 19:39:07 -------- d-----w- C:\Users\dan\AppData\Local\{42E8A99A-EEF6-448F-A59E-B3FC7E3A7D00}
2012-04-29 07:38:22 -------- d-----w- C:\Users\dan\AppData\Local\{3E86CEEE-612E-4101-9817-EA4E64B99BD3}
2012-04-28 19:37:47 -------- d-----w- C:\Users\dan\AppData\Local\{D4568D4A-93F7-4204-BB32-4E4AA4197A31}
2012-04-28 08:27:29 98816 ----a-w- C:\Windows\System32\wudriver.dll
2012-04-28 08:27:17 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-04-28 08:27:17 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2012-04-28 08:26:43 2621440 ----a-w- C:\Windows\System32\wucltux.dll
2012-04-28 08:25:43 -------- d-----w- C:\c21709a8d6fbb17ec1b5f4
2012-04-28 08:25:30 59776 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMIproc.dll
2012-04-28 08:25:30 34688 ----a-w- C:\Windows\System32\LMIport.dll
2012-04-28 08:25:29 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2012-04-28 08:25:29 72216 ----a-w- C:\Windows\System32\drivers\LMIRfsDriver.sys
2012-04-28 08:25:25 80768 ----a-w- C:\Windows\System32\LMIinit.dll
2012-04-28 08:25:04 -------- d-----w- C:\Program Files (x86)\LogMeIn
2012-04-28 07:37:10 -------- d-----w- C:\Users\dan\AppData\Local\{7D029536-2F39-486D-89AB-E52077F9F86C}
2012-04-28 07:36:47 -------- d-----w- C:\Users\dan\AppData\Local\{EFB63FA7-3FD3-4743-88EE-33232C92314C}
2012-04-28 02:39:05 -------- d-----w- C:\Program Files (x86)\GetData
2012-04-27 19:36:20 -------- d-----w- C:\Users\dan\AppData\Local\{49D30BDD-DC16-4264-8FC6-B19EC1316246}
2012-04-27 19:35:59 -------- d-----w- C:\Users\dan\AppData\Local\{070CD34A-C92E-4C50-A26B-0FFA3B0DC985}
2012-04-26 08:32:10 -------- d-----w- C:\Users\dan\AppData\Local\{C8C5EC24-0E6C-4DE6-9630-31D7BAAF50D5}
2012-04-26 08:31:47 -------- d-----w- C:\Users\dan\AppData\Local\{8B344699-4E11-4842-9564-4503B343B037}
2012-04-25 20:31:19 -------- d-----w- C:\Users\dan\AppData\Local\{21B924E4-0E96-4C54-A192-E34BC0E42839}
2012-04-25 08:30:40 -------- d-----w- C:\Users\dan\AppData\Local\{223DDE37-F70F-4092-AFE4-C91BB744FEF5}
2012-04-25 08:30:29 -------- d-----w- C:\Users\dan\AppData\Local\{5169BF6A-D694-4295-8AE4-DBC8C98B0CA6}
2012-04-24 07:53:08 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-24 07:16:19 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-24 07:16:08 -------- d-----w- C:\Users\dan\AppData\Local\{4DF4FB10-5E9E-4450-85CC-98BF0A8392FE}
2012-04-24 07:15:20 -------- d-----w- C:\Users\dan\AppData\Local\{AAF9DF7F-4779-4AC4-BC66-447F0206F6FB}
2012-04-23 08:29:15 -------- d-----w- C:\Users\dan\AppData\Local\{301E0F88-13CB-4C3A-A016-3FD6B89E7B8C}
2012-04-23 08:29:02 -------- d-----w- C:\Users\dan\AppData\Local\{587C03C8-E5B1-49A3-A0A8-C163361AA5C1}
2012-04-20 08:09:29 -------- d-----w- C:\Users\dan\AppData\Local\{796FD0A4-8524-4AE2-8EE1-45C285BDC123}
2012-04-20 08:09:14 -------- d-----w- C:\Users\dan\AppData\Local\{E17E3372-AA3B-42D3-BD74-8FE6F351D7C5}
2012-04-19 10:54:48 -------- d-----w- C:\Users\dan\AppData\Local\{592B1D0D-4ACB-41FA-9E6F-8FFBDE843568}
2012-04-19 10:54:34 -------- d-----w- C:\Users\dan\AppData\Local\{4BDBC58F-913F-4457-998A-082F77CFBF42}
2012-04-16 10:06:28 -------- d-----w- C:\Users\dan\AppData\Local\{BB6FB6E4-6F6D-47E2-BF28-2E7FF0E4C36B}
2012-04-16 10:06:06 -------- d-----w- C:\Users\dan\AppData\Local\{030E61FD-C064-4377-A819-0C51D5B78BDB}
