Infected with Win32/Gataka.B trojan horse


5 replies to this topic

#1 Atomdesign


Posted 13 May 2012 - 09:15 AM

I have ESET Smart Security (current version - 5.0.93.10) reporting that a variant of Trojan horse Win32/Gataka.B has infected the files dwm.exe, taskhost.exe and explorer.exe.
ESET is unable to remove the infection.

I've tried running Malwarebytes (full scan) and Trend Micro Housecall to remove the infection, but neither could find it.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by User at 15:19:31 on 2012-05-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.2038.727 [GMT 2:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: ESET Smart Security 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\User\AppData\Roaming\Spotify\spotify.exe
C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startpagina.nl/
uWindow Title = Windows Internet Explorer provided by MSN and Bing
uURLSearchHooks: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
mURLSearchHooks: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {22E03916-85C5-44B0-8DC9-1830C11238D9} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Spotify] "c:\users\user\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
uRun: [LicenseValidator] c:\users\user\appdata\roaming\google inc.\{fc9dea09-9f84-4e41-9102-489a84d52117}\LicenseValidator.exe
uRun: [Spotify Web Helper] "c:\users\user\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\mutike~1.lnk - c:\program files\multikeyboard driver\KbdDrv.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{EAA681DA-69A3-426A-9C43-A69538E27A11} : DhcpNameServer = 212.54.40.25 212.54.35.25
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2011-8-4 50624]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2011-8-4 33656]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-9 974944]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-2 139776]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-3 135664]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-3 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-3 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-10 52224]
S3 Usbfilt;Usbfilt;c:\windows\system32\drivers\usbfilt.sys [2010-2-6 26166]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-5 1343400]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\toolbarbroker.exe --> c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-13 12:34:09 -------- d-----w- c:\users\user\appdata\local\{D40AB1A3-B9F6-41B5-8713-E88450BA4867}
2012-05-13 12:33:56 -------- d-----w- c:\users\user\appdata\local\{125597DB-AC6C-4B1E-96D3-3A1C29D2D7BE}
2012-05-12 12:25:13 -------- d-----w- c:\users\user\appdata\local\{125DE674-AAB1-4F12-8687-30E034C3156B}
2012-05-12 12:24:53 -------- d-----w- c:\users\user\appdata\local\{768E2E74-88AC-4D35-8FF5-DB8EAF125159}
2012-05-11 19:52:27 -------- d-----w- c:\users\user\appdata\roaming\FreeFixer
2012-05-11 19:52:27 -------- d-----w- c:\users\user\appdata\local\FreeFixer
2012-05-11 19:52:23 -------- d-----w- c:\program files\FreeFixer
2012-05-11 17:42:15 -------- d-----w- c:\windows\pss
2012-05-11 11:48:50 -------- d-----w- c:\users\user\appdata\local\{FECD638A-353E-4153-B7D3-A8EC4D7552C4}
2012-05-11 11:48:37 -------- d-----w- c:\users\user\appdata\local\{D5F4BAF7-1D29-48EA-82E4-C61517212FE8}
2012-05-10 13:26:43 -------- d-----w- c:\users\user\appdata\local\{3121FD3F-7A5E-405E-A082-5FD89DDC4A9E}
2012-05-10 13:26:27 -------- d-----w- c:\users\user\appdata\local\{3098185A-15AB-42D4-B3BE-C4D24B915A95}
2012-05-09 12:21:12 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 12:21:11 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 12:21:11 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 12:21:07 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-09 12:21:06 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-09 12:21:05 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-09 12:21:04 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-09 12:21:02 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 12:21:00 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 12:20:57 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 12:13:20 -------- d-----w- c:\users\user\appdata\local\{94B2DD7C-E687-4323-8616-56DD96739146}
2012-05-09 12:13:06 -------- d-----w- c:\users\user\appdata\local\{E6A8C35D-B1EC-4A7F-ACC8-ECCB0F7A4F3F}
2012-05-08 16:36:48 -------- d-----w- c:\users\user\appdata\roaming\Google Inc
2012-05-08 12:25:45 -------- d-----w- c:\users\user\appdata\local\{9FCAEAAB-3964-48DC-9EB8-47E4BC4DE342}
2012-05-08 12:25:30 -------- d-----w- c:\users\user\appdata\local\{3B22BF9A-97AE-4C48-AF7B-701A1C64052D}
2012-05-07 07:06:24 -------- d-----w- c:\users\user\appdata\local\{06A06F40-8DBD-43DA-9583-49721D7154DE}
2012-05-07 07:06:12 -------- d-----w- c:\users\user\appdata\local\{9EA274ED-5BF9-4F11-9B1C-680BA6DB6800}
2012-05-06 13:31:08 -------- d-----w- c:\users\user\appdata\local\{01B3DD69-98B0-4CFC-AB2E-B01D2AFE49F3}
2012-05-06 13:30:55 -------- d-----w- c:\users\user\appdata\local\{BB6AAB03-FB72-4120-8AEA-1EFACC106E9D}
2012-05-05 13:01:19 -------- d-----w- c:\users\user\appdata\local\{EE8FF331-54A3-4ABE-8AC2-4D1F2D393416}
2012-05-05 13:01:07 -------- d-----w- c:\users\user\appdata\local\{89FA92B4-C78A-4B0C-8C9D-8D039E9C022E}
2012-05-04 11:17:22 -------- d-----w- c:\users\user\appdata\local\{448F0C96-F6FA-4138-86EE-0D7C0416D130}
2012-05-04 11:17:09 -------- d-----w- c:\users\user\appdata\local\{3956AAFD-A9F1-4CBF-9096-723AE10647B8}
2012-05-03 12:37:58 -------- d-----w- c:\users\user\appdata\local\{400C6AED-78E3-4623-BF75-7A83D03922A7}
2012-05-03 12:37:46 -------- d-----w- c:\users\user\appdata\local\{BD653782-4DB3-4E33-9C69-2F1A0267B82A}
2012-05-02 12:33:18 -------- d-----w- c:\users\user\appdata\local\{B9733680-33B9-481A-A53B-C23FC75AE52A}
2012-05-02 12:33:06 -------- d-----w- c:\users\user\appdata\local\{88890D72-3D48-4CBE-8295-9DD60DC17962}
2012-05-01 13:20:00 -------- d-----w- c:\users\user\appdata\local\{595DA1BA-2D25-4811-86BA-B5581CB145FA}
2012-05-01 13:19:46 -------- d-----w- c:\users\user\appdata\local\{B2E182F8-44B4-4B30-86E8-93FC6FBCDCCE}
2012-04-30 13:24:01 -------- d-----w- c:\users\user\appdata\local\{C79BB2A4-C06A-4A2F-B303-88D819EF0191}
2012-04-30 13:23:44 -------- d-----w- c:\users\user\appdata\local\{37283D35-97B7-43E8-B9B5-F9409D087F0C}
2012-04-30 13:23:27 -------- d-----w- c:\users\user\appdata\local\{C4326696-0CD5-4163-8874-1251E5794FA6}
2012-04-29 14:05:43 -------- d-----w- c:\users\user\appdata\local\{E5DA7670-1BB4-4652-9FD5-FA3FB072916E}
2012-04-29 14:05:31 -------- d-----w- c:\users\user\appdata\local\{16269464-F8BC-4D3E-A3B7-1EF7906C0952}
2012-04-28 12:26:12 -------- d-----w- c:\users\user\appdata\local\{21764B39-3067-49E7-967F-784DB4D1C7C3}
2012-04-28 12:25:57 -------- d-----w- c:\users\user\appdata\local\{25261FAE-8633-4837-BA98-91771EE245B9}
2012-04-27 12:24:38 -------- d-----w- c:\users\user\appdata\local\{5519C298-6C90-4F43-9AD9-FBF28D618E32}
2012-04-27 12:24:25 -------- d-----w- c:\users\user\appdata\local\{F944BEEB-9EB1-4C26-A9E5-E0A6F3624B98}
2012-04-26 12:19:26 -------- d-----w- c:\users\user\appdata\local\{C692BF1F-3C09-4768-9569-D21EE2134B11}
2012-04-26 12:19:13 -------- d-----w- c:\users\user\appdata\local\{9C73EA8F-A4BA-487B-A014-2C0601E2EAD8}
2012-04-25 12:44:20 -------- d-----w- c:\users\user\appdata\local\{006BDFB0-E3E3-436C-9915-25E2B5085686}
2012-04-25 12:44:07 -------- d-----w- c:\users\user\appdata\local\{F13D8791-FAD7-443B-803D-601C9286CF5C}
2012-04-24 17:56:19 -------- d-----w- c:\users\user\appdata\local\{85C6AFAE-1A83-4355-8029-ADB4A378AE40}
2012-04-24 17:55:56 -------- d-----w- c:\users\user\appdata\local\{251BF148-3C9E-468A-B137-5B7B30836CD7}
2012-04-24 05:55:28 -------- d-----w- c:\users\user\appdata\local\{380C928E-DC48-4A2F-B332-C2E26E9B4982}
2012-04-24 05:55:16 -------- d-----w- c:\users\user\appdata\local\{1E3C5D5F-C6C8-4CBA-9976-CE775880E644}
2012-04-23 13:19:14 -------- d-----w- c:\users\user\appdata\local\{67E73050-5819-4D94-89F2-FC074F78A007}
2012-04-23 13:19:02 -------- d-----w- c:\users\user\appdata\local\{B77331BC-5F61-4673-B264-A4FEFEC8DA7B}
2012-04-22 12:25:30 -------- d-----w- c:\users\user\appdata\local\{1817472D-B73D-46DA-963F-1B9D7A12EAB7}
2012-04-22 12:25:18 -------- d-----w- c:\users\user\appdata\local\{2D939358-38F7-4453-9ABE-0DE4559D1104}
2012-04-21 12:01:58 -------- d-----w- c:\users\user\appdata\local\{F1CEDC10-CB01-4D03-B534-10FA4BD2FBFD}
2012-04-21 12:01:45 -------- d-----w- c:\users\user\appdata\local\{7B58B880-5693-493B-B90A-82BB794266E9}
2012-04-20 11:35:35 -------- d-----w- c:\users\user\appdata\local\{8F654278-FD71-4DB2-8709-8C380B9AEC98}
2012-04-20 11:35:23 -------- d-----w- c:\users\user\appdata\local\{9C5922E0-567C-424B-92AE-2384886AFA5D}
2012-04-19 11:17:44 -------- d-----w- c:\users\user\appdata\local\{0500077D-B83D-4DDC-94F2-C69B5C64A7AE}
2012-04-19 11:17:32 -------- d-----w- c:\users\user\appdata\local\{4F733EA7-AD55-4EEB-84A9-A4A1FE5BB8B2}
2012-04-18 13:52:16 -------- d-----w- c:\users\user\appdata\local\{E9AA0810-4360-44F1-B9B9-5EA697C11B21}
2012-04-18 13:52:03 -------- d-----w- c:\users\user\appdata\local\{6B307E93-D894-4AC6-AC44-E2BC5D9AD871}
2012-04-17 13:29:46 -------- d-----w- c:\users\user\appdata\local\{86529E02-9675-41EA-8178-E4C8FAA5A30D}
2012-04-17 13:29:34 -------- d-----w- c:\users\user\appdata\local\{4ED6E2A2-33AB-453D-A5F1-6A5E94B3BE84}
2012-04-16 06:55:23 -------- d-----w- c:\users\user\appdata\local\{5A6D3209-3D7F-4C81-9775-F78B3573F85D}
2012-04-16 06:55:11 -------- d-----w- c:\users\user\appdata\local\{A65D764F-3794-4017-8AD1-95A588FF63C7}
2012-04-15 12:12:50 -------- d-----w- c:\users\user\appdata\local\{C3CFB505-C862-4798-B085-B6E54AB4B3FC}
2012-04-15 12:12:37 -------- d-----w- c:\users\user\appdata\local\{3CEBFBB1-AC88-4828-AA78-24D262267CA7}
2012-04-14 14:43:37 -------- d-----w- c:\users\user\appdata\local\{94D28EFE-8EE7-44E7-94A9-964FB738DA9A}
2012-04-14 14:43:22 -------- d-----w- c:\users\user\appdata\local\{C3DC0191-4377-4B71-B5BA-44EA013099AB}
.
==================== Find3M ====================
.
2012-03-08 16:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-08 16:37:20 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-03-08 16:32:24 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2012-03-03 14:47:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
============= FINISH: 15:20:44,41 ===============

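Reading a DDS "Pseudo HJT Report" like the one above comes down to asking the same questions of every autostart entry: does the referenced file still exist, where on disk does it live, and could a non-admin user have written it there. The Python below is an added example written for this thread; it is not part of DDS, OTL, ESET or the poster's logs. It runs those checks over lines copied verbatim from the report above plus one constructed clean entry used as a control. The flag names, the list of user-writable locations and the GUID-directory heuristic are the example's own choices, not anything DDS emits.

```python
"""Triage of autostart lines from a DDS 'Pseudo HJT Report'.

Added example for this thread, not part of DDS, OTL, ESET or the poster's
logs.  SAMPLE_LINES are copied from the DDS report above; the last entry is
constructed as a clean control.  Flag names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LINES = [
    r'uRun: [LicenseValidator] c:\users\user\appdata\roaming\google inc.\{fc9dea09-9f84-4e41-9102-489a84d52117}\LicenseValidator.exe',
    r'uRun: [Spotify] "c:\users\user\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart',
    r'mRun: [IgfxTray] c:\windows\system32\igfxtray.exe',
    r'mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe',
    r'BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll',
    r'BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File',
    r'TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File',
    r'mURLSearchHooks: H - No File',
    r'mRun: [Example] "c:\program files\vendor\tool.exe" /quiet',  # constructed control line
]

# DDS prefixes for entries that run or load without user action.
AUTOSTART_PREFIXES = ('uRun:', 'mRun:', 'StartupFolder:', 'BHO:', 'TB:', 'EB:',
                      'uURLSearchHooks:', 'mURLSearchHooks:')
RUN_KINDS = ('uRun', 'mRun')

# First quoted string, else the first drive-rooted path up to a loadable extension
# (Run values are often unquoted even when the path contains spaces).
EXE_RE = re.compile(r'"([^"]+)"|([a-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))', re.I)
NAME_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
GUID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# Locations a standard user can write to: profile dirs, ProgramData, any temp dir.
USER_WRITABLE_RE = re.compile(
    r'^[a-z]:\\(?:users|documents and settings)\\[^\\]+\\|^[a-z]:\\programdata\\|\\temp\\', re.I)


@dataclass
class Finding:
    line: str
    kind: str
    exe: Optional[str]
    name: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def extract_exe(command: str) -> Optional[str]:
    """Pull the image path out of a Run command line or a CLSID -> file mapping."""
    m = EXE_RE.search(command)
    return (m.group(1) or m.group(2)).lower() if m else None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an autostart line, or None for any other DDS line."""
    line = line.strip()
    prefix = next((p for p in AUTOSTART_PREFIXES if line.startswith(p)), None)
    if prefix is None:
        return None
    body = line[len(prefix):].strip()
    m = NAME_RE.match(body)
    name, cmd = (m.group('name'), m.group('cmd')) if m else (None, body)
    f = Finding(line=line, kind=prefix.rstrip(':'), exe=None, name=name)

    if body.endswith('- No File'):
        # The registry still points at a CLSID/DLL that is gone: a leftover of an
        # uninstalled toolbar/BHO, or of a file a scanner deleted without the key.
        f.flags.append('orphan')
        return f
    f.exe = extract_exe(cmd)
    if f.exe is None:
        f.flags.append('no_path')
        return f
    if USER_WRITABLE_RE.search(f.exe):
        # Persistence from a user-writable directory needs no admin rights and is
        # where most user-mode malware sits; legitimate software does it too.
        f.flags.append('user_writable')
    if GUID_RE.search(f.exe):
        # Executable living in a GUID-named directory: worth a look, not a verdict.
        f.flags.append('guid_dir')
    if f.kind in RUN_KINDS and ' ' in f.exe and not cmd.startswith('"'):
        # Unquoted path with spaces: CreateProcess tries the shorter prefixes
        # (c:\program.exe, ...) first, so a planted file there would run instead.
        f.flags.append('unquoted_spaces')
    return f


def triage(lines) -> List[Finding]:
    """Classify every autostart line, including the ones that raise no flag."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def flagged(lines) -> dict:
    """Map each flagged line to its flags; clean entries are left out."""
    return {f.line: f.flags for f in triage(lines) if f.flags}


if __name__ == '__main__':
    for entry, flags in flagged(SAMPLE_LINES).items():
        print(f"{', '.join(flags):<40} {entry}")
```

A flag is a lead, not a verdict: Spotify legitimately runs from AppData and the AVG tray entry is simply an unquoted vendor path, while the LicenseValidator entry (user-writable, GUID-named directory, unquoted) and the three orphaned CLSID references are the ones a helper would ask the poster about or clean up. Feed the whole log in by reading the file into `triage()`; non-autostart lines are skipped.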

#2 Gammo


Posted 13 May 2012 - 10:41 AM

We need to create an OTL Report
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


Please post the final results, good or bad. We like to know!


#3 Atomdesign


Posted 14 May 2012 - 01:01 PM

OTL report is attached! Extras.txt was not generated. Is that a problem?

OTL logfile created on: 14-5-2012 19:43:27 - Run 2
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Users\User\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

1,99 Gb Total Physical Memory | 0,66 Gb Available Physical Memory | 32,99% Memory free
3,98 Gb Paging File | 2,47 Gb Available in Paging File | 62,06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 234,28 Gb Total Space | 134,79 Gb Free Space | 57,54% Space Free | Partition Type: NTFS
Drive D: | 231,39 Gb Total Space | 230,89 Gb Free Space | 99,78% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-05-14 19:42:19 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\User\Downloads\OTL.exe
PRC - [2012-05-04 20:13:46 | 009,478,320 | ---- | M] (Spotify Ltd) -- C:\Users\User\AppData\Roaming\Spotify\spotify.exe
PRC - [2012-05-04 20:13:46 | 000,932,528 | ---- | M] () -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012-03-03 16:47:41 | 000,250,016 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11f_ActiveX.exe
PRC - [2012-02-23 13:33:57 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2012-02-10 11:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE
PRC - [2011-09-09 13:43:22 | 000,974,944 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2011-09-09 13:43:10 | 003,080,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2011-06-06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011-02-25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010-11-20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010-01-12 17:21:50 | 004,994,856 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version5\TeamViewer.exe
PRC - [2010-01-12 16:57:44 | 000,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
PRC - [2009-11-12 14:48:56 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe


========== Modules (No Company Name) ==========

MOD - [2012-05-04 20:13:46 | 020,101,120 | ---- | M] () -- C:\Users\User\AppData\Roaming\Spotify\Data\libcef.dll
MOD - [2012-05-04 20:13:46 | 000,932,528 | ---- | M] () -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2012-02-10 11:28:06 | 000,240,408 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012-02-10 11:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE -- (BBSvc)
SRV - [2011-09-09 13:43:22 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2011-06-06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010-10-22 05:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010-08-05 16:37:06 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010-04-10 17:05:58 | 000,266,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2010-01-12 16:57:44 | 000,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
SRV - [2009-11-12 14:48:56 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2009-07-14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009-07-14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011-08-09 13:57:10 | 000,163,424 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2011-08-04 09:20:38 | 000,147,480 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
DRV - [2011-08-04 09:20:38 | 000,050,624 | ---- | M] (ESET) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
DRV - [2011-08-04 09:20:38 | 000,033,656 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\EpfwLWF.sys -- (EpfwLWF)
DRV - [2011-08-04 09:20:36 | 000,118,104 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010-11-20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010-11-09 23:20:58 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010-09-13 17:27:54 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2010-09-07 04:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010-09-07 04:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010-09-07 04:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2010-08-19 22:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010-08-19 22:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010-08-19 22:42:36 | 000,021,072 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010-08-05 16:35:31 | 000,032,256 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009-11-12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009-07-14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2004-08-13 10:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004-02-01 06:53:20 | 000,026,166 | ---- | M] (Compuware Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbfilt.sys -- (Usbfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nl.msn.com/?ocid=OIE9HP
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://nl.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{05DB0B55-8AE0-4CD5-AA71-FA6F1CDD685A}: "URL" = http://nl.wikipedia.org/w/index.php?title=Speciaal:Zoeken&search={searchTerms}
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=WLETDF&PC=WLEM&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BT5&o=&src=crm&q={searchTerms}&locale=
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{620B0029-3370-4339-8EDF-EAD3A00FCE38}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7PCTC_nlNL391
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{A11B9B5E-2614-4128-A04E-0C97E93F97C6}: "URL" = http://search.avg.com/route/?d=4cd97cfa&v=6.10.6.4&i=26&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\Bing: "URL" = http://www.bing.com/?scope=web&setmkt=nl-NL
IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-02-05 10:17:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2011-09-16 16:55:27 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-02-05 10:17:03 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U20 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Zoeken = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2009-06-10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (no name) - {22E03916-85C5-44B0-8DC9-1830C11238D9} - No CLSID value found.
O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (uTorrentBar_NL Toolbar) - {87775FDB-6972-41F9-AE51-8326E38CB206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000..\Run: [LicenseValidator] C:\Users\User\AppData\Roaming\Google Inc.\{FC9DEA09-9F84-4E41-9102-489A84D52117}\LicenseValidator.exe ()
O4 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000..\Run: [Spotify] C:\Users\User\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000..\Run: [Spotify Web Helper] C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
O4 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..Trusted Domains: microsoft.com ([download.windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab (Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.54.40.25 212.54.35.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EAA681DA-69A3-426A-9C43-A69538E27A11}: DhcpNameServer = 212.54.40.25 212.54.35.25
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-06-10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012-05-11 18:48:56 | 000,000,112 | ---- | M] () - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012-05-14 09:05:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{AB3CC619-0A9A-45F5-9ED9-423FB6F0E220}
[2012-05-14 09:05:02 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{30DAC840-45FA-4D64-B196-4F20CB0A93AA}
[2012-05-13 14:34:09 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{D40AB1A3-B9F6-41B5-8713-E88450BA4867}
[2012-05-13 14:33:56 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{125597DB-AC6C-4B1E-96D3-3A1C29D2D7BE}
[2012-05-12 14:25:13 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{125DE674-AAB1-4F12-8687-30E034C3156B}
[2012-05-12 14:24:53 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{768E2E74-88AC-4D35-8FF5-DB8EAF125159}
[2012-05-11 21:52:27 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\FreeFixer
[2012-05-11 21:52:27 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\FreeFixer
[2012-05-11 21:52:24 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFixer
[2012-05-11 21:52:23 | 000,000,000 | ---D | C] -- C:\Program Files\FreeFixer
[2012-05-11 19:51:21 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012-05-11 19:42:15 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012-05-11 13:48:50 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{FECD638A-353E-4153-B7D3-A8EC4D7552C4}
[2012-05-11 13:48:37 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{D5F4BAF7-1D29-48EA-82E4-C61517212FE8}
[2012-05-10 15:26:43 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{3121FD3F-7A5E-405E-A082-5FD89DDC4A9E}
[2012-05-10 15:26:27 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{3098185A-15AB-42D4-B3BE-C4D24B915A95}
[2012-05-09 14:13:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{94B2DD7C-E687-4323-8616-56DD96739146}
[2012-05-09 14:13:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{E6A8C35D-B1EC-4A7F-ACC8-ECCB0F7A4F3F}
[2012-05-08 18:41:03 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Help
[2012-05-08 18:36:48 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Google Inc
[2012-05-08 14:25:45 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{9FCAEAAB-3964-48DC-9EB8-47E4BC4DE342}
[2012-05-08 14:25:30 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{3B22BF9A-97AE-4C48-AF7B-701A1C64052D}
[2012-05-07 09:06:24 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{06A06F40-8DBD-43DA-9583-49721D7154DE}
[2012-05-07 09:06:12 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{9EA274ED-5BF9-4F11-9B1C-680BA6DB6800}
[2012-05-06 15:31:08 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{01B3DD69-98B0-4CFC-AB2E-B01D2AFE49F3}
[2012-05-06 15:30:55 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{BB6AAB03-FB72-4120-8AEA-1EFACC106E9D}
[2012-05-05 15:01:19 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{EE8FF331-54A3-4ABE-8AC2-4D1F2D393416}
[2012-05-05 15:01:07 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{89FA92B4-C78A-4B0C-8C9D-8D039E9C022E}
[2012-05-04 13:17:22 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{448F0C96-F6FA-4138-86EE-0D7C0416D130}
[2012-05-04 13:17:09 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{3956AAFD-A9F1-4CBF-9096-723AE10647B8}
[2012-05-03 14:37:58 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{400C6AED-78E3-4623-BF75-7A83D03922A7}
[2012-05-03 14:37:46 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{BD653782-4DB3-4E33-9C69-2F1A0267B82A}
[2012-05-02 14:33:18 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{B9733680-33B9-481A-A53B-C23FC75AE52A}
[2012-05-02 14:33:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{88890D72-3D48-4CBE-8295-9DD60DC17962}
[2012-05-01 15:20:00 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{595DA1BA-2D25-4811-86BA-B5581CB145FA}
[2012-05-01 15:19:46 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{B2E182F8-44B4-4B30-86E8-93FC6FBCDCCE}
[2012-04-30 15:24:01 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{C79BB2A4-C06A-4A2F-B303-88D819EF0191}
[2012-04-30 15:23:44 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{37283D35-97B7-43E8-B9B5-F9409D087F0C}
[2012-04-30 15:23:27 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{C4326696-0CD5-4163-8874-1251E5794FA6}
[2012-04-29 16:05:43 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{E5DA7670-1BB4-4652-9FD5-FA3FB072916E}
[2012-04-29 16:05:31 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{16269464-F8BC-4D3E-A3B7-1EF7906C0952}
[2012-04-28 14:26:12 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{21764B39-3067-49E7-967F-784DB4D1C7C3}
[2012-04-28 14:25:57 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{25261FAE-8633-4837-BA98-91771EE245B9}
[2012-04-27 14:24:38 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{5519C298-6C90-4F43-9AD9-FBF28D618E32}
[2012-04-27 14:24:25 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{F944BEEB-9EB1-4C26-A9E5-E0A6F3624B98}
[2012-04-26 14:19:26 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{C692BF1F-3C09-4768-9569-D21EE2134B11}
[2012-04-26 14:19:13 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{9C73EA8F-A4BA-487B-A014-2C0601E2EAD8}
[2012-04-25 14:44:20 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{006BDFB0-E3E3-436C-9915-25E2B5085686}
[2012-04-25 14:44:07 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{F13D8791-FAD7-443B-803D-601C9286CF5C}
[2012-04-24 19:56:19 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{85C6AFAE-1A83-4355-8029-ADB4A378AE40}
[2012-04-24 19:55:56 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{251BF148-3C9E-468A-B137-5B7B30836CD7}
[2012-04-24 07:55:28 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{380C928E-DC48-4A2F-B332-C2E26E9B4982}
[2012-04-24 07:55:16 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{1E3C5D5F-C6C8-4CBA-9976-CE775880E644}
[2012-04-23 15:19:14 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{67E73050-5819-4D94-89F2-FC074F78A007}
[2012-04-23 15:19:02 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{B77331BC-5F61-4673-B264-A4FEFEC8DA7B}
[2012-04-22 14:25:30 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{1817472D-B73D-46DA-963F-1B9D7A12EAB7}
[2012-04-22 14:25:18 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{2D939358-38F7-4453-9ABE-0DE4559D1104}
[2012-04-21 14:01:58 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{F1CEDC10-CB01-4D03-B534-10FA4BD2FBFD}
[2012-04-21 14:01:45 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{7B58B880-5693-493B-B90A-82BB794266E9}
[2012-04-20 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{8F654278-FD71-4DB2-8709-8C380B9AEC98}
[2012-04-20 13:35:23 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{9C5922E0-567C-424B-92AE-2384886AFA5D}
[2012-04-19 13:17:44 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{0500077D-B83D-4DDC-94F2-C69B5C64A7AE}
[2012-04-19 13:17:32 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{4F733EA7-AD55-4EEB-84A9-A4A1FE5BB8B2}
[2012-04-18 15:52:16 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{E9AA0810-4360-44F1-B9B9-5EA697C11B21}
[2012-04-18 15:52:03 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{6B307E93-D894-4AC6-AC44-E2BC5D9AD871}
[2012-04-17 15:29:46 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{86529E02-9675-41EA-8178-E4C8FAA5A30D}
[2012-04-17 15:29:34 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{4ED6E2A2-33AB-453D-A5F1-6A5E94B3BE84}
[2012-04-16 08:55:23 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{5A6D3209-3D7F-4C81-9775-F78B3573F85D}
[2012-04-16 08:55:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{A65D764F-3794-4017-8AD1-95A588FF63C7}
[2012-04-15 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{C3CFB505-C862-4798-B085-B6E54AB4B3FC}
[2012-04-15 14:12:37 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{3CEBFBB1-AC88-4828-AA78-24D262267CA7}
[4 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-05-14 19:47:34 | 000,016,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012-05-14 19:47:34 | 000,016,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012-05-14 19:40:00 | 000,001,036 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012-05-14 19:39:53 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\Registry Reviver-User-Startup.job
[2012-05-14 19:39:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012-05-14 19:39:27 | 1602,887,680 | -HS- | M] () -- C:\hiberfil.sys
[2012-05-14 09:38:05 | 000,001,040 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012-05-13 16:55:00 | 000,001,062 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3906167350-2576190715-1683851666-1000UA.job
[2012-05-11 19:55:09 | 000,001,010 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3906167350-2576190715-1683851666-1000Core.job
[2012-05-11 19:51:24 | 000,002,310 | ---- | M] () -- C:\Users\User\Desktop\Google Chrome.lnk
[2012-05-11 19:48:41 | 000,279,555 | ---- | M] () -- C:\Users\User\AppData\Local\census.cache
[2012-05-11 19:48:21 | 000,162,088 | ---- | M] () -- C:\Users\User\AppData\Local\ars.cache
[2012-05-11 19:40:22 | 000,000,036 | ---- | M] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2012-05-09 14:38:03 | 000,426,016 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012-05-09 14:30:40 | 000,703,942 | ---- | M] () -- C:\Windows\System32\perfh013.dat
[2012-05-09 14:30:40 | 000,618,426 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012-05-09 14:30:40 | 000,134,572 | ---- | M] () -- C:\Windows\System32\perfc013.dat
[2012-05-09 14:30:40 | 000,107,404 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[4 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-05-11 19:51:24 | 000,002,310 | ---- | C] () -- C:\Users\User\Desktop\Google Chrome.lnk
[2012-05-11 19:50:51 | 000,001,062 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3906167350-2576190715-1683851666-1000UA.job
[2012-05-11 19:50:49 | 000,001,010 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3906167350-2576190715-1683851666-1000Core.job
[2012-05-11 19:48:41 | 000,279,555 | ---- | C] () -- C:\Users\User\AppData\Local\census.cache
[2012-05-11 19:48:21 | 000,162,088 | ---- | C] () -- C:\Users\User\AppData\Local\ars.cache
[2012-05-11 19:44:13 | 000,001,043 | ---- | C] () -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MutiKeyboard Driver.lnk
[2012-05-11 19:40:22 | 000,000,036 | ---- | C] () -- C:\Users\User\AppData\Local\housecall.guid.cache
[2012-02-08 16:41:56 | 000,177,231 | ---- | C] () -- C:\Windows\hpoins14.dat.temp
[2012-02-08 16:41:56 | 000,001,498 | ---- | C] () -- C:\Windows\hpomdl14.dat.temp
[2011-06-23 14:53:05 | 000,000,000 | ---- | C] () -- C:\Users\User\AppData\Local\{7473287A-11DD-4678-AB25-22A2643BE73A}
[2010-10-31 20:43:16 | 000,003,584 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-08-15 13:37:50 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010-06-14 22:26:13 | 000,000,000 | ---- | C] () -- C:\Windows\popcinfo.dat

========== LOP Check ==========

[2010-11-09 18:56:39 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\AVG10
[2011-10-26 18:36:22 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\BitTorrent
[2010-02-06 12:16:32 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Canneverbe Limited
[2010-04-17 20:26:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\CasinoOnNet
[2010-12-02 21:08:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\ESET
[2012-05-11 22:02:43 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\FreeFixer
[2010-02-05 18:17:47 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\NewsLeecher
[2010-01-29 17:14:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\OpenOffice.org
[2012-05-14 19:45:21 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Spotify
[2012-05-09 17:55:12 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TeamViewer
[2010-05-31 22:30:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\URSoft
[2011-10-11 20:51:54 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\uTorrent
[2010-06-18 13:51:55 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Vso
[2010-10-24 15:40:15 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Windows Live Writer
[2012-05-14 19:39:53 | 000,000,376 | ---- | M] () -- C:\Windows\Tasks\Registry Reviver-User-Startup.job
[2012-04-14 16:42:44 | 000,032,602 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 725 bytes -> C:\Users\User\Documents\budget.eml:OECustomProperty
@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:1CE11B51
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:ECF54A0E
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

Attached Files
  • OTL.Txt (71.51KB)

Edited by Gammo, 14 May 2012 - 01:09 PM.


#4 Gammo

Posted 14 May 2012 - 01:16 PM

You're currently using multiple anti-virus programs (ESET and AVG). Please uninstall one of them. I recommend you keep ESET.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKLM\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280
    IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\URLSearchHook: {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
    IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BT5&o=&src=crm&q={searchTerms}&locale=
    IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{620B0029-3370-4339-8EDF-EAD3A00FCE38}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
    IE - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2405280
    O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
    O2 - BHO: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
    O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (uTorrentBar_NL Toolbar) - {87775fdb-6972-41f9-ae51-8326e38cb206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (no name) - {22E03916-85C5-44B0-8DC9-1830C11238D9} - No CLSID value found.
    O3 - HKU\S-1-5-21-3906167350-2576190715-1683851666-1000\..\Toolbar\WebBrowser: (uTorrentBar_NL Toolbar) - {87775FDB-6972-41F9-AE51-8326E38CB206} - C:\Program Files\uTorrentBar_NL\prxtbuTor.dll (Conduit Ltd.)
    [4 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2010-04-17 20:26:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\CasinoOnNet
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\Program Files\uTorrentBar_NL
    C:\Program Files\ConduitEngine
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done





Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Edited by Gammo, 14 May 2012 - 01:16 PM.


Please post the final results, good or bad. We like to know!


#5 Atomdesign

Atomdesign
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 16 May 2012 - 07:07 AM

ESET is no longer finding the virus, and internet also appears to be working properly again.
This is even before running the OTL custom fix you've recommended and running Combofix. Regardless, I did take the last two steps and have attached the combofix log.

Everything appears to be working properly again.

Gammo, thank you very much for the assistance. I can usually find my way around this type of issue, but this was a tough one.

Attached Files



#6 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:53 PM

Posted 16 May 2012 - 07:51 AM

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. ^_^

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files
Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall
You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated
It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Google Chrome and Opera. Both are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

The WOT add-on will nicely help to enhance your security, no matter which web browser you use. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.
  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?
If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Gammo :cool:


Please post the final results, good or bad. We like to know!
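The hosts-file mechanism behind both the [resethosts] step in the OTL fix above and the MVPS Hosts suggestion, as an added example that is not from the thread or from either tool: it parses a constructed hosts file and separates blocklist-style blackhole entries (the kind MVPS Hosts installs) from entries that send a name to a routable address (the shape of a hosts-file hijack, which resetting the file undoes). All names and addresses are constructed.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): two blackhole
# entries as an MVPS-style blocklist would add, one normal localhost line,
# and one vendor-looking name pinned to a routable address.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1  localhost
0.0.0.0    ads.example-adnetwork.invalid   # blocked by blocklist
0.0.0.0    tracker.example.invalid
203.0.113.7  update.example-av.invalid   # redirected to another host
"""

# Addresses that make a name unreachable rather than pointing it elsewhere.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that are expected to map to loopback in any normal hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, ignore the line
        for name in names:
            yield ip, name.lower()

def classify_hosts(text):
    """Split entries into blocklist blackholes and suspicious redirects."""
    blackholed, redirected = [], []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip in BLACKHOLE:
            blackholed.append(name)
        else:
            redirected.append((name, ip))  # worth a look: hijack pattern
    return {"blackholed": blackholed, "redirected": redirected}

def is_blocked(text, hostname):
    """True if hostname is pinned to a blackhole address in this file."""
    return hostname.lower() in classify_hosts(text)["blackholed"]
```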




