Many infections, google redirects, and possible msiexec.exe hijack


  • This topic is locked
17 replies to this topic

#1 IDMWMYG

IDMWMYG

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 31 May 2012 - 09:43 PM

Hi, my old Windows XP laptop has not been doing too well lately. It has a number of Google and Bing redirects, whether I use Firefox or Chrome. The antivirus ran out of its trial period, and as it had become a family computer around the same time, I forgot to keep up on that sort of basic maintenance.

Installing AVG and running a full system scan gave me these results - the worst virus scan I've ever seen on one of my machines:

"";"C:\WINDOWS\system32\rundll32.exe (2476)";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"";"C:\WINDOWS\system32\rundll32.exe (2464)";"Trojan horse Generic27.BVAW";"Moved to Virus Vault"
"";"C:\Program Files\Battlefront\Theatre of War\rts.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"";"C:\Program Files\Battlefront\Theatre of War\core.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\uipce.dll";"Virus found Win32/Cryptor";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\uipce.dll";"Virus found Win32/Cryptor";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Reboot is required to finish the action"
"";"C:\Documents and Settings\Dave\My Documents\Downloads\6651.pdf";"Virus found Script/PDF.Exploit";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temp\uipce.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\0Y0QMV30\AQCCwAAAL-YlEzhEWR9rLhtgiZvmW8BAD_JWEB7WxFj2P9OnZIhFptyEc0BHk7JNgmBPgBFY3lpgW5ibjA9ODYxAgMEBQYBAjRW&rt=yAAAAAAAAAAAAHYAAAAAAAAAAAAAADB1AAAAAAAAAAAAAAAAAAAAAAAA[1].htm";"Virus found Win32/Cryptor";"Moved to Virus Vault"

Since then I reinstalled Firefox from scratch, but the search redirects continue.

I have also noticed lately that msiexec.exe comes on and hogs 99% of the CPU while nothing is being installed, removed or edited. All I was doing at the time was typing in OpenOffice. I had a few Windows updates on hold at the time. Could it have been that?

Below is my DDS log.
Looking forward to your reply, Dave


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Dave at 21:55:54 on 2012-05-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1095 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\NetMeter\NetMeter114beta_4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.vzam.net/download/download.aspx?productid=478&upd=t
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctNzI2MzMwNzQxLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1808"&"mid=7e4b5aded0d147d1a55dd15a88c2c6c8-5a33b1dd7f98c5fe7ed775e71b7a2f2a46f554e2
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{C4CA7A7F-0016-415F-9224-D9A7A4EE3DC2} : NameServer = 66.174.92.14 66.174.95.44
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dave\application data\mozilla\firefox\profiles\ou5mjx69.default\
FF - plugin: c:\documents and settings\dave\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-23 13496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2010-2-27 14464]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2010-4-25 2560]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [2010-7-8 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [2010-7-8 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [2010-7-8 176384]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-16 257696]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-7-8 20480]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-5-1 114704]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-2-28 2385896]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-21 19:47:44 -------- d--h--w- C:\$AVG
2012-05-21 19:47:43 -------- d-----w- c:\windows\system32\drivers\AVG
2012-05-21 19:36:18 -------- d-----w- C:\downloads
2012-05-16 18:18:19 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-16 13:42:54 -------- d-----w- c:\documents and settings\dave\local settings\application data\Sun
2012-05-16 13:17:41 -------- d-----w- c:\program files\Oracle
2012-05-16 13:16:55 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-05-29 23:03:48 2001 --sha-w- c:\windows\system32\mmf.sys
2012-05-16 18:26:12 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 11:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-05 01:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 01:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-05-08 21:06:30 704282 ----a-w- c:\program files\unins000.exe
.
============= FINISH: 21:57:56.00 ===============
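A triage helper for the AVG report quoted at the top of this post, added here as an example; it is not part of the original post and not AVG's own tooling. It parses AVG 2012's semicolon-separated result lines (the twelve quoted above are embedded as the input), collapses the rows AVG logged twice for "Reboot is required" items, and summarizes what a responder looks at first: hits inside running processes (the trailing PID in the object field), files under Temp and the IE cache, and items AVG could not yet remove. The field layout (blank, object, detection, action) and the rule that the detection name is the last token of the detection field are inferred from the quoted lines, not taken from AVG documentation.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The twelve AVG 2012 result lines quoted in the post above. Each line has four
# semicolon-separated, double-quoted fields: (unused), object, detection, action.
AVG_REPORT = r'''"";"C:\WINDOWS\system32\rundll32.exe (2476)";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"";"C:\WINDOWS\system32\rundll32.exe (2464)";"Trojan horse Generic27.BVAW";"Moved to Virus Vault"
"";"C:\Program Files\Battlefront\Theatre of War\rts.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"";"C:\Program Files\Battlefront\Theatre of War\core.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\uipce.dll";"Virus found Win32/Cryptor";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\uipce.dll";"Virus found Win32/Cryptor";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Reboot is required to finish the action"
"";"C:\DOCUME~1\Dave\LOCALS~1\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Reboot is required to finish the action"
"";"C:\Documents and Settings\Dave\My Documents\Downloads\6651.pdf";"Virus found Script/PDF.Exploit";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temp\uipce.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temp\idmig.dll";"Trojan horse Generic27.BVAW";"Moved to Virus Vault"
"";"C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\0Y0QMV30\AQCCwAAAL-YlEzhEWR9rLhtgiZvmW8BAD_JWEB7WxFj2P9OnZIhFptyEc0BHk7JNgmBPgBFY3lpgW5ibjA9ODYxAgMEBQYBAjRW&rt=yAAAAAAAAAAAAHYAAAAAAAAAAAAAADB1AAAAAAAAAAAAAAAAAAAAAAAA[1].htm";"Virus found Win32/Cryptor";"Moved to Virus Vault"
'''

# In-memory hits carry a " (PID)" suffix on the object path; on-disk hits do not.
_OBJECT_RE = re.compile(r"(?P<path>.*?)(?: \((?P<pid>\d+)\))?")
# Temp locations in both long and 8.3 (LOCALS~1) spelling, plus the IE cache.
_TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    path: str
    pid: Optional[int]   # set only for hits inside a running process
    name: str            # e.g. "Win32/Cryptor"
    action: str          # e.g. "Moved to Virus Vault"


def parse_avg_report(text: str) -> List[Detection]:
    """Parse AVG's semicolon-separated report lines into Detection records."""
    out = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 4:
            continue  # blank or truncated line
        m = _OBJECT_RE.fullmatch(row[1])
        pid = int(m.group("pid")) if m.group("pid") else None
        # "Virus found Win32/Cryptor" / "Trojan horse Generic27.BVAW": the
        # detection name is the last whitespace-separated token (inferred).
        name = row[2].strip().rsplit(" ", 1)[-1]
        out.append(Detection(m.group("path"), pid, name, row[3].strip()))
    return out


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Collapse exact duplicate rows and count what a responder triages first."""
    unique = set(dets)  # AVG logged each pending-reboot item twice
    pending = [d for d in unique if "reboot" in d.action.lower()]
    return {
        "rows": len(dets),
        "unique": len(unique),
        "by_detection": Counter(d.name for d in unique),
        "in_memory": sum(1 for d in unique if d.pid is not None),
        "in_temp": sum(1 for d in unique if _TEMP_RE.search(d.path)),
        "pending_reboot": len(pending),
        "reboot_paths": sorted(d.path for d in pending),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_avg_report(AVG_REPORT)).items():
        print(f"{key}: {value}")
```

Note that the two Temp DLLs appear once under the 8.3 spelling (DOCUME~1\...\LOCALS~1\Temp) and once under the long path, so the unique count still treats them as separate files; resolving short names to long ones needs the live filesystem, which an offline log parser does not have.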



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:01 PM

Posted 01 June 2012 - 11:52 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed, click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 IDMWMYG

IDMWMYG
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 07 June 2012 - 11:35 AM

I had to install the recovery console from my XP disc, I think because it is a media center edition. Everything went smoothly after that.

ComboFix 12-06-07.03 - Dave 06/07/2012 8:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1566 [GMT -7:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-05-07 to 2012-06-07 )))))))))))))))))))))))))))))))
.
.
2012-06-05 03:36 . 2012-06-05 06:35 -------- d-----w- c:\program files\coe3
2012-06-01 02:47 . 2012-06-01 02:48 -------- d-----w- c:\documents and settings\Mom
2012-05-21 19:47 . 2012-05-21 19:47 -------- d-----w- C:\$AVG
2012-05-21 19:47 . 2012-06-07 01:22 -------- d-----w- c:\windows\system32\drivers\AVG
2012-05-21 19:36 . 2012-05-21 19:36 -------- d-----w- C:\downloads
2012-05-16 18:18 . 2012-05-16 18:26 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-16 13:42 . 2012-05-16 13:42 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Sun
2012-05-16 13:38 . 2012-05-16 13:38 -------- d-----w- c:\program files\Common Files\Java
2012-05-16 13:17 . 2012-05-16 13:17 -------- d-----w- c:\program files\Oracle
2012-05-16 13:17 . 2012-05-16 13:17 -------- d-----w- c:\documents and settings\Dave\Application Data\Oracle
2012-05-16 13:16 . 2012-04-05 01:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 18:26 . 2011-06-05 03:04 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 11:50 . 2012-04-19 11:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-11 13:12 . 2004-08-10 11:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2004-08-10 11:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-05 01:47 . 2011-10-24 03:28 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 01:47 . 2010-10-17 07:24 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-08 21:06 . 2010-05-08 21:06 704282 ----a-w- c:\program files\unins000.exe
2012-04-21 01:19 . 2012-05-17 17:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"nwiz"="nwiz.exe" [2005-10-10 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"VX6000"="c:\windows\vVX6000.exe" [2007-04-10 996712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzI2MzMwNzQxLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1808&mid=7e4b5aded0d147d1a55dd15a88c2c6c8-5a33b1dd7f98c5fe7ed775e71b7a2f2a46f554e2" [?]
.
c:\documents and settings\Dave\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-12-9 3826968]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
2004-09-03 08:58 65536 ------w- c:\program files\Ahead\ODD Toolkit\dvdtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 07:12 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 09:58 229952 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-12-15 22:43 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 18:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/23/2011 2:05 PM 13496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2/27/2010 10:21 AM 14464]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [7/8/2010 10:52 AM 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [7/8/2010 10:52 AM 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [7/8/2010 10:52 AM 176384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [4/25/2010 9:03 PM 2560]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/16/2012 11:18 AM 257696]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/8/2010 10:52 AM 20480]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [5/1/2010 9:36 PM 114704]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2/28/2010 3:29 AM 2385896]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 18:26]
.
2011-10-29 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX6000_exe.job
- c:\windows\vVX6000.exe [2010-02-28 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.vzam.net/download/download.aspx?productid=478&upd=t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\ou5mjx69.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Desura - c:\program files\Desura\Desura_Uninstaller.exe
AddRemove-EZ FX v6.0 - c:\program files\Irrational Games\Freedom Force vs The 3rd Reich\ffx3\AFF_EZFXv60.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-07 08:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004336348-1547161642-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:59,9f,99,e9,a5,53,6f,af,60,b1,7b,39,5e,3e,10,18,e4,ad,1a,59,0d,
7c,10,94,90,79,ea,4e,e5,db,e7,d4,17,5a,9a,e2,03,f4,ce,8e,3c,1e,66,a7,f7,a9,\
"rkeysecu"=hex:e2,d4,4d,65,42,2f,07,12,ea,63,25,cd,c1,0f,d8,ce
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
"1"=hex:df,c7,3a,96,ab,66,13,d2,35,84,aa,2e,3b,c4,59,82
"2"=hex:a5,2d,b1,39,25,57,b6,7c,bd,55,f5,f4,85,30,c7,12
"3"=hex:a6,af,e5,d5,a7,af,4a,78,6d,23,0f,d7,c4,6a,33,0d,4f,74,ea,76,dd,08,3c,
ff,fd,29,5c,dd,dd,8d,60,2e,2d,4a,64,e7,08,bd,b2,a4,a4,3c,09,56,c6,0b,3b,c1,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:df,c7,3a,96,ab,66,13,d2,0e,90,72,68,c4,63,c8,bb,00,5d,70,3b,08,36,97,
bd,ee,04,c1,4a,7c,6f,fd,5f,f7,67,d1,43,f2,ef,e6,1c,89,7c,fa,9f,4c,d6,39,08,\
"7"=hex:93,41,de,56,34,94,a7,b2,13,ca,26,2f,35,a5,e0,53,1e,d5,e7,20,4a,dd,09,
c9,2d,37,7b,a2,3c,71,f4,5e,ed,02,2a,97,fd,fb,2c,72,12,5f,23,ff,c4,2a,48,c4,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,a8,b0,f3,43,29,71,da,42,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:ea,b0,80,a5,8c,07,0d,e7,b2,da,c8,8b,e4,54,5e,e5,a2,09,ad,d1,d6,21,a9,
e2,83,f6,59,f8,de,ea,f7,71,a9,45,f7,04,08,d7,fe,21,a2,de,5b,32,c7,97,61,df,\
"13"=hex:10,57,45,cb,75,0c,00,19,88,35,b8,d6,87,0e,6d,cd,2c,09,07,60,41,5c,90,
64,a6,7b,82,94,bb,0d,90,77,72,8c,13,2f,f2,5c,95,3f
"14"=hex:d2,08,a4,82,f1,1a,a0,b4,f5,1f,60,13,49,13,4c,d5
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:d1,e6,18,27,c4,95,95,22,6e,63,d9,96,22,80,1a,23
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:3a,28,dc,4a,77,f4,70,bb,7e,9b,41,db,ba,38,13,21,d3,68,db,4a,5a,72,58,
0e,3f,8d,35,c2,d6,d3,fe,a8,0a,89,d2,03,53,88,74,f5,bd,d5,57,75,d2,dc,b9,60,\
.
Completion time: 2012-06-07 08:51:23
ComboFix-quarantined-files.txt 2012-06-07 15:51
.
Pre-Run: 2,820,907,008 bytes free
Post-Run: 4,025,249,792 bytes free
.
- - End Of File - - F912DF90DB6E7CD41AC957E2DC095617



Edited by RPMcMurphy, 07 June 2012 - 03:57 PM.
Added log


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:01 PM

Posted 07 June 2012 - 04:03 PM

Are your searches still being redirected? Please do this next:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • Are your searches still being redirected?
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 IDMWMYG

IDMWMYG
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 09 June 2012 - 04:08 PM

Redirects continue. Now they all seem to go to scour dot com which loads as a blank page. Previously they were routing me all over, mostly to shopping sites loosely related to the search.

While running MBAM, AVG picked up two Win32/Heur.

Here's the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.08.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dave :: HAL-9300 [administrator]

6/8/2012 7:50:24 PM
mbam-log-2012-06-08 (19-50-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 346411
Time elapsed: 3 hour(s), 45 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Dave\My Documents\Gigadon\Computer Help\unlocker1.8.7.exe (Adware.Clicker) -> Quarantined and deleted successfully.

(end)

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:01 PM

Posted 09 June 2012 - 07:37 PM

OK, thanks. Please do this next:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of the OTL.txt log and paste them into your next post.
Please include the following in your next post:
  • OTL.txt log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
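The OTL.txt requested above is read by eye in this thread. As an added example, not part of the thread and not OTL's own code, here is a small Python script that applies a few of the checks a responder makes over such a log: executables, services, drivers and autorun entries that carry no publisher string, service or driver registrations whose binary is gone, the DNS servers set on the adapter (a changed resolver is one cause of search redirects), hosts-file entries beyond localhost, and the proxy switch. The sample lines are copied, abridged, from the OTL.txt posted below; the rule set, the regular expressions and the function names (`triage`, `report`) are this example's own and are heuristics, not anything OTL itself flags.

```python
import re
from collections import defaultdict

# Constructed input: lines copied (abridged) from the OTL.txt posted in this
# thread. The checks applied to them are this example's own heuristics.
SAMPLE_LOG = r"""
PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2010/04/25 21:03:35 | 000,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe
PRC - [2009/03/12 18:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files\Everything\Everything.exe
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2010/04/25 21:03:35 | 000,002,560 | ---- | M] () [Auto | Running] -- C:\WINDOWS\Runservice.exe -- (LicCtrlService)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2011/02/23 17:04:32 | 000,013,496 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Everything] C:\Program Files\Everything\Everything.exe ()
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C4CA7A7F-0016-415F-9224-D9A7A4EE3DC2}: NameServer = 66.174.92.14 66.174.95.44
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
"""

# PRC/MOD/SRV/DRV lines that point at an existing file:
#   KIND - [stamp] (Company) [state] -- path -- (ServiceName)
# The company field is everything up to the first ')', so a publisher
# string that itself contains parentheses would need a smarter parser.
FILE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.*?)(?: -- \((?P<name>[^)]*)\))?$"
)
# Service/driver registrations whose binary is no longer on disk.
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[[^\]]*\] -- (?P<path>.*?) -- \((?P<name>[^)]*)\)"
)
# Autorun entries:  O4 - HKLM..\Run: [Name] path (Company)
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*) \((?P<company>[^)]*)\)$")
DNS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
PROXY_RE = re.compile(r'"ProxyEnable" = (?P<value>\d+)')


def triage(log_text):
    """Return {category: [findings]} for the OTL lines in log_text."""
    findings = defaultdict(list)
    seen = set()  # the same binary is often listed by several sections

    def note_no_publisher(kind, path):
        if path.lower() not in seen:
            seen.add(path.lower())
            findings["no_publisher"].append((kind, path))

    for line in log_text.splitlines():
        line = line.strip()
        if m := MISSING_RE.match(line):
            findings["orphaned_service"].append((m["name"], m["path"]))
        elif m := FILE_RE.match(line):
            if not m["company"].strip():
                note_no_publisher(m["kind"], m["path"])
        elif m := RUN_RE.match(line):
            if not m["company"].strip():
                note_no_publisher("O4", m["path"])
        elif m := DNS_RE.match(line):
            # Surfaced for comparison with the resolvers the ISP should hand out.
            findings["dns_servers"].extend(m["servers"].split())
        elif m := HOSTS_RE.match(line):
            # Anything other than the loopback/localhost pair deserves a look.
            if m["host"].lower() != "localhost" or not m["ip"].startswith("127."):
                findings["hosts_override"].append((m["ip"], m["host"]))
        elif (m := PROXY_RE.search(line)) and m["value"] != "0":
            findings["proxy_enabled"].append(line)
    return dict(findings)


def report(log_text):
    """Human-readable summary, one line per finding."""
    lines = []
    for category, items in triage(log_text).items():
        lines.append(f"[{category}]")
        for item in items:
            lines.append("  " + (" ".join(item) if isinstance(item, tuple) else str(item)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The script only sorts the log into piles for a human to look at: a missing publisher string means the file has no version information, not that it is malicious (Everything.exe and nwiz.exe are legitimate), and the O17 resolvers are listed so the responder can check them against the ISP's, which is the first thing to verify when searches are being redirected.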


#7 IDMWMYG

IDMWMYG
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 10 June 2012 - 10:29 PM

OTL logfile created on: 6/9/2012 10:09:28 PM - Run 2
OTL by OldTimer - Version 3.2.48.0 Folder = C:\Documents and Settings\Dave\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.55 Gb Available Physical Memory | 27.50% Memory free
3.85 Gb Paging File | 2.57 Gb Available in Paging File | 66.71% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.83 Gb Total Space | 2.97 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Drive D: | 2.63 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 483.50 Mb Total Space | 483.50 Mb Free Space | 100.00% Space Free | Partition Type: FAT
Drive F: | 42.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HAL-9300 | User Name: Dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/09 22:07:47 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe
PRC - [2012/04/20 18:18:58 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/04/04 18:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 04:53:14 | 000,758,112 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/02/14 04:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2010/12/09 13:40:04 | 003,826,968 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
PRC - [2010/04/25 21:03:35 | 000,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe
PRC - [2009/03/12 18:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files\Everything\Everything.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/17 14:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2007/04/10 14:46:43 | 000,996,712 | ---- | M] (Microsoft Corporation
) -- C:\WINDOWS\vVX6000.exe
PRC - [2007/02/21 11:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 11:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/16 09:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Program Files\I8kfanGUI\I8kfanGUI.exe
PRC - [2006/06/29 13:13:32 | 001,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/06/29 13:12:34 | 000,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2005/10/07 15:13:38 | 000,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/07/27 17:41:08 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/06/29 00:56:12 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/16 11:18:18 | 008,797,856 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll
MOD - [2012/04/20 18:19:01 | 001,952,696 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/03 08:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/05/30 00:42:54 | 000,043,520 | ---- | M] () -- C:\WINDOWS\system32\CmdLineExt03.dll
MOD - [2010/04/25 21:03:39 | 000,126,976 | ---- | M] () -- C:\WINDOWS\lcmmfu.cpl
MOD - [2010/04/25 21:03:35 | 000,048,640 | ---- | M] () -- C:\WINDOWS\mmfs.dll
MOD - [2010/04/25 21:03:35 | 000,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe
MOD - [2009/11/03 17:14:04 | 000,054,272 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_01.dll
MOD - [2009/03/12 18:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files\Everything\Everything.exe
MOD - [2008/04/13 17:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 17:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/02/21 11:13:02 | 000,118,784 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2006/06/29 13:13:50 | 000,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2005/10/10 01:49:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/05/16 11:26:18 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/04 18:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/04/25 21:03:35 | 000,002,560 | ---- | M] () [Auto | Running] -- C:\WINDOWS\Runservice.exe -- (LicCtrlService)
SRV - [2007/05/17 14:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2006/06/29 13:12:34 | 000,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pxfhserd.sys -- (pxfhserd) PANTECH PC Card Diagnostic Serial Port (WDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pxfhmdm.sys -- (pxfhmdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pxfhmdfl.sys -- (pxfhmdfl)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pxfhbus.sys -- (pxfhbus) PANTECH PC Card Composite Device driver (WDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/02/22 05:25:32 | 000,235,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/23 17:04:32 | 000,013,496 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/07/08 10:52:32 | 000,231,424 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2010/07/08 10:52:32 | 000,176,384 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nwusbser2_000.sys -- (NWUSBPort2_000) Novatel Wireless USB Status2 Port Driver (vGEN)
DRV - [2010/07/08 10:52:32 | 000,176,384 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nwusbser_000.sys -- (NWUSBPort_000) Novatel Wireless USB Status Port Driver (vGEN)
DRV - [2010/07/08 10:52:32 | 000,176,384 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nwusbmdm_000.sys -- (NWUSBModem_000) Novatel Wireless USB Modem Driver (vGEN)
DRV - [2010/07/08 10:52:32 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2010/04/14 20:29:22 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2009/09/21 18:52:40 | 000,114,704 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCWWAN.sys -- (PTDCWWAN)
DRV - [2009/09/21 18:52:22 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCVsp.sys -- (PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP)
DRV - [2009/09/21 18:52:22 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCMdm.sys -- (PTDCMdm) PANTECH PC Card Drivers (UDP)
DRV - [2009/09/21 18:52:20 | 000,054,032 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDCBus.sys -- (PTDCBus) PANTECH PC Card Composite Device Driver (UDP)
DRV - [2007/04/10 14:46:44 | 002,385,896 | ---- | M] (Microsoft Corporation
) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX6000Xp.sys -- (VX6000)
DRV - [2007/02/21 11:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/16 02:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2007/02/08 13:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/09/28 21:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/03 15:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 15:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 15:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/05/26 15:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope = {7446A7D2-9B44-4796-9174-0F69D54B4BE4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{54F9E96A-8FA3-4DCF-888F-B3EE2C3EAE85}: "URL" = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
IE - HKCU\..\SearchScopes\{7446A7D2-9B44-4796-9174-0F69D54B4BE4}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKCU\..\SearchScopes\{B77861B1-FCD8-4766-BD23-23935AFB7145}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKCU\..\SearchScopes\{CD44ECD6-5CD1-4CB3-8155-2817725BEDE6}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Dave\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/05/21 12:48:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/17 10:00:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/02 02:16:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/09/14 23:45:38 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}: C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\ [2012/04/03 01:18:10 | 000,000,000 | ---D | M]

[2012/05/31 13:53:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions
[2012/05/31 13:53:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/06/07 07:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\ou5mjx69.default\extensions
[2012/05/17 10:00:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/17 11:21:18 | 000,634,964 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\DAVE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OU5MJX69.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/05/22 21:05:00 | 000,368,105 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\DAVE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OU5MJX69.DEFAULT\EXTENSIONS\GOOGLE@HITACHI.COM.XPI
[2012/05/21 09:31:21 | 000,007,240 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\DAVE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OU5MJX69.DEFAULT\EXTENSIONS\YOUTUBE-COMMENT-SNOB@EFINKE.COM.XPI
[2012/04/03 01:18:10 | 000,000,000 | ---D | M] (Translate This!) -- C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}
[2012/04/20 18:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/20 18:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/20 18:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/07 08:47:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [Everything] C:\Program Files\Everything\Everything.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [VX6000] C:\WINDOWS\vVX6000.exe (Microsoft Corporation
)
O4 - HKCU..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe (Christian Diefer)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Dave\Start Menu\Programs\Startup\BreakTaker.appref-ms ()
O4 - Startup: C:\Documents and Settings\Dave\Start Menu\Programs\Startup\VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C4CA7A7F-0016-415F-9224-D9A7A4EE3DC2}: NameServer = 66.174.92.14 66.174.95.44
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/27 04:37:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/10 04:00:00 | 000,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/08/21 00:39:48 | 000,000,074 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/09 22:08:47 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe
[2012/06/09 15:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Start Menu\Programs\BreakTaker
[2012/06/08 19:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\Malwarebytes
[2012/06/08 19:46:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/08 19:46:17 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/08 19:46:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/08 19:46:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/06/07 15:58:57 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/06/07 13:31:53 | 000,000,000 | ---D | C] -- C:\Program Files\LillyLookingThrough
[2012/06/07 13:18:29 | 000,000,000 | ---D | C] -- C:\Program Files\coe3
[2012/06/07 08:27:56 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/06/07 08:27:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2012/06/07 08:27:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2012/06/07 07:54:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/06/07 07:54:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/06/07 07:54:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/06/07 07:54:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/06/07 07:54:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/06/07 07:54:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/07 07:50:20 | 004,538,022 | R--- | C] (Swearware) -- C:\Documents and Settings\Dave\Desktop\ComboFix.exe
[2012/06/04 20:38:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Start Menu\Programs\Conquest of Elysium 3
[2012/06/04 20:21:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\TweakMB
[2012/05/29 21:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/05/29 21:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dave\Start Menu\Programs\Administrative Tools
[2012/05/29 21:54:44 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Dave\Desktop\dds.scr
[2012/05/29 18:18:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG
[2012/05/21 12:47:44 | 000,000,000 | ---D | C] -- C:\$AVG
[2012/05/21 12:47:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2012/05/21 12:36:18 | 000,000,000 | ---D | C] -- C:\downloads
[2012/05/21 12:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\Music
[2012/05/17 10:00:41 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/05/17 09:10:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/05/16 11:18:19 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/16 06:42:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Local Settings\Application Data\Sun
[2012/05/16 06:38:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/16 06:17:41 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
[2012/05/16 06:17:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\Oracle
[2012/05/16 06:16:55 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/05/16 06:16:55 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/05/16 06:16:33 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/05/16 06:16:33 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/09 22:07:47 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\OTL.exe
[2012/06/09 21:25:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/09 18:32:31 | 100,120,371 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/06/09 15:51:13 | 000,000,340 | ---- | M] () -- C:\Documents and Settings\Dave\Start Menu\Programs\Startup\BreakTaker.appref-ms
[2012/06/09 15:51:13 | 000,000,340 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\BreakTaker.appref-ms
[2012/06/09 00:13:30 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Dave\Start Menu\Programs\Startup\VZAccess Manager.lnk
[2012/06/09 00:13:08 | 000,039,287 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/06/09 00:07:32 | 000,002,001 | -HS- | M] () -- C:\WINDOWS\System32\mmf.sys
[2012/06/09 00:06:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/08 19:46:24 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/07 13:33:00 | 000,001,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Lilly.lnk
[2012/06/07 13:20:15 | 000,001,476 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Conquest of Elysium 3.lnk
[2012/06/07 08:47:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/07 08:28:28 | 000,000,280 | RHS- | M] () -- C:\boot.ini
[2012/06/07 07:51:53 | 004,538,022 | R--- | M] (Swearware) -- C:\Documents and Settings\Dave\Desktop\ComboFix.exe
[2012/06/06 18:19:19 | 000,099,219 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/06/04 20:20:54 | 001,141,530 | R--- | M] () -- C:\Documents and Settings\Dave\Desktop\TweakMB.zip
[2012/05/31 06:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/29 21:55:06 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Dave\Desktop\dds.scr
[2012/05/29 21:19:58 | 000,362,959 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\dark day of the sun.jpg
[2012/05/29 19:34:34 | 000,202,908 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\night of the full moon.jpg
[2012/05/29 18:18:11 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/05/27 20:08:41 | 000,042,371 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\letter to george fox may 27.odt
[2012/05/27 18:42:10 | 000,041,371 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\letter to george fox may 23.odt
[2012/05/26 16:29:57 | 000,503,360 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/26 16:29:57 | 000,088,718 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/26 16:19:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/26 16:19:14 | 000,034,814 | ---- | M] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\dt.dat
[2012/05/26 15:56:41 | 000,023,854 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\gfu notes.odt
[2012/05/22 15:02:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/05/21 12:37:03 | 000,000,435 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2012/05/19 15:28:20 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2012/05/17 11:22:40 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2012/05/17 10:00:59 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/16 11:26:12 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/16 11:26:12 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/05/16 09:30:46 | 000,131,688 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/16 06:15:39 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/05/16 06:15:39 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/05/15 16:07:45 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/09 18:32:31 | 100,120,371 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/06/09 15:51:38 | 000,000,340 | ---- | C] () -- C:\Documents and Settings\Dave\Start Menu\Programs\Startup\BreakTaker.appref-ms
[2012/06/09 15:51:13 | 000,000,340 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\BreakTaker.appref-ms
[2012/06/08 19:46:24 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/07 13:33:00 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Lilly.lnk
[2012/06/07 13:33:00 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\LillyLookingThrough.lnk
[2012/06/07 13:20:15 | 000,001,476 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\Conquest of Elysium 3.lnk
[2012/06/07 08:28:27 | 000,000,209 | -HS- | C] () -- C:\BOOT.BAK
[2012/06/07 08:28:19 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/06/07 07:54:47 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/07 07:54:47 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/07 07:54:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/07 07:54:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/07 07:54:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/06/06 18:19:19 | 000,099,219 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/06/04 20:19:59 | 001,141,530 | R--- | C] () -- C:\Documents and Settings\Dave\Desktop\TweakMB.zip
[2012/05/29 21:57:18 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\gmer.exe
[2012/05/29 21:22:54 | 000,362,959 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\dark day of the sun.jpg
[2012/05/29 21:22:54 | 000,202,908 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\night of the full moon.jpg
[2012/05/27 18:44:15 | 000,042,371 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\letter to george fox may 27.odt
[2012/05/26 16:19:14 | 000,034,814 | ---- | C] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\dt.dat
[2012/05/24 18:09:54 | 000,023,854 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\gfu notes.odt
[2012/05/23 16:56:21 | 000,041,371 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\letter to george fox may 23.odt
[2012/05/21 12:49:11 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/05/17 11:22:40 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2012/05/17 10:00:59 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/17 10:00:59 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/05/16 11:18:21 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/03/24 14:19:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/17 01:13:30 | 000,715,038 | ---- | C] () -- C:\WINDOWS\unins001.exe
[2011/12/17 01:13:29 | 000,000,764 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2011/06/26 15:09:39 | 000,000,024 | ---- | C] () -- C:\WINDOWS\AcdStitch.INI
[2011/06/23 14:06:03 | 000,029,520 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011/06/23 14:05:59 | 000,013,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2011/06/08 18:03:42 | 000,000,037 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2011/06/04 23:16:44 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/14 22:12:12 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat

========== Custom Scans ==========

< etsvcs >

< End of report >

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 PM

Posted 11 June 2012 - 07:30 AM

Are the redirects happening in Firefox only or all browsers? Please run this for me:

Go to this LINK to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double-click on it to install and a new window will open.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 IDMWMYG

IDMWMYG
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 12 June 2012 - 09:31 AM

Seems to be only in Firefox now. It was definitely in Chrome and Firefox before. I was not using IE at the time. I've done ~20 successful searches in Chrome and IE. ESET found something.



ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=c8694a7d6173c94985829eac7c15d4c3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-12 11:01:41
# local_time=2012-06-12 04:01:41 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 71036693 71036693 0 0
# compatibility_mode=1024 16777191 100 0 22552819 22552819 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149107
# found=2
# cleaned=0
# scan_time=18857
C:\Documents and Settings\Dave\Application Data\Sun\Java\Deployment\cache\6.0\24\68c134d8-37a05473 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I

Edited by IDMWMYG, 12 June 2012 - 11:50 AM.


#10 RPMcMurphy


Posted 12 June 2012 - 05:24 PM

Please do this now:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}: C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\ [2012/04/03 01:18:10 | 000,000,000 | ---D | M]
    [2012/04/03 01:18:10 | 000,000,000 | ---D | M] (Translate This!) -- C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}
    :Files
    C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul
    :Commands
    [EmptyTemp]
    [ResetHosts]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Please include the following in your next post:
  • OTL Fix log


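The fix above removes a Firefox extension that was registered in the registry but lived in a GUID-named folder under the user's Local Settings\Application Data, the same entry ESET flagged as JS/Redirector. As an added example (not OTL's code and not anything posted in this thread), here is a small Python triage helper that parses OTL's "FF - ...Extensions" report lines and flags registrations with that shape; the second sample line, its extension id and vendor path are constructed.

```python
import re

# Added triage helper (not OTL's code nor anything posted in this thread): parses
# OTL "FF - <hive>\software\mozilla\Firefox\Extensions\\<id>: <path> [...]" lines
# and flags extensions registered via the registry but installed into a GUID-named
# folder under a per-user data directory, the shape of the redirector fixed above.
EXT_RE = re.compile(
    r"^FF - (?P<hive>HKEY_[A-Z_]+)\\software\\mozilla\\Firefox\\Extensions\\\\"
    r"(?P<ext_id>[^:]+): (?P<path>.+?) \[", re.IGNORECASE)
# Install folder named like a COM-style GUID, e.g. {8976AB8A-...-B8AC6F996F26}
GUID_DIR_RE = re.compile(
    r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\?$", re.IGNORECASE)
# Per-user writable folders (Windows XP layout); no installer should put an extension here
USER_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\"
    r"(Local Settings\\(Application Data|Temp)|Application Data)\\", re.IGNORECASE)

# Constructed sample input: line 1 is the registration OTL reported in this thread,
# line 2 a made-up normal-looking vendor registration, line 3 a plain file entry.
SAMPLE_OTL_LINES = [
    r"FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\"
    r"{8976AB8A-7D65-11E1-826D-B8AC6F996F26}: C:\Documents and Settings\Dave"
    r"\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\ "
    r"[2012/04/03 01:18:10 | 000,000,000 | ---D | M]",
    r"FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\helper@example.invalid: "
    r"C:\Program Files\Example Vendor\firefox-ext\ [2011/01/01 00:00:00 | 000,000,000 | ---D | M]",
    r"[2012/04/03 01:18:10 | 000,000,000 | ---D | M] (Translate This!) -- "
    r"C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}",
]

def parse_extension_registrations(lines):
    """One dict (hive, ext_id, path) per registry-registered Firefox extension."""
    return [m.groupdict() for m in map(EXT_RE.match, lines) if m]

def suspicion_reasons(reg):
    """Why a registration looks sideloaded; an empty list means it looks normal."""
    reasons = []
    if USER_DATA_RE.search(reg["path"]):
        reasons.append("install path is a per-user data folder, not Program Files")
    if GUID_DIR_RE.search(reg["path"]):
        reasons.append("install folder is GUID-named, like the redirector in this thread")
    return reasons

def triage(lines):
    """Flagged registrations with their reasons, most reasons first."""
    hits = [{**reg, "reasons": suspicion_reasons(reg)}
            for reg in parse_extension_registrations(lines)]
    return sorted((h for h in hits if h["reasons"]), key=lambda h: -len(h["reasons"]))

if __name__ == "__main__":
    for hit in triage(SAMPLE_OTL_LINES):
        print(f"{hit['hive']} {hit['ext_id']} -> {hit['path']}")
        for reason in hit["reasons"]:
            print("   *", reason)
```

Feed it the "FF -" section of a full OTL report and only the registrations worth a second look come back; a clean machine returns an empty list.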

#11 IDMWMYG


Posted 13 June 2012 - 08:52 PM

All processes killed
========== OTL ==========
File HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}: C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\ not found.
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\chrome\content folder moved successfully.
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\chrome folder moved successfully.
C:\DOCUMENTS AND SETTINGS\DAVE\LOCAL SETTINGS\APPLICATION DATA\{8976AB8A-7D65-11E1-826D-B8AC6F996F26} folder moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\Dave\Local Settings\Application Data\{8976AB8A-7D65-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dave
->Temp folder emptied: 35292818 bytes
->Temporary Internet Files folder emptied: 65912904 bytes
->Java cache emptied: 20173640 bytes
->FireFox cache emptied: 334158687 bytes
->Google Chrome cache emptied: 104325123 bytes
->Flash cache emptied: 5090356 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Mom
->Temp folder emptied: 214 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 117206932 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1225527 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13667 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 652.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.48.0 log created on 06132012_175423

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#12 RPMcMurphy


Posted 13 June 2012 - 10:59 PM

Are you still having redirects?



#13 IDMWMYG


Posted 14 June 2012 - 12:13 PM

It seems to be cured. Thanks.

#14 RPMcMurphy


Posted 14 June 2012 - 10:07 PM

OK, thanks. Your system looks clean and I will have some important cleanup measures for you to take shortly. For now please do not remove any of the tools we used. I'll post some instructions for you soon.



#15 RPMcMurphy


Posted 15 June 2012 - 08:47 AM

Thanks for your patience. Now I have some very important cleanup for you to take care of:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining logs or tools.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!