2012-04-15 22:33:54 29704 ----a-w- C:\Windows\System32\nitrolocalmon2.dll
2012-04-15 22:33:54 17928 ----a-w- C:\Windows\System32\nitrolocalui2.dll
2012-04-15 22:33:18 -------- d-----w- C:\Program Files\Common Files\Nitro PDF
2012-04-15 22:33:16 -------- d-----w- C:\Program Files (x86)\Nitro PDF
2012-04-15 22:33:16 -------- d-----w- C:\Program Files (x86)\Common Files\Nitro PDF
2012-04-15 22:32:17 -------- d-----w- C:\Users\dan\AppData\Roaming\Downloaded Installations
2012-04-15 22:05:32 -------- d-----w- C:\Users\dan\AppData\Local\{0BD7F2B5-009E-46E2-91D6-881499C83C25}
2012-04-15 22:05:18 -------- d-----w- C:\Users\dan\AppData\Local\{07DEE810-B033-4208-A10D-B6AADE7D149A}
2012-04-14 09:40:25 -------- d-----w- C:\Users\dan\AppData\Local\{800127A8-F1F1-4610-993E-E7AFDCA78575}
2012-04-14 09:40:11 -------- d-----w- C:\Users\dan\AppData\Local\{4AAB3DDD-3BBA-47C4-9254-B9CABEFE925C}
2012-04-13 08:20:40 -------- d-----w- C:\Users\dan\AppData\Local\{D14CD2F1-7525-445F-842A-61662D3B5CDD}
2012-04-13 08:20:11 -------- d-----w- C:\Users\dan\AppData\Local\{51A0E56F-8D6C-466C-A70F-7A8E51A08C3B}
2012-04-12 08:27:19 -------- d-----w- C:\Users\dan\AppData\Local\{7E3ED28A-D946-4631-927C-76520C1BA2DE}
2012-04-12 08:26:47 -------- d-----w- C:\Users\dan\AppData\Local\{35565F17-BD6C-41E8-A606-606C6BF142F7}
2012-04-12 04:27:08 69640 ----a-w- C:\Windows\SysWow64\NLSSRV32.EXE
2012-04-11 22:32:44 5504880 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-11 22:32:43 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-11 22:32:42 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-11 22:29:17 80896 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 22:29:17 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 22:29:17 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 22:29:17 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 22:29:11 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 22:29:10 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 22:29:10 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-11 20:07:52 -------- d-----w- C:\Users\dan\AppData\Local\{1E990421-0DB5-40F9-BD26-35CC184F35E3}
2012-04-11 20:07:27 -------- d-----w- C:\Users\dan\AppData\Local\{73813545-363A-4555-852B-6878017ED04C}
2012-04-11 08:06:50 -------- d-----w- C:\Users\dan\AppData\Local\{7DB9E7AB-F6AB-4EC7-B42C-110F4201296B}
2012-04-11 08:06:35 -------- d-----w- C:\Users\dan\AppData\Local\{B04B9023-B93C-4E0D-9089-3D5750718DA7}
.
==================== Find3M ====================
.
2012-05-07 19:54:00 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-04 14:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-22 19:12:12 4435968 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2012-03-08 17:37:20 302448 ----a-w- C:\Windows\WLXPGSS.SCR
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-15 06:27:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-15 05:44:57 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-15 04:47:21 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-15 04:46:59 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-14 11:09:44 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
.
============= FINISH: 19:05:39.08 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 May 2012 - 03:22 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 incasub

  • Topic Starter
  • Members
  • 4 posts

Posted 10 May 2012 - 04:18 PM

Here's my ComboFix log - will test the machine tomorrow or over the weekend.



ComboFix 12-05-10.04 - dan 10/05/2012 21:58:55.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3837.2416 [GMT 1:00]
Running from: c:\users\dan\Desktop\CombiFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1324585887.bdinstall.bin
c:\programdata\1324586907.bdinstall.bin
c:\users\dan\Desktop\Setup.exe
c:\windows\SysWow64\office.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-10 to 2012-05-10 )))))))))))))))))))))))))))))))
.
.
2012-05-10 21:05 . 2012-05-10 21:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-10 20:44 . 2012-05-10 20:44 -------- d-----w- C:\Windows Home Server Drivers for Restore
2012-05-10 17:26 . 2012-05-10 17:26 388096 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-10 17:26 . 2012-05-10 17:26 -------- d-----w- c:\program files (x86)\Trend Micro
2012-05-09 15:07 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0DA21F0A-232D-4146-82C5-E362708E4582}\mpengine.dll
2012-04-30 21:14 . 2012-04-30 21:14 -------- d-----w- c:\users\dan\AppData\Local\{8511E0F0-9303-11E1-826D-B8AC6F996F26}
2012-04-28 08:27 . 2009-08-07 02:24 38112 ----a-w- c:\windows\system32\wups.dll
2012-04-28 08:27 . 2009-08-07 02:23 700640 ----a-w- c:\windows\system32\wuapi.dll
2012-04-28 08:27 . 2009-08-07 01:59 98816 ----a-w- c:\windows\system32\wudriver.dll
2012-04-28 08:27 . 2009-08-06 18:23 185416 ----a-w- c:\windows\system32\wuwebv.dll
2012-04-28 08:27 . 2009-08-06 17:59 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-04-28 08:26 . 2009-08-07 02:24 43744 ----a-w- c:\windows\system32\wups2.dll
2012-04-28 08:26 . 2009-08-07 02:24 57560 ----a-w- c:\windows\system32\wuauclt.exe
2012-04-28 08:26 . 2009-08-07 02:24 2424024 ----a-w- c:\windows\system32\wuaueng.dll
2012-04-28 08:26 . 2009-08-07 01:59 2621440 ----a-w- c:\windows\system32\wucltux.dll
2012-04-28 08:25 . 2012-04-28 08:28 -------- d-----w- C:\c21709a8d6fbb17ec1b5f4
2012-04-28 08:25 . 2012-01-31 20:31 59776 ----a-w- c:\windows\system32\Spool\prtprocs\x64\LMIproc.dll
2012-04-28 08:25 . 2012-01-31 20:30 34688 ----a-w- c:\windows\system32\LMIport.dll
2012-04-28 08:25 . 2012-01-31 20:31 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-04-28 08:25 . 2011-09-16 13:10 72216 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2012-04-28 08:25 . 2012-01-31 20:30 80768 ----a-w- c:\windows\system32\LMIinit.dll
2012-04-28 08:25 . 2012-04-28 08:25 -------- d-----w- c:\program files (x86)\LogMeIn
2012-04-28 02:39 . 2012-04-28 02:39 -------- d-----w- c:\program files (x86)\GetData
2012-04-25 10:11 . 2012-04-25 10:11 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-04-24 07:53 . 2012-05-07 19:53 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-24 07:16 . 2012-05-07 19:54 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-15 22:35 . 2012-04-23 10:41 -------- d-----w- c:\users\dan\AppData\Roaming\Nitro PDF
2012-04-15 22:33 . 2012-04-12 04:26 17928 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-04-15 22:33 . 2012-04-12 04:26 29704 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2012-04-15 22:33 . 2012-04-15 22:33 -------- d-----w- c:\program files\Common Files\Nitro PDF
2012-04-15 22:33 . 2012-04-15 22:33 -------- d-----w- c:\programdata\Nitro PDF
2012-04-15 22:33 . 2012-04-15 22:33 -------- d-----w- c:\program files (x86)\Nitro PDF
2012-04-15 22:33 . 2012-04-15 22:33 -------- d-----w- c:\program files (x86)\Common Files\Nitro PDF
2012-04-15 22:32 . 2012-04-15 22:32 -------- d-----w- c:\users\dan\AppData\Roaming\Downloaded Installations
2012-04-12 04:27 . 2012-04-12 04:27 69640 ----a-w- c:\windows\SysWow64\NLSSRV32.EXE
2012-04-11 22:32 . 2012-03-06 06:43 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 22:32 . 2012-03-06 05:59 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-11 22:32 . 2012-03-06 05:59 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-11 22:29 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 22:29 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 22:29 . 2012-03-01 05:49 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 22:29 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 22:29 . 2012-03-01 06:45 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 22:29 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 22:29 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-07 19:54 . 2011-06-01 21:14 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2011-01-21 19:19 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 14:56 . 2011-12-22 21:02 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\SysWow64\GPhotos.scr
2012-03-08 17:37 . 2012-03-08 17:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-02-15 06:27 . 2012-03-14 09:34 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-15 05:44 . 2012-03-14 09:34 826368 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-15 04:47 . 2012-03-14 09:34 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-15 04:46 . 2012-03-14 09:34 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 11:09 . 2012-02-14 11:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-13 16:01 . 2012-02-13 16:02 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D20E63C6-FD95-4827-81D0-C9F84EED3FA0}\gapaengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
"Akamai NetSession Interface"="c:\users\dan\AppData\Local\Akamai\netsession_win.exe" [2012-03-13 3331872]
"WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2012-03-08 1449824]
"Eye-Fi"="c:\program files (x86)\Eye-Fi\Helper\EyeFiHelper.exe" [2011-12-21 3961464]
"Startup Agent"="c:\program files (x86)\BrillKids\Startup Agent\SALauncher.exe" [2011-12-26 219136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-14 30192]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-03-24 12071200]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-10-19 1807360]
.
c:\users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\dan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-11-14 666992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp msoidssp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-03 136176]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-05 20992]
R2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-05 81920]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 257696]
R3 CH341SER_A64;CH341SER_A64;c:\windows\system32\Drivers\CH341S64.SYS [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-02-14 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-03 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 231280]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 109936]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-01-31 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]
S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-04-12 204296]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-04-12 69640]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 489840]
S3 nskbfltr;nskbfltr;c:\windows\system32\drivers\nskbfltr.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 19:54]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-24 09:08]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-24 09:08]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3561266746-369238869-1800256326-1001Core.job
- c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 16:00]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3561266746-369238869-1800256326-1001UA.job
- c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-26 16:00]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\dan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-18 11775592]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2782096]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: sharepoint.com\mediascience
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Nf4bb6cfd]
@Denied: (4) (Everyone)
@Denied: (4) (Administrators)
@Allowed: (A B C D Full GENERIC_EXECUTE GENERIC_WRITE Read 1 2 3 4 5 6) (LocalSystem)
"a"="M"
"InternetCode"="GAHN5XNVXTCCQOIFTJHKUNFRDZ4JTAIRTUQPVMQ8"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\NetSupport\NetSupport Manager\client32.exe
c:\program files (x86)\NetSupport\NetSupport Manager\client32.exe
c:\program files (x86)\Windows Live\Mesh\MOE.exe
c:\program files (x86)\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2012-05-10 22:14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-10 21:14
.
Pre-Run: 885,755,195,392 bytes free
Post-Run: 885,907,705,856 bytes free
.
- - End Of File - - 8E0A4348D0B60D6C269DCCCF2668DD27

#4 incasub

incasub
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:01 PM

Posted 15 May 2012 - 03:51 AM

Hi, sorry for the delay in getting back to you. Thanks for the help so far. I've used my computer for a couple of days now and thought it was OK, but today I've just had another redirect from a Google search.
From the search results, I clicked on a link for microsoft.com/SBS and it redirected me to a site called become.co.uk with links to buying software.

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:01 PM

Posted 15 May 2012 - 02:25 PM

Good evening. :)

Do the redirects occur in any other browsers, Internet Explorer for example, or just Chrome?

So long, and thanks for all the fish.


#6 incasub

incasub
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:01 PM

Posted 16 May 2012 - 06:48 AM

Hi,

It's difficult to say if it happens in another browser. I will try using IE on Friday (I'm out and about tomorrow) to see if it happens.

Today I've only had it happen once. I searched for a bar in Ibiza, and in the Google search results I clicked the bar's URL; I got a redirect to firstchoice.co.uk (with listings for Ibiza as a destination)!

When I go back and try the same search again, it doesn't repeat itself.

So most of the time everything works normally, then about once a day I get a redirect. If I press back immediately to get back to the results and then click the link again, it works as normal. Annoying!

Wish it was repeatable; it would make it easier to diagnose!
