
Infected with Scour (63.209.69.107) Google Redirect Virus


  • This topic is locked
20 replies to this topic

#1 Malroux

  • Members
  • 10 posts

Posted 29 October 2012 - 07:34 PM

Hello. I am another victim of the Scour Google Redirect virus. I am running Windows Vista Home Professional. I have attempted to use various software products to find and destroy this virus, but none of them have located it. However, aswMBR did find a trojan, and I removed it. This trojan was installed on 10/18/2012, so I suspect the Google redirect was installed at the same time. Firefox is affected, but Internet Explorer does not seem to be. Firefox is my typically used browser. I note that your people have been working on many similar Google redirect problems, so I hope that you will be able to zero in on mine, so that this virus can be destroyed. I am providing below the DDS.txt log that I ran, and attaching the DDS Attach.txt log. In addition, I have copied the GMER ark.txt log that resulted from running GMER.

Thank you in advance for your assistance.

DDS.txt:

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421
Run by tmadxxx at 17:37:31 on 2012-10-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1398 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Online Services\Sign In\SignIn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - <orphaned>
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AROReminder] c:\program files\aro 2012\ARO.exe -rem
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SignIn] "c:\program files\microsoft online services\sign in\SignIn.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\tmadxxx\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\tmadxxx\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://redvector.webex.com/client/T27LB/training/ieatgpc1.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{ADF67151-6190-40DF-9538-0890B562DCC8} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tmadxxx\appdata\roaming\mozilla\firefox\profiles\wk25kv16.default-1341699211259\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=9202AA627752E0778EDB415085A463DB&q=
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\tmadxxx\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - ExtSQL: 2012-10-22 15:54; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\users\tmadxxx\appdata\roaming\mozilla\firefox\profiles\wk25kv16.default-1341699211259\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
FF - ExtSQL: 2012-10-22 15:54; jid1-yZwVFzbsyfMrqQ@jetpack; c:\users\tmadxxx\appdata\roaming\mozilla\firefox\profiles\wk25kv16.default-1341699211259\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-21 21504]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-10-26 105832]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-7-7 1153368]
R3 MRVW147;Marvell TOPDOG ™ 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\drivers\MRVW147.sys [2007-8-17 526848]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 250808]
S3 DniVapCo;Deterministic Networks CoWAN Miniport (Virtual);c:\windows\system32\drivers\vapco.sys [2010-7-21 27408]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-20 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 115168]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-10-28 17:38:25 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c6df632a-8796-4477-b73e-ebe562f2db36}\offreg.dll
2012-10-27 14:39:13 -------- d-----w- c:\program files\ESET
2012-10-27 02:34:45 -------- d-----w- c:\users\tmadxxx\appdata\local\temp
2012-10-27 02:34:05 -------- d-sh--w- C:\$RECYCLE.BIN
2012-10-26 21:10:12 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c6df632a-8796-4477-b73e-ebe562f2db36}\mpengine.dll
2012-10-26 15:12:00 -------- d-----w- c:\users\tmadxxx\appdata\roaming\Sammsoft
2012-10-26 15:11:40 -------- d-----w- c:\program files\ARO 2012
2012-10-26 14:57:32 -------- d-----w- c:\program files\HitmanPro
2012-10-26 14:56:35 -------- d-----w- c:\programdata\HitmanPro
2012-10-25 15:32:20 98816 ----a-w- c:\windows\sed.exe
2012-10-25 15:32:20 256000 ----a-w- c:\windows\PEV.exe
2012-10-25 15:32:20 208896 ----a-w- c:\windows\MBR.exe
2012-10-24 22:37:45 -------- d-----w- c:\program files\CCleaner
2012-10-22 19:58:07 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-10-22 19:55:43 -------- d-----w- c:\users\tmadxxx\appdata\local\Downloaded Installations
2012-10-22 19:54:55 -------- d-----w- c:\users\tmadxxx\appdata\local\adawarebp
2012-10-22 19:54:54 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-10-22 19:53:55 -------- d-----w- c:\program files\adawaretb
2012-10-22 19:36:42 -------- d-----w- c:\users\tmadxxx\appdata\roaming\LavasoftStatistics
2012-10-22 19:36:01 -------- d-----w- c:\users\tmadxxx\appdata\roaming\Ad-Aware Antivirus
2012-10-17 16:38:06 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-17 16:36:21 -------- d-----w- c:\program files\iPod
2012-10-17 16:36:11 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-17 16:36:11 -------- d-----w- c:\program files\iTunes
2012-10-10 04:32:48 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 04:32:47 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 04:32:47 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 04:32:40 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 04:32:37 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 04:32:30 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 04:32:30 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2012-10-09 03:21:17 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 03:21:17 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 17:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
.
============= FINISH: 17:37:50.64 ===============


GMER ark.txt log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-29 19:35:09
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\Users\tmadxxx\AppData\Local\Temp\uxdirfob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\tmadxxx\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\tmadxxx\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\Users\tmadxxx\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1716] ntdll.dll!LdrLoadDll 77919378 5 Bytes JMP 61CF5B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1716] kernel32.dll!HeapSetInformation + 26 760AA8C0 7 Bytes JMP 61CFEF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1716] kernel32.dll!LockResource + C 760C6B0B 7 Bytes JMP 61F37B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1716] kernel32.dll!VirtualAllocEx + 54 760CAF70 7 Bytes JMP 61F37B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1716] GDI32.dll!SetStretchBltMode + 256 77AB745C 7 Bytes JMP 61F37AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
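The DDS "Pseudo HJT Report" above puts the IE browser helper objects and toolbars, the Run-key autostarts, DPF (ActiveX download) entries, the configured resolvers and the Firefox prefs on one screen, which is why responders ask for it first. The script below is an added example, not code from this thread, from DDS or from BleepingComputer: it parses those line shapes and turns them into a review list (orphaned BHO CLSIDs, autostart commands that are not absolute paths under Program Files or Windows, a `keyword.URL` override, resolvers that differ from an expected list). The regexes, the `HjtTriage` field names and the `expected_dns` parameter are assumptions made for the example, and `SAMPLE_DDS` is constructed from the kinds of lines in the posted log rather than being the full report.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log (added example, not DDS code)."""
import re
from dataclasses import dataclass, field

# Constructed sample built from the line shapes in the posted DDS log; not the full report.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
dRunOnce: [adaware] reg.exe delete "HKCU\Software\adaware" /f
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{ADF67151-6190-40DF-9538-0890B562DCC8} : DHCPNameServer = 209.18.47.61 209.18.47.62
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&q=
.
================= FIREFOX ===================
"""

# DDS line shapes (assumed from the log). BHO/TB: optional display name, CLSID, DLL path or <orphaned>.
OBJ_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?P<once>Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\} - (?P<url>\S+)$")
NS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : DHCP)?NameServer = (?P<servers>.*)$")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")


@dataclass
class HjtTriage:
    objects: list = field(default_factory=list)     # (kind, name, clsid, path)
    autostarts: list = field(default_factory=list)  # (hive+key, name, command)
    dpf_urls: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    ff_prefs: dict = field(default_factory=dict)

    @property
    def orphaned(self):
        """CLSIDs DDS marks <orphaned>: still registered, DLL no longer on disk."""
        return [clsid for _, _, clsid, path in self.objects if path == "<orphaned>"]


def hjt_section(text):
    """Lines between the Pseudo HJT header and the next '====' section header."""
    lines, inside = [], False
    for line in text.splitlines():
        if line.startswith("=") and "Pseudo HJT Report" in line:
            inside = True
        elif inside and line.startswith("="):
            break
        elif inside and line.strip() not in ("", "."):
            lines.append(line.rstrip())
    return lines


def triage_dds(text):
    t = HjtTriage()
    for line in hjt_section(text):
        if (m := OBJ_RE.match(line)):
            t.objects.append((m["kind"], m["name"] or "", m["clsid"], m["path"]))
        elif (m := RUN_RE.match(line)):
            key = m["hive"] + ("RunOnce" if m["once"] else "Run")
            t.autostarts.append((key, m["name"], m["cmd"]))
        elif (m := DPF_RE.match(line)):
            t.dpf_urls.append(m["url"])
        elif (m := NS_RE.match(line)):
            for server in m["servers"].split():       # NameServer and DHCPNameServer repeat
                if server not in t.nameservers:
                    t.nameservers.append(server)
        elif (m := FF_RE.match(line)):
            t.ff_prefs[m["key"]] = m["value"]
    return t


def review(t, expected_dns=()):
    """Turn parsed entries into review items; these are prompts to look, not verdicts."""
    items = [f"orphaned BHO {c}: CLSID registered but DLL missing; dead entry to clean up" for c in t.orphaned]
    ok_roots = ('c:\\program files', '"c:\\program files', 'c:\\windows', '"c:\\windows')
    for key, name, cmd in t.autostarts:
        if not cmd.lower().startswith(ok_roots):
            items.append(f"autostart {key} [{name}] is not an absolute Program Files/Windows path: {cmd}")
    if t.ff_prefs.get("keyword.URL"):
        items.append(f"Firefox keyword.URL sends address-bar searches to {t.ff_prefs['keyword.URL']}")
    if expected_dns and any(s not in expected_dns for s in t.nameservers):
        items.append(f"resolvers {t.nameservers} differ from expected {list(expected_dns)}")
    items += [f"DPF (ActiveX download) from {url}" for url in t.dpf_urls]
    return items


if __name__ == "__main__":
    for item in review(triage_dds(SAMPLE_DDS)):
        print(item)
```

Passing `expected_dns` is what makes the resolver line useful: the log only shows the addresses in use, so the comparison has to come from whatever the ISP or router is known to hand out.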



#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 29 October 2012 - 08:11 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Malroux (Topic Starter)

  • Members
  • 10 posts

Posted 29 October 2012 - 11:07 PM

Hello, Gringo, and thanks for the very rapid response. I ran the software you requested, and the results are copied below. Google searches are still being redirected to the Scour and associated sites.

Security Check:

Results of screen317's Security Check version 0.99.53
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
CCleaner
Java™ SE Runtime Environment 6 Update 1
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Microsoft Online Services Sign In SignIn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````


AdwCleaner:

# AdwCleaner v2.005 - Logfile created 10/29/2012 at 23:15:28
# Updated 14/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : tmadxxx - TMADXXX-PC
# Boot Mode : Normal
# Running from : C:\Users\tmadxxx\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\prefs.js

[OK] File is clean.

Profile name : default-1341699211259 [Profil par défaut]
File : C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6750 octets] - [26/10/2012 17:19:53]
AdwCleaner[S2].txt - [6472 octets] - [26/10/2012 17:20:57]
AdwCleaner[S3].txt - [1020 octets] - [29/10/2012 23:15:28]

########## EOF - C:\AdwCleaner[S3].txt - [1080 octets] ##########


RogueKiller:

Scan Log:

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : tmadxxx [Admin rights]
Mode : Scan -- Date : 10/29/2012 23:26:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVS-22UST0 +++++
--- User ---
[MBR] 7c39b898f2133d3035985d2fad525f73
[BSP] dc5ff7c3309cf2f70b2c1651d271bc20 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 11350 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23246055 | Size: 227122 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>


Delete Log:

RogueKiller V8.2.0 [10/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : tmadxxx [Admin rights]
Mode : Remove -- Date : 10/29/2012 23:27:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVS-22UST0 +++++
--- User ---
[MBR] 7c39b898f2133d3035985d2fad525f73
[BSP] dc5ff7c3309cf2f70b2c1651d271bc20 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 11350 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23246055 | Size: 227122 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
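RogueKiller's "HOSTS File" and "MBR Check" sections above are the two persistence spots it reads on every run; here the hosts file holds only `127.0.0.1 localhost`, so the redirect is not coming from there. As an added example (not RogueKiller's code and not from this thread), the parser below performs the hosts-file half of that check on constructed input: it tolerates comments, tabs, several names per line and IPv6 loopback, reports every name mapped to a non-loopback address, and lists search-engine names first because that is what a search redirect would touch. `SEARCH_DOMAINS` and the tampered sample (addresses from the 192.0.2.0/24 documentation range) are constructed for the example.

```python
"""Check a Windows hosts file for search-engine redirect entries (added example)."""
import ipaddress
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "ip names lineno")

# Clean file, exactly as printed in the RogueKiller log above.
CLEAN_HOSTS = "127.0.0.1 localhost\n"

# Constructed tampered sample; 192.0.2.0/24 is a documentation range, not a real sinkhole.
TAMPERED_HOSTS = """\
# constructed sample, not the poster's file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com
192.0.2.10\twww.bing.com
10.0.0.5        intranet.example   # local override, not a search engine
"""

# Name fragments treated as search engines (assumed list for the example).
SEARCH_DOMAINS = ("google.", "bing.", "yahoo.", "duckduckgo.")


def parse_hosts(text):
    """Parse hosts-file text into HostsEntry records, skipping comments and junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()                        # any whitespace, tabs included
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed line; Windows ignores it too
        entries.append(HostsEntry(ip, tuple(n.lower() for n in fields[1:]), lineno))
    return entries


def is_search_engine(name):
    return any(marker in name for marker in SEARCH_DOMAINS)


def find_redirects(text):
    """Return (name, ip, lineno) for every non-loopback mapping, search engines first."""
    hits = []
    for entry in parse_hosts(text):
        if entry.ip.is_loopback:                     # 127.0.0.0/8 and ::1 are the defaults
            continue
        for name in entry.names:
            hits.append((name, str(entry.ip), entry.lineno))
    hits.sort(key=lambda h: (not is_search_engine(h[0]), h[2]))
    return hits


if __name__ == "__main__":
    print("clean file:", find_redirects(CLEAN_HOSTS))
    for name, ip, lineno in find_redirects(TAMPERED_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

The non-search hits are still returned rather than dropped: a hosts override for an internal name is often legitimate, but the reviewer should see it and decide, which is also why RogueKiller prints the whole file instead of a verdict.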

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 30 October 2012 - 12:21 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


#5 Malroux (Topic Starter)

  • Members
  • 10 posts

Posted 30 October 2012 - 12:02 PM

Hello again, Gringo. Combofix ran without any problems. The Combofix log is provided below. Google continues to have redirect problems. Sometimes it goes to the correct site; other times it goes to 63.209.69.107, or Scour.com, or one of the similar sites.

Malroux

Combofix Log:

ComboFix 12-10-25.01 - tmadxxx 10/30/2012 12:19:21.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1592 [GMT -4:00]
Running from: c:\users\tmadxxx\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
.
.
2012-10-30 16:26 . 2012-10-30 16:26 -------- d-----w- c:\users\tmadxxx\AppData\Local\temp
2012-10-30 16:26 . 2012-10-30 16:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-27 14:39 . 2012-10-27 14:39 -------- d-----w- c:\program files\ESET
2012-10-26 21:10 . 2012-10-17 06:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C6DF632A-8796-4477-B73E-EBE562F2DB36}\mpengine.dll
2012-10-26 15:12 . 2012-10-26 15:12 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\Sammsoft
2012-10-26 15:11 . 2012-10-26 15:11 -------- d-----w- c:\program files\ARO 2012
2012-10-26 14:57 . 2012-10-26 14:57 -------- d-----w- c:\program files\HitmanPro
2012-10-26 14:56 . 2012-10-26 14:57 -------- d-----w- c:\programdata\HitmanPro
2012-10-24 22:37 . 2012-10-24 22:37 -------- d-----w- c:\program files\CCleaner
2012-10-22 19:58 . 2012-10-25 15:31 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-10-22 19:55 . 2012-10-22 19:55 -------- d-----w- c:\users\tmadxxx\AppData\Local\Downloaded Installations
2012-10-22 19:54 . 2012-10-22 19:59 -------- d-----w- c:\users\tmadxxx\AppData\Local\adawarebp
2012-10-22 19:54 . 2012-10-30 03:17 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-10-22 19:53 . 2012-10-22 19:54 -------- d-----w- c:\program files\adawaretb
2012-10-22 19:36 . 2012-10-22 19:36 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\LavasoftStatistics
2012-10-22 19:36 . 2012-10-23 14:30 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\Ad-Aware Antivirus
2012-10-17 16:38 . 2012-08-21 17:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-17 16:36 . 2012-10-17 16:36 -------- d-----w- c:\program files\iPod
2012-10-17 16:36 . 2012-10-17 16:38 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-17 16:36 . 2012-10-17 16:38 -------- d-----w- c:\program files\iTunes
2012-10-10 04:32 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 04:32 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 04:32 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 04:32 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 04:32 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 04:32 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 04:32 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 03:21 . 2012-04-06 22:55 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 03:21 . 2011-06-22 01:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-24 06:59 . 2012-09-23 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-23 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-23 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-23 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-23 07:01 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-23 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 17:01 . 2011-09-21 21:13 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-27 02:15 . 2012-10-27 02:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-12-01 04:07 . 2012-10-27 02:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-09-20 20:06 87448 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-09-20 87448]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"AROReminder"="c:\program files\ARO 2012\ARO.exe" [2012-07-27 2553752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-01 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"SignIn"="c:\program files\Microsoft Online Services\Sign In\SignIn.exe" [2010-03-10 1734512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 03:21]
.
2012-10-29 c:\windows\Tasks\ReclaimerUpdateFiles_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
2012-10-30 c:\windows\Tasks\ReclaimerUpdateXML_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
2012-10-30 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=9202AA627752E0778EDB415085A463DB&q=
FF - ExtSQL: 2012-10-22 15:54; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
FF - ExtSQL: 2012-10-22 15:54; jid1-yZwVFzbsyfMrqQ@jetpack; c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-30 12:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-10-30 12:29:04
ComboFix-quarantined-files.txt 2012-10-30 16:28
.
Pre-Run: 46,139,854,848 bytes free
Post-Run: 46,131,511,296 bytes free
.
- - End Of File - - A6B54A1466CC96FC5DF778C496D24048

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time:11:30 PM

Posted 30 October 2012 - 12:09 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Malroux

Malroux
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:30 PM

Posted 30 October 2012 - 04:16 PM

Hello, Gringo. I ran both TDSSKiller and aswMBR with no problems. Their logs are presented below. However, the Google redirect problems continue to exist.

Malroux


TDSSKiller Log:

16:47:44.0712 0460 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
16:47:44.0853 0460 ============================================================
16:47:44.0853 0460 Current date / time: 2012/10/30 16:47:44.0853
16:47:44.0853 0460 SystemInfo:
16:47:44.0853 0460
16:47:44.0853 0460 OS Version: 6.0.6002 ServicePack: 2.0
16:47:44.0853 0460 Product type: Workstation
16:47:44.0853 0460 ComputerName: TMADXXX-PC
16:47:44.0853 0460 UserName: tmadxxx
16:47:44.0853 0460 Windows directory: C:\Windows
16:47:44.0853 0460 System windows directory: C:\Windows
16:47:44.0853 0460 Processor architecture: Intel x86
16:47:44.0853 0460 Number of processors: 2
16:47:44.0853 0460 Page size: 0x1000
16:47:44.0853 0460 Boot type: Normal boot
16:47:44.0853 0460 ============================================================
16:47:45.0289 0460 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:47:45.0289 0460 ============================================================
16:47:45.0289 0460 \Device\Harddisk0\DR0:
16:47:45.0289 0460 MBR partitions:
16:47:45.0289 0460 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x162B4A8
16:47:45.0289 0460 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x162B4E7, BlocksNum 0x1BB9909A
16:47:45.0289 0460 ============================================================
16:47:45.0336 0460 C: <-> \Device\Harddisk0\DR0\Partition2
16:47:45.0336 0460 D: <-> \Device\Harddisk0\DR0\Partition1
16:47:45.0336 0460 ============================================================
16:47:45.0336 0460 Initialize success
16:47:45.0336 0460 ============================================================
16:47:51.0373 4000 ============================================================
16:47:51.0373 4000 Scan started
16:47:51.0373 4000 Mode: Manual;
16:47:51.0373 4000 ============================================================
16:47:51.0748 4000 ================ Scan system memory ========================
16:47:51.0748 4000 System memory - ok
16:47:51.0748 4000 ================ Scan services =============================
16:47:51.0966 4000 [ 4B56CAAFED0B0B996341D74CE0E76565 ] ac97intc C:\Windows\system32\drivers\ac97intc.sys
16:47:51.0966 4000 ac97intc - ok
16:47:52.0029 4000 [ 82B296AE1892FE3DBEE00C9CF92F8AC7 ] ACPI C:\Windows\system32\drivers\acpi.sys
16:47:52.0029 4000 ACPI - ok
16:47:52.0138 4000 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
16:47:52.0138 4000 AdobeFlashPlayerUpdateSvc - ok
16:47:52.0200 4000 [ 2EDC5BBAC6C651ECE337BDE8ED97C9FB ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
16:47:52.0216 4000 adp94xx - ok
16:47:52.0231 4000 [ B84088CA3CDCA97DA44A984C6CE1CCAD ] adpahci C:\Windows\system32\drivers\adpahci.sys
16:47:52.0231 4000 adpahci - ok
16:47:52.0263 4000 [ 7880C67BCCC27C86FD05AA2AFB5EA469 ] adpu160m C:\Windows\system32\drivers\adpu160m.sys
16:47:52.0263 4000 adpu160m - ok
16:47:52.0278 4000 [ 9AE713F8E30EFC2ABCCD84904333DF4D ] adpu320 C:\Windows\system32\drivers\adpu320.sys
16:47:52.0278 4000 adpu320 - ok
16:47:52.0341 4000 [ 9D1FDA9E086BA64E3C93C9DE32461BCF ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
16:47:52.0341 4000 AeLookupSvc - ok
16:47:52.0419 4000 [ 3911B972B55FEA0478476B2E777B29FA ] AFD C:\Windows\system32\drivers\afd.sys
16:47:52.0419 4000 AFD - ok
16:47:52.0497 4000 [ 39E435C90C9C4F780FA0ED05CA3C3A1B ] AgereModemAudio C:\Windows\system32\agrsmsvc.exe
16:47:52.0497 4000 AgereModemAudio - ok
16:47:52.0590 4000 [ A19871AE65A769C65034B4DC44C29023 ] AgereSoftModem C:\Windows\system32\DRIVERS\AGRSM.sys
16:47:52.0606 4000 AgereSoftModem - ok
16:47:52.0684 4000 [ EF23439CDD587F64C2C1B8825CEAD7D8 ] agp440 C:\Windows\system32\drivers\agp440.sys
16:47:52.0684 4000 agp440 - ok
16:47:52.0715 4000 [ AE1FDF7BF7BB6C6A70F67699D880592A ] aic78xx C:\Windows\system32\drivers\djsvs.sys
16:47:52.0715 4000 aic78xx - ok
16:47:52.0746 4000 [ A1545B731579895D8CC44FC0481C1192 ] ALG C:\Windows\System32\alg.exe
16:47:52.0746 4000 ALG - ok
16:47:52.0777 4000 [ 90395B64600EBB4552E26E178C94B2E4 ] aliide C:\Windows\system32\drivers\aliide.sys
16:47:52.0777 4000 aliide - ok
16:47:52.0793 4000 [ 2B13E304C9DFDFA5EB582F6A149FA2C7 ] amdagp C:\Windows\system32\drivers\amdagp.sys
16:47:52.0793 4000 amdagp - ok
16:47:52.0824 4000 [ 0577DF1D323FE75A739C787893D300EA ] amdide C:\Windows\system32\drivers\amdide.sys
16:47:52.0824 4000 amdide - ok
16:47:52.0871 4000 [ DC487885BCEF9F28EECE6FAC0E5DDFC5 ] AmdK7 C:\Windows\system32\drivers\amdk7.sys
16:47:52.0871 4000 AmdK7 - ok
16:47:52.0902 4000 [ 0CA0071DA4315B00FC1328CA86B425DA ] AmdK8 C:\Windows\system32\drivers\amdk8.sys
16:47:52.0902 4000 AmdK8 - ok
16:47:52.0980 4000 [ C6D704C7F0434DC791AAC37CAC4B6E14 ] Appinfo C:\Windows\System32\appinfo.dll
16:47:52.0980 4000 Appinfo - ok
16:47:53.0152 4000 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
16:47:53.0152 4000 Apple Mobile Device - ok
16:47:53.0183 4000 [ 5F673180268BB1FDB69C99B6619FE379 ] arc C:\Windows\system32\drivers\arc.sys
16:47:53.0183 4000 arc - ok
16:47:53.0245 4000 [ 957F7540B5E7F602E44648C7DE5A1C05 ] arcsas C:\Windows\system32\drivers\arcsas.sys
16:47:53.0245 4000 arcsas - ok
16:47:53.0308 4000 [ 53B202ABEE6455406254444303E87BE1 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
16:47:53.0308 4000 AsyncMac - ok
16:47:53.0370 4000 [ 1F05B78AB91C9075565A9D8A4B880BC4 ] atapi C:\Windows\system32\drivers\atapi.sys
16:47:53.0370 4000 atapi - ok
16:47:53.0448 4000 [ 68E2A1A0407A66CF50DA0300852424AB ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
16:47:53.0464 4000 AudioEndpointBuilder - ok
16:47:53.0479 4000 [ 68E2A1A0407A66CF50DA0300852424AB ] Audiosrv C:\Windows\System32\Audiosrv.dll
16:47:53.0479 4000 Audiosrv - ok
16:47:53.0542 4000 [ 08015D34F6FDD0B355805BAD978497C3 ] bcm4sbxp C:\Windows\system32\DRIVERS\bcm4sbxp.sys
16:47:53.0542 4000 bcm4sbxp - ok
16:47:53.0573 4000 [ 67E506B75BD5326A3EC7B70BD014DFB6 ] Beep C:\Windows\system32\drivers\Beep.sys
16:47:53.0573 4000 Beep - ok
16:47:53.0651 4000 [ C789AF0F724FDA5852FB9A7D3A432381 ] BFE C:\Windows\System32\bfe.dll
16:47:53.0667 4000 BFE - ok
16:47:53.0745 4000 [ 93952506C6D67330367F7E7934B6A02F ] BITS C:\Windows\system32\qmgr.dll
16:47:53.0760 4000 BITS - ok
16:47:53.0760 4000 blbdrive - ok
16:47:53.0869 4000 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
16:47:53.0869 4000 Bonjour Service - ok
16:47:53.0932 4000 [ 35F376253F687BDE63976CCB3F2108CA ] bowser C:\Windows\system32\DRIVERS\bowser.sys
16:47:53.0932 4000 bowser - ok
16:47:53.0994 4000 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\drivers\brfiltlo.sys
16:47:53.0994 4000 BrFiltLo - ok
16:47:54.0025 4000 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\drivers\brfiltup.sys
16:47:54.0025 4000 BrFiltUp - ok
16:47:54.0057 4000 [ A3629A0C4226F9E9C72FAAEEBC3AD33C ] Browser C:\Windows\System32\browser.dll
16:47:54.0057 4000 Browser - ok
16:47:54.0103 4000 [ B304E75CFF293029EDDF094246747113 ] Brserid C:\Windows\system32\drivers\brserid.sys
16:47:54.0103 4000 Brserid - ok
16:47:54.0135 4000 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\system32\drivers\brserwdm.sys
16:47:54.0135 4000 BrSerWdm - ok
16:47:54.0150 4000 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\system32\drivers\brusbmdm.sys
16:47:54.0150 4000 BrUsbMdm - ok
16:47:54.0166 4000 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\system32\drivers\brusbser.sys
16:47:54.0166 4000 BrUsbSer - ok
16:47:54.0213 4000 [ AD07C1EC6665B8B35741AB91200C6B68 ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
16:47:54.0213 4000 BTHMODEM - ok
16:47:54.0322 4000 catchme - ok
16:47:54.0384 4000 [ 7ADD03E75BEB9E6DD102C3081D29840A ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
16:47:54.0384 4000 cdfs - ok
16:47:54.0431 4000 [ 6B4BFFB9BECD728097024276430DB314 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
16:47:54.0431 4000 cdrom - ok
16:47:54.0525 4000 [ 312EC3E37A0A1F2006534913E37B4423 ] CertPropSvc C:\Windows\System32\certprop.dll
16:47:54.0525 4000 CertPropSvc - ok
16:47:54.0556 4000 [ DA8E0AFC7BAA226C538EF53AC2F90897 ] circlass C:\Windows\system32\drivers\circlass.sys
16:47:54.0556 4000 circlass - ok
16:47:54.0618 4000 [ D7659D3B5B92C31E84E53C1431F35132 ] CLFS C:\Windows\system32\CLFS.sys
16:47:54.0618 4000 CLFS - ok
16:47:54.0681 4000 [ 8EE772032E2FE80A924F3B8DD5082194 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:47:54.0696 4000 clr_optimization_v2.0.50727_32 - ok
16:47:54.0821 4000 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:47:54.0821 4000 clr_optimization_v4.0.30319_32 - ok
16:47:54.0899 4000 [ 99AFC3795B58CC478FBBBCDC658FCB56 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
16:47:54.0899 4000 CmBatt - ok
16:47:54.0930 4000 [ 45201046C776FFDAF3FC8A0029C581C8 ] cmdide C:\Windows\system32\drivers\cmdide.sys
16:47:54.0930 4000 cmdide - ok
16:47:54.0961 4000 [ 6AFEF0B60FA25DE07C0968983EE4F60A ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
16:47:54.0961 4000 Compbatt - ok
16:47:54.0961 4000 COMSysApp - ok
16:47:54.0977 4000 [ 2A213AE086BBEC5E937553C7D9A2B22C ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
16:47:54.0977 4000 crcdisk - ok
16:47:55.0008 4000 [ 22A7F883508176489F559EE745B5BF5D ] Crusoe C:\Windows\system32\drivers\crusoe.sys
16:47:55.0008 4000 Crusoe - ok
16:47:55.0086 4000 [ F1E8C34892336D33EDDCDFE44E474F64 ] CryptSvc C:\Windows\system32\cryptsvc.dll
16:47:55.0086 4000 CryptSvc - ok
16:47:55.0180 4000 [ 3B5B4D53FEC14F7476CA29A20CC31AC9 ] DcomLaunch C:\Windows\system32\rpcss.dll
16:47:55.0180 4000 DcomLaunch - ok
16:47:55.0242 4000 [ 622C41A07CA7E6DD91770F50D532CB6C ] DfsC C:\Windows\system32\Drivers\dfsc.sys
16:47:55.0242 4000 DfsC - ok
16:47:55.0367 4000 [ 2CC3DCFB533A1035B13DCAB6160AB38B ] DFSR C:\Windows\system32\DFSR.exe
16:47:55.0414 4000 DFSR - ok
16:47:55.0539 4000 [ 9028559C132146FB75EB7ACF384B086A ] Dhcp C:\Windows\System32\dhcpcsvc.dll
16:47:55.0554 4000 Dhcp - ok
16:47:55.0601 4000 [ 5D4AEFC3386920236A548271F8F1AF6A ] disk C:\Windows\system32\drivers\disk.sys
16:47:55.0601 4000 disk - ok
16:47:55.0679 4000 [ 3E8710943760F2054E56EED761D875CF ] DniVapCo C:\Windows\system32\DRIVERS\vapco.sys
16:47:55.0679 4000 DniVapCo - ok
16:47:55.0726 4000 [ 57D762F6F5974AF0DA2BE88A3349BAAA ] Dnscache C:\Windows\System32\dnsrslvr.dll
16:47:55.0741 4000 Dnscache - ok
16:47:55.0757 4000 [ 324FD74686B1EF5E7C19A8AF49E748F6 ] dot3svc C:\Windows\System32\dot3svc.dll
16:47:55.0757 4000 dot3svc - ok
16:47:55.0819 4000 [ A622E888F8AA2F6B49E9BC466F0E5DEF ] DPS C:\Windows\system32\dps.dll
16:47:55.0819 4000 DPS - ok
16:47:55.0882 4000 [ 97FEF831AB90BEE128C9AF390E243F80 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
16:47:55.0882 4000 drmkaud - ok
16:47:55.0960 4000 [ C68AC676B0EF30CFBB1080ADCE49EB1F ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
16:47:55.0991 4000 DXGKrnl - ok
16:47:56.0069 4000 [ F88FB26547FD2CE6D0A5AF2985892C48 ] E1G60 C:\Windows\system32\DRIVERS\E1G60I32.sys
16:47:56.0069 4000 E1G60 - ok
16:47:56.0116 4000 [ C0B95E40D85CD807D614E264248A45B9 ] EapHost C:\Windows\System32\eapsvc.dll
16:47:56.0116 4000 EapHost - ok
16:47:56.0209 4000 [ 7F64EA048DCFAC7ACF8B4D7B4E6FE371 ] Ecache C:\Windows\system32\drivers\ecache.sys
16:47:56.0209 4000 Ecache - ok
16:47:56.0272 4000 [ 9BE3744D295A7701EB425332014F0797 ] ehRecvr C:\Windows\ehome\ehRecvr.exe
16:47:56.0287 4000 ehRecvr - ok
16:47:56.0303 4000 [ AD1870C8E5D6DD340C829E6074BF3C3F ] ehSched C:\Windows\ehome\ehsched.exe
16:47:56.0319 4000 ehSched - ok
16:47:56.0319 4000 [ C27C4EE8926E74AA72EFCAB24C5242C3 ] ehstart C:\Windows\ehome\ehstart.dll
16:47:56.0319 4000 ehstart - ok
16:47:56.0397 4000 [ E8F3F21A71720C84BCF423B80028359F ] elxstor C:\Windows\system32\drivers\elxstor.sys
16:47:56.0412 4000 elxstor - ok
16:47:56.0475 4000 [ 4E6B23DFC917EA39306B529B773950F4 ] EMDMgmt C:\Windows\system32\emdmgmt.dll
16:47:56.0490 4000 EMDMgmt - ok
16:47:56.0568 4000 [ 67058C46504BC12D821F38CF99B7B28F ] EventSystem C:\Windows\system32\es.dll
16:47:56.0568 4000 EventSystem - ok
16:47:56.0631 4000 [ 22B408651F9123527BCEE54B4F6C5CAE ] exfat C:\Windows\system32\drivers\exfat.sys
16:47:56.0631 4000 exfat - ok
16:47:56.0693 4000 [ 1E9B9A70D332103C52995E957DC09EF8 ] fastfat C:\Windows\system32\drivers\fastfat.sys
16:47:56.0693 4000 fastfat - ok
16:47:56.0755 4000 [ 63BDADA84951B9C03E641800E176898A ] fdc C:\Windows\system32\DRIVERS\fdc.sys
16:47:56.0755 4000 fdc - ok
16:47:56.0787 4000 [ 6629B5F0E98151F4AFDD87567EA32BA3 ] fdPHost C:\Windows\system32\fdPHost.dll
16:47:56.0802 4000 fdPHost - ok
16:47:56.0818 4000 [ 89ED56DCE8E47AF40892778A5BD31FD2 ] FDResPub C:\Windows\system32\fdrespub.dll
16:47:56.0818 4000 FDResPub - ok
16:47:56.0896 4000 [ A8C0139A884861E3AAE9CFE73B208A9F ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
16:47:56.0896 4000 FileInfo - ok
16:47:56.0911 4000 [ 0AE429A696AECBC5970E3CF2C62635AE ] Filetrace C:\Windows\system32\drivers\filetrace.sys
16:47:56.0911 4000 Filetrace - ok
16:47:56.0943 4000 [ 6603957EFF5EC62D25075EA8AC27DE68 ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
16:47:56.0943 4000 flpydisk - ok
16:47:56.0974 4000 [ 01334F9EA68E6877C4EF05D3EA8ABB05 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
16:47:56.0974 4000 FltMgr - ok
16:47:57.0083 4000 [ 8CE364388C8ECA59B14B539179276D44 ] FontCache C:\Windows\system32\FntCache.dll
16:47:57.0114 4000 FontCache - ok
16:47:57.0192 4000 [ C7FBDD1ED42F82BFA35167A5C9803EA3 ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
16:47:57.0192 4000 FontCache3.0.0.0 - ok
16:47:57.0239 4000 [ B972A66758577E0BFD1DE0F91AAA27B5 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
16:47:57.0239 4000 Fs_Rec - ok
16:47:57.0286 4000 [ 4E1CD0A45C50A8882616CAE5BF82F3C5 ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys
16:47:57.0286 4000 gagp30kx - ok
16:47:57.0395 4000 [ 18D33BF4E02A6C243613357D1719D913 ] GameConsoleService C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
16:47:57.0395 4000 GameConsoleService - ok
16:47:57.0473 4000 [ 185ADA973B5020655CEE342059A86CBB ] GEARAspiWDM C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
16:47:57.0473 4000 GEARAspiWDM - ok
16:47:57.0598 4000 [ F0187E45268E86AAAA932CBD9087BEA8 ] GoogleDesktopManager-110309-193829 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
16:47:57.0598 4000 GoogleDesktopManager-110309-193829 - ok
16:47:57.0676 4000 [ CD5D0AEEE35DFD4E986A5AA1500A6E66 ] gpsvc C:\Windows\System32\gpsvc.dll
16:47:57.0691 4000 gpsvc - ok
16:47:57.0769 4000 [ 751C1D2CA2ABF4A9F5A6B8D7D45B907C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
16:47:57.0769 4000 gusvc - ok
16:47:57.0816 4000 [ 3F90E001369A07243763BD5A523D8722 ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
16:47:57.0816 4000 HdAudAddService - ok
16:47:57.0879 4000 [ 062452B7FFD68C8C042A6261FE8DFF4A ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
16:47:57.0894 4000 HDAudBus - ok
16:47:57.0957 4000 [ 1338520E78D90154ED6BE8F84DE5FCEB ] HidBth C:\Windows\system32\drivers\hidbth.sys
16:47:57.0957 4000 HidBth - ok
16:47:57.0972 4000 [ FF3160C3A2445128C5A6D9B076DA519E ] HidIr C:\Windows\system32\drivers\hidir.sys
16:47:57.0972 4000 HidIr - ok
16:47:58.0003 4000 [ 84067081F3318162797385E11A8F0582 ] hidserv C:\Windows\System32\hidserv.dll
16:47:58.0003 4000 hidserv - ok
16:47:58.0066 4000 [ CCA4B519B17E23A00B826C55716809CC ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
16:47:58.0066 4000 HidUsb - ok
16:47:58.0144 4000 [ FB0F4848E5E7978F24CAF6851F5F45EE ] HitmanProScheduler C:\Program Files\HitmanPro\hmpsched.exe
16:47:58.0144 4000 HitmanProScheduler - ok
16:47:58.0191 4000 [ D8AD255B37DA92434C26E4876DB7D418 ] hkmsvc C:\Windows\system32\kmsvc.dll
16:47:58.0191 4000 hkmsvc - ok
16:47:58.0222 4000 [ DF353B401001246853763C4B7AAA6F50 ] HpCISSs C:\Windows\system32\drivers\hpcisss.sys
16:47:58.0222 4000 HpCISSs - ok
16:47:58.0269 4000 [ F870AA3E254628EBEAFE754108D664DE ] HTTP C:\Windows\system32\drivers\HTTP.sys
16:47:58.0284 4000 HTTP - ok
16:47:58.0300 4000 [ 324C2152FF2C61ABAE92D09F3CCA4D63 ] i2omp C:\Windows\system32\drivers\i2omp.sys
16:47:58.0300 4000 i2omp - ok
16:47:58.0378 4000 [ 22D56C8184586B7A1F6FA60BE5F5A2BD ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
16:47:58.0378 4000 i8042prt - ok
16:47:58.0487 4000 [ 204A73A56751C68C6031E9D5D611EC98 ] IAANTMON C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
16:47:58.0487 4000 IAANTMON - ok
16:47:58.0565 4000 [ 8318E04A6455CED1020BCC5039B62CFA ] ialm C:\Windows\system32\DRIVERS\ialmnt5.sys
16:47:58.0581 4000 ialm - ok
16:47:58.0612 4000 [ 2358C53F30CB9DCD1D3843C4E2F299B2 ] iaStor C:\Windows\system32\DRIVERS\iaStor.sys
16:47:58.0612 4000 iaStor - ok
16:47:58.0643 4000 [ C957BF4B5D80B46C5017BF0101E6C906 ] iaStorV C:\Windows\system32\drivers\iastorv.sys
16:47:58.0643 4000 iaStorV - ok
16:47:58.0721 4000 [ 98477B08E61945F974ED9FDC4CB6BDAB ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
16:47:58.0768 4000 idsvc - ok
16:47:58.0924 4000 [ C134E69CE901422D1F2D7EA8D69098FE ] igfx C:\Windows\system32\DRIVERS\igdkmd32.sys
16:47:58.0924 4000 igfx - ok
16:47:58.0986 4000 [ 2D077BF86E843F901D8DB709C95B49A5 ] iirsp C:\Windows\system32\drivers\iirsp.sys
16:47:58.0986 4000 iirsp - ok
16:47:59.0049 4000 [ 9908D8A397B76CD8D31D0D383C5773C9 ] IKEEXT C:\Windows\System32\ikeext.dll
16:47:59.0064 4000 IKEEXT - ok
16:47:59.0127 4000 [ 83AA759F3189E6370C30DE5DC5590718 ] intelide C:\Windows\system32\drivers\intelide.sys
16:47:59.0127 4000 intelide - ok
16:47:59.0173 4000 [ 224191001E78C89DFA78924C3EA595FF ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
16:47:59.0173 4000 intelppm - ok
16:47:59.0205 4000 [ 9AC218C6E6105477484C6FDBE7D409A4 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
16:47:59.0205 4000 IPBusEnum - ok
16:47:59.0251 4000 [ 62C265C38769B864CB25B4BCF62DF6C3 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:47:59.0251 4000 IpFilterDriver - ok
16:47:59.0298 4000 [ 1998BD97F950680BB55F55A7244679C2 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
16:47:59.0298 4000 iphlpsvc - ok
16:47:59.0314 4000 IpInIp - ok
16:47:59.0345 4000 [ 40F34F8ABA2A015D780E4B09138B6C17 ] IPMIDRV C:\Windows\system32\drivers\ipmidrv.sys
16:47:59.0345 4000 IPMIDRV - ok
16:47:59.0392 4000 [ 8793643A67B42CEC66490B2A0CF92D68 ] IPNAT C:\Windows\system32\DRIVERS\ipnat.sys
16:47:59.0392 4000 IPNAT - ok
16:47:59.0470 4000 [ BC0EA61246F8D940FBC5F652D337D6BD ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
16:47:59.0470 4000 iPod Service - ok
16:47:59.0548 4000 [ 109C0DFB82C3632FBD11949B73AEEAC9 ] IRENUM C:\Windows\system32\drivers\irenum.sys
16:47:59.0548 4000 IRENUM - ok
16:47:59.0595 4000 [ 350FCA7E73CF65BCEF43FAE1E4E91293 ] isapnp C:\Windows\system32\drivers\isapnp.sys
16:47:59.0595 4000 isapnp - ok
16:47:59.0673 4000 [ 232FA340531D940AAC623B121A595034 ] iScsiPrt C:\Windows\system32\DRIVERS\msiscsi.sys
16:47:59.0673 4000 iScsiPrt - ok
16:47:59.0704 4000 [ BCED60D16156E428F8DF8CF27B0DF150 ] iteatapi C:\Windows\system32\drivers\iteatapi.sys
16:47:59.0704 4000 iteatapi - ok
16:47:59.0719 4000 [ 06FA654504A498C30ADCA8BEC4E87E7E ] iteraid C:\Windows\system32\drivers\iteraid.sys
16:47:59.0719 4000 iteraid - ok
16:47:59.0751 4000 [ 37605E0A8CF00CBBA538E753E4344C6E ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
16:47:59.0751 4000 kbdclass - ok
16:47:59.0782 4000 [ D2600CB17B7408B4A83F231DC9A11AC3 ] kbdhid C:\Windows\system32\drivers\kbdhid.sys
16:47:59.0782 4000 kbdhid - ok
16:47:59.0844 4000 [ A3E186B4B935905B829219502557314E ] KeyIso C:\Windows\system32\lsass.exe
16:47:59.0844 4000 KeyIso - ok
16:47:59.0907 4000 [ 4A1445EFA932A3BAF5BDB02D7131EE20 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
16:47:59.0922 4000 KSecDD - ok
16:48:00.0000 4000 [ 8078F8F8F7A79E2E6B494523A828C585 ] KtmRm C:\Windows\system32\msdtckrm.dll
16:48:00.0000 4000 KtmRm - ok
16:48:00.0031 4000 [ 1BF5EEBFD518DD7298434D8C862F825D ] LanmanServer C:\Windows\System32\srvsvc.dll
16:48:00.0031 4000 LanmanServer - ok
16:48:00.0109 4000 [ 1DB69705B695B987082C8BAEC0C6B34F ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
16:48:00.0109 4000 LanmanWorkstation - ok
16:48:00.0109 4000 Lavasoft Kernexplorer - ok
16:48:00.0125 4000 Lbd - ok
16:48:00.0187 4000 [ D1C5883087A0C3F1344D9D55A44901F6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
16:48:00.0187 4000 lltdio - ok
16:48:00.0219 4000 [ 2D5A428872F1442631D0959A34ABFF63 ] lltdsvc C:\Windows\System32\lltdsvc.dll
16:48:00.0219 4000 lltdsvc - ok
16:48:00.0265 4000 [ 35D40113E4A5B961B6CE5C5857702518 ] lmhosts C:\Windows\System32\lmhsvc.dll
16:48:00.0265 4000 lmhosts - ok
16:48:00.0312 4000 [ A2262FB9F28935E862B4DB46438C80D2 ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys
16:48:00.0312 4000 LSI_FC - ok
16:48:00.0328 4000 [ 30D73327D390F72A62F32C103DAF1D6D ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys
16:48:00.0328 4000 LSI_SAS - ok
16:48:00.0359 4000 [ E1E36FEFD45849A95F1AB81DE0159FE3 ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
16:48:00.0359 4000 LSI_SCSI - ok
16:48:00.0406 4000 [ 8F5C7426567798E62A3B3614965D62CC ] luafv C:\Windows\system32\drivers\luafv.sys
16:48:00.0406 4000 luafv - ok
16:48:00.0499 4000 [ F453D1E6D881E8F8717E20CCD4199E85 ] McComponentHostService C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
16:48:00.0499 4000 McComponentHostService - ok
16:48:00.0546 4000 [ AEF9BABB8A506BC4CE0451A64AADED46 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
16:48:00.0546 4000 Mcx2Svc - ok
16:48:00.0593 4000 [ D153B14FC6598EAE8422A2037553ADCE ] megasas C:\Windows\system32\drivers\megasas.sys
16:48:00.0593 4000 megasas - ok
16:48:00.0624 4000 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] MMCSS C:\Windows\system32\mmcss.dll
16:48:00.0624 4000 MMCSS - ok
16:48:00.0640 4000 [ E13B5EA0F51BA5B1512EC671393D09BA ] Modem C:\Windows\system32\drivers\modem.sys
16:48:00.0640 4000 Modem - ok
16:48:00.0702 4000 [ 0A9BB33B56E294F686ABB7C1E4E2D8A8 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
16:48:00.0702 4000 monitor - ok
16:48:00.0733 4000 [ 5BF6A1326A335C5298477754A506D263 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
16:48:00.0733 4000 mouclass - ok
16:48:00.0765 4000 [ 93B8D4869E12CFBE663915502900876F ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
16:48:00.0765 4000 mouhid - ok
16:48:00.0811 4000 [ BDAFC88AA6B92F7842416EA6A48E1600 ] MountMgr C:\Windows\system32\drivers\mountmgr.sys
16:48:00.0811 4000 MountMgr - ok
16:48:00.0921 4000 [ 8BE15F71DE6FF33FC56DCDE7B2B9EFE8 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
16:48:00.0921 4000 MozillaMaintenance - ok
16:48:00.0952 4000 [ 583A41F26278D9E0EA548163D6139397 ] mpio C:\Windows\system32\drivers\mpio.sys
16:48:00.0952 4000 mpio - ok
16:48:00.0983 4000 [ 22241FEBA9B2DEFA669C8CB0A8DD7D2E ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
16:48:00.0983 4000 mpsdrv - ok
16:48:01.0045 4000 [ 5DE62C6E9108F14F6794060A9BDECAEC ] MpsSvc C:\Windows\system32\mpssvc.dll
16:48:01.0061 4000 MpsSvc - ok
16:48:01.0108 4000 [ 4FBBB70D30FD20EC51F80061703B001E ] Mraid35x C:\Windows\system32\drivers\mraid35x.sys
16:48:01.0108 4000 Mraid35x - ok
16:48:01.0170 4000 [ F322E9118FFDAB03790EB8C4BDD4934A ] MRVW147 C:\Windows\system32\DRIVERS\MRVW147.sys
16:48:01.0186 4000 MRVW147 - ok
16:48:01.0217 4000 [ 82CEA0395524AACFEB58BA1448E8325C ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
16:48:01.0217 4000 MRxDAV - ok
16:48:01.0279 4000 [ 1E94971C4B446AB2290DEB71D01CF0C2 ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
16:48:01.0279 4000 mrxsmb - ok
16:48:01.0357 4000 [ 4FCCB34D793B116423209C0F8B7A3B03 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:48:01.0357 4000 mrxsmb10 - ok
16:48:01.0373 4000 [ C3CB1B40AD4A0124D617A1199B0B9D7C ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:48:01.0373 4000 mrxsmb20 - ok
16:48:01.0420 4000 [ 742AED7939E734C36B7E8D6228CE26B7 ] msahci C:\Windows\system32\drivers\msahci.sys
16:48:01.0420 4000 msahci - ok
16:48:01.0451 4000 [ 3FC82A2AE4CC149165A94699183D3028 ] msdsm C:\Windows\system32\drivers\msdsm.sys
16:48:01.0467 4000 msdsm - ok
16:48:01.0498 4000 [ FD7520CC3A80C5FC8C48852BB24C6DED ] MSDTC C:\Windows\System32\msdtc.exe
16:48:01.0498 4000 MSDTC - ok
16:48:01.0560 4000 [ A9927F4A46B816C92F461ACB90CF8515 ] Msfs C:\Windows\system32\drivers\Msfs.sys
16:48:01.0560 4000 Msfs - ok
16:48:01.0607 4000 [ 0F400E306F385C56317357D6DEA56F62 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
16:48:01.0607 4000 msisadrv - ok
16:48:01.0654 4000 [ 85466C0757A23D9A9AECDC0755203CB2 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
16:48:01.0654 4000 MSiSCSI - ok
16:48:01.0654 4000 msiserver - ok
16:48:01.0716 4000 [ D8C63D34D9C9E56C059E24EC7185CC07 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
16:48:01.0716 4000 MSKSSRV - ok
16:48:01.0747 4000 [ 1D373C90D62DDB641D50E55B9E78D65E ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
16:48:01.0747 4000 MSPCLOCK - ok
16:48:01.0779 4000 [ B572DA05BF4E098D4BBA3A4734FB505B ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
16:48:01.0779 4000 MSPQM - ok
16:48:01.0841 4000 [ B49456D70555DE905C311BCDA6EC6ADB ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
16:48:01.0841 4000 MsRPC - ok
16:48:01.0857 4000 [ E384487CB84BE41D09711C30CA79646C ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
16:48:01.0857 4000 mssmbios - ok
16:48:01.0903 4000 [ 7199C1EEC1E4993CAF96B8C0A26BD58A ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
16:48:01.0903 4000 MSTEE - ok
16:48:01.0935 4000 [ 6A57B5733D4CB702C8EA4542E836B96C ] Mup C:\Windows\system32\Drivers\mup.sys
16:48:01.0935 4000 Mup - ok
16:48:01.0997 4000 [ E4EAF0C5C1B41B5C83386CF212CA9584 ] napagent C:\Windows\system32\qagentRT.dll
16:48:01.0997 4000 napagent - ok
16:48:02.0059 4000 [ 85C44FDFF9CF7E72A40DCB7EC06A4416 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
16:48:02.0059 4000 NativeWifiP - ok
16:48:02.0122 4000 [ 1357274D1883F68300AEADD15D7BBB42 ] NDIS C:\Windows\system32\drivers\ndis.sys
16:48:02.0137 4000 NDIS - ok
16:48:02.0169 4000 [ 0E186E90404980569FB449BA7519AE61 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
16:48:02.0169 4000 NdisTapi - ok
16:48:02.0215 4000 [ D6973AA34C4D5D76C0430B181C3CD389 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
16:48:02.0215 4000 Ndisuio - ok
16:48:02.0231 4000 [ 818F648618AE34F729FDB47EC68345C3 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
16:48:02.0231 4000 NdisWan - ok
16:48:02.0262 4000 [ 71DAB552B41936358F3B541AE5997FB3 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
16:48:02.0262 4000 NDProxy - ok
16:48:02.0293 4000 [ BCD093A5A6777CF626434568DC7DBA78 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
16:48:02.0293 4000 NetBIOS - ok
16:48:02.0325 4000 [ ECD64230A59CBD93C85F1CD1CAB9F3F6 ] netbt C:\Windows\system32\DRIVERS\netbt.sys
16:48:02.0325 4000 netbt - ok
16:48:02.0340 4000 [ A3E186B4B935905B829219502557314E ] Netlogon C:\Windows\system32\lsass.exe
16:48:02.0340 4000 Netlogon - ok
16:48:02.0418 4000 [ C8052711DAECC48B982434C5116CA401 ] Netman C:\Windows\System32\netman.dll
16:48:02.0418 4000 Netman - ok
16:48:02.0449 4000 [ 2EF3BBE22E5A5ACD1428EE387A0D0172 ] netprofm C:\Windows\System32\netprofm.dll
16:48:02.0465 4000 netprofm - ok
16:48:02.0512 4000 [ D6C4E4A39A36029AC0813D476FBD0248 ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
16:48:02.0512 4000 NetTcpPortSharing - ok
16:48:02.0668 4000 [ 6E9EDC1020B319E7676387B8CDF2398C ] NETw2v32 C:\Windows\system32\DRIVERS\NETw2v32.sys
16:48:02.0683 4000 NETw2v32 - ok
16:48:02.0715 4000 [ 2E7FB731D4790A1BC6270ACCEFACB36E ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
16:48:02.0715 4000 nfrd960 - ok
16:48:02.0761 4000 [ 2997B15415F9BBE05B5A4C1C85E0C6A2 ] NlaSvc C:\Windows\System32\nlasvc.dll
16:48:02.0761 4000 NlaSvc - ok
16:48:02.0824 4000 [ D36F239D7CCE1931598E8FB90A0DBC26 ] Npfs C:\Windows\system32\drivers\Npfs.sys
16:48:02.0824 4000 Npfs - ok
16:48:02.0855 4000 [ 8BB86F0C7EEA2BDED6FE095D0B4CA9BD ] nsi C:\Windows\system32\nsisvc.dll
16:48:02.0855 4000 nsi - ok
16:48:02.0902 4000 [ 609773E344A97410CE4EBF74A8914FCF ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
16:48:02.0902 4000 nsiproxy - ok
16:48:02.0980 4000 [ 6A4A98CEE84CF9E99564510DDA4BAA47 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
16:48:02.0995 4000 Ntfs - ok
16:48:03.0058 4000 [ E875C093AEC0C978A90F30C9E0DFBB72 ] ntrigdigi C:\Windows\system32\drivers\ntrigdigi.sys
16:48:03.0058 4000 ntrigdigi - ok
16:48:03.0105 4000 [ C5DBBCDA07D780BDA9B685DF333BB41E ] Null C:\Windows\system32\drivers\Null.sys
16:48:03.0105 4000 Null - ok
16:48:03.0167 4000 [ E69E946F80C1C31C53003BFBF50CBB7C ] nvraid C:\Windows\system32\drivers\nvraid.sys
16:48:03.0167 4000 nvraid - ok
16:48:03.0183 4000 [ 9E0BA19A28C498A6D323D065DB76DFFC ] nvstor C:\Windows\system32\drivers\nvstor.sys
16:48:03.0183 4000 nvstor - ok
16:48:03.0214 4000 [ 07C186427EB8FCC3D8D7927187F260F7 ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
16:48:03.0214 4000 nv_agp - ok
16:48:03.0214 4000 NwlnkFlt - ok
16:48:03.0229 4000 NwlnkFwd - ok
16:48:03.0276 4000 [ BE32DA025A0BE1878F0EE8D6D9386CD5 ] ohci1394 C:\Windows\system32\DRIVERS\ohci1394.sys
16:48:03.0276 4000 ohci1394 - ok
16:48:03.0417 4000 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
16:48:03.0417 4000 ose - ok
16:48:03.0573 4000 [ 358A9CCA612C68EB2F07DDAD4CE1D8D7 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
16:48:03.0697 4000 osppsvc - ok
16:48:03.0775 4000 [ 0C8E8E61AD1EB0B250B846712C917506 ] p2pimsvc C:\Windows\system32\p2psvc.dll
16:48:03.0775 4000 p2pimsvc - ok
16:48:03.0807 4000 [ 0C8E8E61AD1EB0B250B846712C917506 ] p2psvc C:\Windows\system32\p2psvc.dll
16:48:03.0807 4000 p2psvc - ok
16:48:03.0838 4000 [ 0FA9B5055484649D63C303FE404E5F4D ] Parport C:\Windows\system32\drivers\parport.sys
16:48:03.0838 4000 Parport - ok
16:48:03.0869 4000 [ B9C2B89F08670E159F7181891E449CD9 ] partmgr C:\Windows\system32\drivers\partmgr.sys
16:48:03.0869 4000 partmgr - ok
16:48:03.0885 4000 [ 4F9A6A8A31413180D0FCB279AD5D8112 ] Parvdm C:\Windows\system32\drivers\parvdm.sys
16:48:03.0885 4000 Parvdm - ok
16:48:03.0900 4000 [ C6276AD11F4BB49B58AA1ED88537F14A ] PcaSvc C:\Windows\System32\pcasvc.dll
16:48:03.0900 4000 PcaSvc - ok
16:48:03.0963 4000 [ 941DC1D19E7E8620F40BBC206981EFDB ] pci C:\Windows\system32\drivers\pci.sys
16:48:03.0963 4000 pci - ok
16:48:03.0978 4000 [ 3B1901E401473E03EB8C874271E50C26 ] pciide C:\Windows\system32\drivers\pciide.sys
16:48:03.0994 4000 pciide - ok
16:48:04.0025 4000 [ E6F3FB1B86AA519E7698AD05E58B04E5 ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys
16:48:04.0025 4000 pcmcia - ok
16:48:04.0103 4000 [ 6349F6ED9C623B44B52EA3C63C831A92 ] PEAUTH C:\Windows\system32\drivers\peauth.sys
16:48:04.0134 4000 PEAUTH - ok
16:48:04.0212 4000 [ B1689DF169143F57053F795390C99DB3 ] pla C:\Windows\system32\pla.dll
16:48:04.0259 4000 pla - ok
16:48:04.0337 4000 [ C5E7F8A996EC0A82D508FD9064A5569E ] PlugPlay C:\Windows\system32\umpnpmgr.dll
16:48:04.0337 4000 PlugPlay - ok
16:48:04.0431 4000 [ 0C8E8E61AD1EB0B250B846712C917506 ] PNRPAutoReg C:\Windows\system32\p2psvc.dll
16:48:04.0431 4000 PNRPAutoReg - ok
16:48:04.0462 4000 [ 0C8E8E61AD1EB0B250B846712C917506 ] PNRPsvc C:\Windows\system32\p2psvc.dll
16:48:04.0462 4000 PNRPsvc - ok
16:48:04.0493 4000 [ D0494460421A03CD5225CCA0059AA146 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
16:48:04.0509 4000 PolicyAgent - ok
16:48:04.0524 4000 [ ECFFFAEC0C1ECD8DBC77F39070EA1DB1 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
16:48:04.0524 4000 PptpMiniport - ok
16:48:04.0571 4000 [ 0E3CEF5D28B40CF273281D620C50700A ] Processor C:\Windows\system32\drivers\processr.sys
16:48:04.0571 4000 Processor - ok
16:48:04.0618 4000 [ 0508FAA222D28835310B7BFCA7A77346 ] ProfSvc C:\Windows\system32\profsvc.dll
16:48:04.0633 4000 ProfSvc - ok
16:48:04.0649 4000 [ A3E186B4B935905B829219502557314E ] ProtectedStorage C:\Windows\system32\lsass.exe
16:48:04.0649 4000 ProtectedStorage - ok
16:48:04.0665 4000 [ 99514FAA8DF93D34B5589187DB3AA0BA ] PSched C:\Windows\system32\DRIVERS\pacer.sys
16:48:04.0665 4000 PSched - ok
16:48:04.0727 4000 [ CCDAC889326317792480C0A67156A1EC ] ql2300 C:\Windows\system32\drivers\ql2300.sys
16:48:04.0743 4000 ql2300 - ok
16:48:04.0774 4000 [ 81A7E5C076E59995D54BC1ED3A16E60B ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
16:48:04.0774 4000 ql40xx - ok
16:48:04.0821 4000 [ E9ECAE663F47E6CB43962D18AB18890F ] QWAVE C:\Windows\system32\qwave.dll
16:48:04.0821 4000 QWAVE - ok
16:48:04.0852 4000 [ 9F5E0E1926014D17486901C88ECA2DB7 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
16:48:04.0852 4000 QWAVEdrv - ok
16:48:04.0883 4000 [ 147D7F9C556D259924351FEB0DE606C3 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
16:48:04.0883 4000 RasAcd - ok
16:48:04.0914 4000 [ F6A452EB4CEADBB51C9E0EE6B3ECEF0F ] RasAuto C:\Windows\System32\rasauto.dll
16:48:04.0914 4000 RasAuto - ok
16:48:04.0945 4000 [ A214ADBAF4CB47DD2728859EF31F26B0 ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
16:48:04.0961 4000 Rasl2tp - ok
16:48:05.0023 4000 [ 75D47445D70CA6F9F894B032FBC64FCF ] RasMan C:\Windows\System32\rasmans.dll
16:48:05.0023 4000 RasMan - ok
16:48:05.0055 4000 [ 509A98DD18AF4375E1FC40BC175F1DEF ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
16:48:05.0055 4000 RasPppoe - ok
16:48:05.0086 4000 [ 2005F4A1E05FA09389AC85840F0A9E4D ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
16:48:05.0086 4000 RasSstp - ok
16:48:05.0117 4000 [ B14C9D5B9ADD2F84F70570BBBFAA7935 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
16:48:05.0117 4000 rdbss - ok
16:48:05.0164 4000 [ 89E59BE9A564262A3FB6C4F4F1CD9899 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
16:48:05.0164 4000 RDPCDD - ok
16:48:05.0226 4000 [ E8BD98D46F2ED77132BA927FCCB47D8B ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
16:48:05.0226 4000 rdpdr - ok
16:48:05.0257 4000 [ 9D91FE5286F748862ECFFA05F8A0710C ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
16:48:05.0257 4000 RDPENCDD - ok
16:48:05.0320 4000 [ C127EBD5AFAB31524662C48DFCEB773A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
16:48:05.0335 4000 RDPWD - ok
16:48:05.0398 4000 [ BCDD6B4804D06B1F7EBF29E53A57ECE9 ] RemoteAccess C:\Windows\System32\mprdim.dll
16:48:05.0398 4000 RemoteAccess - ok
16:48:05.0413 4000 [ 9E6894EA18DAFF37B63E1005F83AE4AB ] RemoteRegistry C:\Windows\system32\regsvc.dll
16:48:05.0413 4000 RemoteRegistry - ok
16:48:05.0429 4000 [ 5123F83CBC4349D065534EEB6BBDC42B ] RpcLocator C:\Windows\system32\locator.exe
16:48:05.0445 4000 RpcLocator - ok
16:48:05.0476 4000 [ 3B5B4D53FEC14F7476CA29A20CC31AC9 ] RpcSs C:\Windows\System32\rpcss.dll
16:48:05.0476 4000 RpcSs - ok
16:48:05.0507 4000 [ 9C508F4074A39E8B4B31D27198146FAD ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
16:48:05.0507 4000 rspndr - ok
16:48:05.0569 4000 [ 904FD29EC1FF2709099AE2CD1C09A913 ] RTL8169 C:\Windows\system32\DRIVERS\Rtlh86.sys
16:48:05.0569 4000 RTL8169 - ok
16:48:05.0632 4000 [ 6E7F2054FAEDBE766034AA8A185213EC ] RTSTOR C:\Windows\system32\drivers\RTSTOR.SYS
16:48:05.0632 4000 RTSTOR - ok
16:48:05.0647 4000 [ A3E186B4B935905B829219502557314E ] SamSs C:\Windows\system32\lsass.exe
16:48:05.0647 4000 SamSs - ok
16:48:05.0725 4000 [ 3CE8F073A557E172B330109436984E30 ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
16:48:05.0725 4000 sbp2port - ok
16:48:05.0757 4000 SBRE - ok
16:48:05.0881 4000 [ 794D4B48DFB6E999537C7C3947863463 ] SBSDWSCService C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
16:48:05.0881 4000 SBSDWSCService - ok
16:48:05.0944 4000 [ 77B7A11A0C3D78D3386398FBBEA1B632 ] SCardSvr C:\Windows\System32\SCardSvr.dll
16:48:05.0944 4000 SCardSvr - ok
16:48:06.0022 4000 [ 1A58069DB21D05EB2AB58EE5753EBE8D ] Schedule C:\Windows\system32\schedsvc.dll
16:48:06.0037 4000 Schedule - ok
16:48:06.0053 4000 [ 312EC3E37A0A1F2006534913E37B4423 ] SCPolicySvc C:\Windows\System32\certprop.dll
16:48:06.0053 4000 SCPolicySvc - ok
16:48:06.0084 4000 [ 4339A2585708C7D9B0C0CE5AAD3DD6FF ] sdbus C:\Windows\system32\DRIVERS\sdbus.sys
16:48:06.0084 4000 sdbus - ok
16:48:06.0131 4000 [ 716313D9F6B0529D03F726D5AAF6F191 ] SDRSVC C:\Windows\System32\SDRSVC.dll
16:48:06.0131 4000 SDRSVC - ok
16:48:06.0147 4000 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys
16:48:06.0147 4000 secdrv - ok
16:48:06.0193 4000 [ FD5199D4D8A521005E4B5EE7FE00FA9B ] seclogon C:\Windows\system32\seclogon.dll
16:48:06.0193 4000 seclogon - ok
16:48:06.0209 4000 [ A9BBAB5759771E523F55563D6CBE140F ] SENS C:\Windows\system32\sens.dll
16:48:06.0209 4000 SENS - ok
16:48:06.0240 4000 [ 68E44E331D46F0FB38F0863A84CD1A31 ] Serenum C:\Windows\system32\drivers\serenum.sys
16:48:06.0240 4000 Serenum - ok
16:48:06.0256 4000 [ C70D69A918B178D3C3B06339B40C2E1B ] Serial C:\Windows\system32\drivers\serial.sys
16:48:06.0256 4000 Serial - ok
16:48:06.0271 4000 [ 8AF3D28A879BF75DB53A0EE7A4289624 ] sermouse C:\Windows\system32\drivers\sermouse.sys
16:48:06.0271 4000 sermouse - ok
16:48:06.0318 4000 [ D2193326F729B163125610DBF3E17D57 ] SessionEnv C:\Windows\system32\sessenv.dll
16:48:06.0334 4000 SessionEnv - ok
16:48:06.0349 4000 [ 103B79418DA647736EE95645F305F68A ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
16:48:06.0349 4000 sffdisk - ok
16:48:06.0365 4000 [ 8FD08A310645FE872EEEC6E08C6BF3EE ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
16:48:06.0365 4000 sffp_mmc - ok
16:48:06.0381 4000 [ 9CFA05FCFCB7124E69CFC812B72F9614 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
16:48:06.0381 4000 sffp_sd - ok
16:48:06.0396 4000 [ 46ED8E91793B2E6F848015445A0AC188 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
16:48:06.0412 4000 sfloppy - ok
16:48:06.0427 4000 [ E1499BD0FF76B1B2FBBF1AF339D91165 ] SharedAccess C:\Windows\System32\ipnathlp.dll
16:48:06.0443 4000 SharedAccess - ok
16:48:06.0490 4000 [ C7230FBEE14437716701C15BE02C27B8 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
16:48:06.0490 4000 ShellHWDetection - ok
16:48:06.0521 4000 [ D2A595D6EEBEEAF4334F8E50EFBC9931 ] sisagp C:\Windows\system32\drivers\sisagp.sys
16:48:06.0521 4000 sisagp - ok
16:48:06.0537 4000 [ CEDD6F4E7D84E9F98B34B3FE988373AA ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
16:48:06.0537 4000 SiSRaid2 - ok
16:48:06.0568 4000 [ DF843C528C4F69D12CE41CE462E973A7 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
16:48:06.0568 4000 SiSRaid4 - ok
16:48:06.0646 4000 [ A37740568718F245E818D0C5575B9AA9 ] SkypeUpdate C:\Program Files\Skype\Updater\Updater.exe
16:48:06.0646 4000 SkypeUpdate - ok
16:48:06.0786 4000 [ 862BB4CBC05D80C5B45BE430E5EF872F ] slsvc C:\Windows\system32\SLsvc.exe
16:48:06.0817 4000 slsvc - ok
16:48:06.0880 4000 [ 6EDC422215CD78AA8A9CDE6B30ABBD35 ] SLUINotify C:\Windows\system32\SLUINotify.dll
16:48:06.0880 4000 SLUINotify - ok
16:48:06.0942 4000 [ 7B75299A4D201D6A6533603D6914AB04 ] Smb C:\Windows\system32\DRIVERS\smb.sys
16:48:06.0942 4000 Smb - ok
16:48:06.0973 4000 [ 2A146A055B4401C16EE62D18B8E2A032 ] SNMPTRAP C:\Windows\System32\snmptrap.exe
16:48:06.0973 4000 SNMPTRAP - ok
16:48:07.0005 4000 [ 7AEBDEEF071FE28B0EEF2CDD69102BFF ] spldr C:\Windows\system32\drivers\spldr.sys
16:48:07.0005 4000 spldr - ok
16:48:07.0067 4000 [ 8554097E5136C3BF9F69FE578A1B35F4 ] Spooler C:\Windows\System32\spoolsv.exe
16:48:07.0067 4000 Spooler - ok
16:48:07.0129 4000 [ 41987F9FC0E61ADF54F581E15029AD91 ] srv C:\Windows\system32\DRIVERS\srv.sys
16:48:07.0129 4000 srv - ok
16:48:07.0176 4000 [ FF33AFF99564B1AA534F58868CBE41EF ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
16:48:07.0176 4000 srv2 - ok
16:48:07.0207 4000 [ 7605C0E1D01A08F3ECD743F38B834A44 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
16:48:07.0207 4000 srvnet - ok
16:48:07.0223 4000 [ 03D50B37234967433A5EA5BA72BC0B62 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
16:48:07.0239 4000 SSDPSRV - ok
16:48:07.0301 4000 [ 6F1A32E7B7B30F004D9A20AFADB14944 ] SstpSvc C:\Windows\system32\sstpsvc.dll
16:48:07.0317 4000 SstpSvc - ok
16:48:07.0348 4000 STHDA - ok
16:48:07.0410 4000 [ 5DE7D67E49B88F5F07F3E53C4B92A352 ] stisvc C:\Windows\System32\wiaservc.dll
16:48:07.0441 4000 stisvc - ok
16:48:07.0473 4000 [ 7BA58ECF0C0A9A69D44B3DCA62BECF56 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
16:48:07.0473 4000 swenum - ok
16:48:07.0535 4000 [ F21FD248040681CCA1FB6C9A03AAA93D ] swprv C:\Windows\System32\swprv.dll
16:48:07.0551 4000 swprv - ok
16:48:07.0582 4000 [ 192AA3AC01DF071B541094F251DEED10 ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
16:48:07.0582 4000 Symc8xx - ok
16:48:07.0597 4000 SymIM - ok
16:48:07.0597 4000 SymIMMP - ok
16:48:07.0629 4000 [ 8C8EB8C76736EBAF3B13B633B2E64125 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
16:48:07.0629 4000 Sym_hi - ok
16:48:07.0644 4000 [ 8072AF52B5FD103BBBA387A1E49F62CB ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
16:48:07.0644 4000 Sym_u3 - ok
16:48:07.0691 4000 [ 21470BF105B96DED47E99E1EE7495E8F ] SynTP C:\Windows\system32\DRIVERS\SynTP.sys
16:48:07.0691 4000 SynTP - ok
16:48:07.0738 4000 [ 9A51B04E9886AA4EE90093586B0BA88D ] SysMain C:\Windows\system32\sysmain.dll
16:48:07.0769 4000 SysMain - ok
16:48:07.0800 4000 [ 2DCA225EAE15F42C0933E998EE0231C3 ] TabletInputService C:\Windows\System32\TabSvc.dll
16:48:07.0800 4000 TabletInputService - ok
16:48:07.0863 4000 [ D7673E4B38CE21EE54C59EEEB65E2483 ] TapiSrv C:\Windows\System32\tapisrv.dll
16:48:07.0863 4000 TapiSrv - ok
16:48:07.0909 4000 [ CB05822CD9CC6C688168E113C603DBE7 ] TBS C:\Windows\System32\tbssvc.dll
16:48:07.0909 4000 TBS - ok
16:48:07.0972 4000 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
16:48:07.0972 4000 Tcpip - ok
16:48:08.0003 4000 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
16:48:08.0019 4000 Tcpip6 - ok
16:48:08.0081 4000 [ 608C345A255D82A6289C2D468EB41FD7 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
16:48:08.0081 4000 tcpipreg - ok
16:48:08.0128 4000 [ 5DCF5E267BE67A1AE926F2DF77FBCC56 ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
16:48:08.0128 4000 TDPIPE - ok
16:48:08.0159 4000 [ 389C63E32B3CEFED425B61ED92D3F021 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
16:48:08.0159 4000 TDTCP - ok
16:48:08.0190 4000 [ 76B06EB8A01FC8624D699E7045303E54 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
16:48:08.0190 4000 tdx - ok
16:48:08.0206 4000 [ 3CAD38910468EAB9A6479E2F01DB43C7 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
16:48:08.0206 4000 TermDD - ok
16:48:08.0268 4000 [ BB95DA09BEF6E7A131BFF3BA5032090D ] TermService C:\Windows\System32\termsrv.dll
16:48:08.0268 4000 TermService - ok
16:48:08.0284 4000 [ C7230FBEE14437716701C15BE02C27B8 ] Themes C:\Windows\system32\shsvcs.dll
16:48:08.0284 4000 Themes - ok
16:48:08.0315 4000 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] THREADORDER C:\Windows\system32\mmcss.dll
16:48:08.0315 4000 THREADORDER - ok
16:48:08.0346 4000 [ EC74E77D0EB004BD3A809B5F8FB8C2CE ] TrkWks C:\Windows\System32\trkwks.dll
16:48:08.0346 4000 TrkWks - ok
16:48:08.0440 4000 [ 97D9D6A04E3AD9B6C626B9931DB78DBA ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
16:48:08.0440 4000 TrustedInstaller - ok
16:48:08.0487 4000 [ DCF0F056A2E4F52287264F5AB29CF206 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
16:48:08.0487 4000 tssecsrv - ok
16:48:08.0518 4000 [ CAECC0120AC49E3D2F758B9169872D38 ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
16:48:08.0518 4000 tunmp - ok
16:48:08.0580 4000 [ 300DB877AC094FEAB0BE7688C3454A9C ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
16:48:08.0596 4000 tunnel - ok
16:48:08.0627 4000 [ C3ADE15414120033A36C0F293D4A4121 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
16:48:08.0627 4000 uagp35 - ok
16:48:08.0658 4000 [ D9728AF68C4C7693CB100B8441CBDEC6 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
16:48:08.0658 4000 udfs - ok
16:48:08.0689 4000 [ ECEF404F62863755951E09C802C94AD5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
16:48:08.0705 4000 UI0Detect - ok
16:48:08.0721 4000 [ 75E6890EBFCE0841D3291B02E7A8BDB0 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
16:48:08.0721 4000 uliagpkx - ok
16:48:08.0752 4000 [ 3CD4EA35A6221B85DCC25DAA46313F8D ] uliahci C:\Windows\system32\drivers\uliahci.sys
16:48:08.0752 4000 uliahci - ok
16:48:08.0783 4000 [ 8514D0E5CD0534467C5FC61BE94A569F ] UlSata C:\Windows\system32\drivers\ulsata.sys
16:48:08.0783 4000 UlSata - ok
16:48:08.0799 4000 [ 38C3C6E62B157A6BC46594FADA45C62B ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
16:48:08.0799 4000 ulsata2 - ok
16:48:08.0845 4000 [ 32CFF9F809AE9AED85464492BF3E32D2 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
16:48:08.0845 4000 umbus - ok
16:48:08.0877 4000 [ 68308183F4AE0BE7BF8ECD07CB297999 ] upnphost C:\Windows\System32\upnphost.dll
16:48:08.0877 4000 upnphost - ok
16:48:08.0955 4000 [ 73B41F4EAD65F355962168D766AF0F2E ] USBAAPL C:\Windows\system32\Drivers\usbaapl.sys
16:48:08.0955 4000 USBAAPL - ok
16:48:09.0033 4000 [ 32DB9517628FF0D070682AAB61E688F0 ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
16:48:09.0033 4000 usbaudio - ok
16:48:09.0079 4000 [ 9419FAAC6552A51542DBBA02971C841C ] usbbus C:\Windows\system32\DRIVERS\lgusbbus.sys
16:48:09.0079 4000 usbbus - ok
16:48:09.0126 4000 [ CAF811AE4C147FFCD5B51750C7F09142 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
16:48:09.0126 4000 usbccgp - ok
16:48:09.0157 4000 [ E9476E6C486E76BC4898074768FB7131 ] usbcir C:\Windows\system32\drivers\usbcir.sys
16:48:09.0157 4000 usbcir - ok
16:48:09.0204 4000 [ C0A466FA4FFEC464320E159BC1BBDC0C ] UsbDiag C:\Windows\system32\DRIVERS\lgusbdiag.sys
16:48:09.0204 4000 UsbDiag - ok
16:48:09.0267 4000 [ 79E96C23A97CE7B8F14D310DA2DB0C9B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
16:48:09.0267 4000 usbehci - ok
16:48:09.0282 4000 [ 4673BBCB006AF60E7ABDDBE7A130BA42 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
16:48:09.0298 4000 usbhub - ok
16:48:09.0313 4000 [ F74A54774A9B0AFEB3C40ADEC68AA600 ] USBModem C:\Windows\system32\DRIVERS\lgusbmodem.sys
16:48:09.0329 4000 USBModem - ok
16:48:09.0345 4000 [ 38DBC7DD6CC5A72011F187425384388B ] usbohci C:\Windows\system32\drivers\usbohci.sys
16:48:09.0345 4000 usbohci - ok
16:48:09.0376 4000 [ E75C4B5269091D15A2E7DC0B6D35F2F5 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
16:48:09.0376 4000 usbprint - ok
16:48:09.0454 4000 [ A508C9BD8724980512136B039BBA65E9 ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
16:48:09.0454 4000 usbscan - ok
16:48:09.0485 4000 [ BE3DA31C191BC222D9AD503C5224F2AD ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:48:09.0485 4000 USBSTOR - ok
16:48:09.0516 4000 [ 814D653EFC4D48BE3B04A307ECEFF56F ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
16:48:09.0516 4000 usbuhci - ok
16:48:09.0579 4000 [ E67998E8F14CB0627A769F6530BCB352 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
16:48:09.0579 4000 usbvideo - ok
16:48:09.0641 4000 [ 7B8424BBAAFBC127C8F55AD6007D6D6B ] UVCFTR C:\Windows\system32\Drivers\UVCFTR_S.SYS
16:48:09.0657 4000 UVCFTR - ok
16:48:09.0703 4000 [ 1509E705F3AC1D474C92454A5C2DD81F ] UxSms C:\Windows\System32\uxsms.dll
16:48:09.0703 4000 UxSms - ok
16:48:09.0766 4000 [ CD88D1B7776DC17A119049742EC07EB4 ] vds C:\Windows\System32\vds.exe
16:48:09.0766 4000 vds - ok
16:48:09.0781 4000 [ 7D92BE0028ECDEDEC74617009084B5EF ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
16:48:09.0781 4000 vga - ok
16:48:09.0813 4000 [ 2E93AC0A1D8C79D019DB6C51F036636C ] VgaSave C:\Windows\System32\drivers\vga.sys
16:48:09.0828 4000 VgaSave - ok
16:48:09.0844 4000 [ 045D9961E591CF0674A920B6BA3BA5CB ] viaagp C:\Windows\system32\drivers\viaagp.sys
16:48:09.0844 4000 viaagp - ok
16:48:09.0859 4000 [ 56A4DE5F02F2E88182B0981119B4DD98 ] ViaC7 C:\Windows\system32\drivers\viac7.sys
16:48:09.0859 4000 ViaC7 - ok
16:48:09.0891 4000 [ FD2E3175FCADA350C7AB4521DCA187EC ] viaide C:\Windows\system32\drivers\viaide.sys
16:48:09.0891 4000 viaide - ok
16:48:09.0906 4000 [ 69503668AC66C77C6CD7AF86FBDF8C43 ] volmgr C:\Windows\system32\drivers\volmgr.sys
16:48:09.0906 4000 volmgr - ok
16:48:09.0984 4000 [ 23E41B834759917BFD6B9A0D625D0C28 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
16:48:09.0984 4000 volmgrx - ok
16:48:10.0031 4000 [ 147281C01FCB1DF9252DE2A10D5E7093 ] volsnap C:\Windows\system32\drivers\volsnap.sys
16:48:10.0031 4000 volsnap - ok
16:48:10.0062 4000 [ D984439746D42B30FC65A4C3546C6829 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
16:48:10.0062 4000 vsmraid - ok
16:48:10.0109 4000 [ DB3D19F850C6EB32BDCB9BC0836ACDDB ] VSS C:\Windows\system32\vssvc.exe
16:48:10.0140 4000 VSS - ok
16:48:10.0218 4000 [ 96EA68B9EB310A69C25EBB0282B2B9DE ] W32Time C:\Windows\system32\w32time.dll
16:48:10.0218 4000 W32Time - ok
16:48:10.0249 4000 [ 48DFEE8F1AF7C8235D4E626F0C4FE031 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
16:48:10.0249 4000 WacomPen - ok
16:48:10.0281 4000 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
16:48:10.0281 4000 Wanarp - ok
16:48:10.0281 4000 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
16:48:10.0281 4000 Wanarpv6 - ok
16:48:10.0343 4000 [ A3CD60FD826381B49F03832590E069AF ] wcncsvc C:\Windows\System32\wcncsvc.dll
16:48:10.0359 4000 wcncsvc - ok
16:48:10.0374 4000 [ 11BCB7AFCDD7AADACB5746F544D3A9C7 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
16:48:10.0390 4000 WcsPlugInService - ok
16:48:10.0421 4000 [ AFC5AD65B991C1E205CF25CFDBF7A6F4 ] Wd C:\Windows\system32\drivers\wd.sys
16:48:10.0421 4000 Wd - ok
16:48:10.0468 4000 [ B6F0A7AD6D4BD325FBCD8BAC96CD8D96 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
16:48:10.0483 4000 Wdf01000 - ok
16:48:10.0530 4000 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiServiceHost C:\Windows\system32\wdi.dll
16:48:10.0530 4000 WdiServiceHost - ok
16:48:10.0546 4000 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiSystemHost C:\Windows\system32\wdi.dll
16:48:10.0546 4000 WdiSystemHost - ok
16:48:10.0561 4000 [ 04C37D8107320312FBAE09926103D5E2 ] WebClient C:\Windows\System32\webclnt.dll
16:48:10.0561 4000 WebClient - ok
16:48:10.0608 4000 [ AE3736E7E8892241C23E4EBBB7453B60 ] Wecsvc C:\Windows\system32\wecsvc.dll
16:48:10.0608 4000 Wecsvc - ok
16:48:10.0639 4000 [ 670FF720071ED741206D69BD995EA453 ] wercplsupport C:\Windows\System32\wercplsupport.dll
16:48:10.0639 4000 wercplsupport - ok
16:48:10.0702 4000 [ 32B88481D3B326DA6DEB07B1D03481E7 ] WerSvc C:\Windows\System32\WerSvc.dll
16:48:10.0702 4000 WerSvc - ok
16:48:10.0764 4000 [ 4575AA12561C5648483403541D0D7F2B ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
16:48:10.0764 4000 WinDefend - ok
16:48:10.0780 4000 WinHttpAutoProxySvc - ok
16:48:10.0842 4000 [ 6B2A1D0E80110E3D04E6863C6E62FD8A ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
16:48:10.0842 4000 Winmgmt - ok
16:48:10.0905 4000 [ 7CFE68BDC065E55AA5E8421607037511 ] WinRM C:\Windows\system32\WsmSvc.dll
16:48:10.0936 4000 WinRM - ok
16:48:11.0014 4000 [ C008405E4FEEB069E30DA1D823910234 ] Wlansvc C:\Windows\System32\wlansvc.dll
16:48:11.0029 4000 Wlansvc - ok
16:48:11.0061 4000 [ 2E7255D172DF0B8283CDFB7B433B864E ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
16:48:11.0076 4000 WmiAcpi - ok
16:48:11.0092 4000 [ 43BE3875207DCB62A85C8C49970B66CC ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
16:48:11.0092 4000 wmiApSrv - ok
16:48:11.0170 4000 [ 3978704576A121A9204F8CC49A301A9B ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
16:48:11.0170 4000 WMPNetworkSvc - ok
16:48:11.0217 4000 [ CFC5A04558F5070CEE3E3A7809F3FF52 ] WPCSvc C:\Windows\System32\wpcsvc.dll
16:48:11.0232 4000 WPCSvc - ok
16:48:11.0295 4000 [ 801FBDB89D472B3C467EB112A0FC9246 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
16:48:11.0295 4000 WPDBusEnum - ok
16:48:11.0357 4000 [ DE9D36F91A4DF3D911626643DEBF11EA ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
16:48:11.0357 4000 WpdUsb - ok
16:48:11.0529 4000 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
16:48:11.0560 4000 WPFFontCache_v0400 - ok
16:48:11.0591 4000 [ E3A3CB253C0EC2494D4A61F5E43A389C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
16:48:11.0591 4000 ws2ifsl - ok
16:48:11.0653 4000 [ 1CA6C40261DDC0425987980D0CD2AAAB ] wscsvc C:\Windows\system32\wscsvc.dll
16:48:11.0653 4000 wscsvc - ok
16:48:11.0669 4000 WSearch - ok
16:48:11.0763 4000 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
16:48:11.0809 4000 wuauserv - ok
16:48:11.0872 4000 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
16:48:11.0887 4000 WUDFRd - ok
16:48:11.0903 4000 [ 575A4190D989F64732119E4114045A4F ] wudfsvc C:\Windows\System32\WUDFSvc.dll
16:48:11.0919 4000 wudfsvc - ok
16:48:11.0919 4000 ================ Scan global ===============================
16:48:11.0934 4000 [ F31EEBC1A1C81FD04005489CC3DCDFE7 ] C:\Windows\system32\basesrv.dll
16:48:11.0981 4000 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
16:48:12.0012 4000 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
16:48:12.0075 4000 [ D4E6D91C1349B7BFB3599A6ADA56851B ] C:\Windows\system32\services.exe
16:48:12.0075 4000 [Global] - ok
16:48:12.0075 4000 ================ Scan MBR ==================================
16:48:12.0090 4000 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
16:48:12.0371 4000 \Device\Harddisk0\DR0 - ok
16:48:12.0371 4000 ================ Scan VBR ==================================
16:48:12.0371 4000 [ 034DC566075F964DC73202F23AEB1EB2 ] \Device\Harddisk0\DR0\Partition1
16:48:12.0371 4000 \Device\Harddisk0\DR0\Partition1 - ok
16:48:12.0387 4000 [ 6CD54B645026F2B5B54E6BF5A07C6E3C ] \Device\Harddisk0\DR0\Partition2
16:48:12.0387 4000 \Device\Harddisk0\DR0\Partition2 - ok
16:48:12.0387 4000 ============================================================
16:48:12.0387 4000 Scan finished
16:48:12.0387 4000 ============================================================
16:48:12.0402 3296 Detected object count: 0
16:48:12.0402 3296 Actual detected object count: 0
16:51:10.0461 0328 Deinitialize success


aswMBR Log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-30 16:51:46
-----------------------------
16:51:46.044 OS Version: Windows 6.0.6002 Service Pack 2
16:51:46.044 Number of processors: 2 586 0xF0D
16:51:46.044 ComputerName: TMADXXX-PC UserName: tmadxxx
16:51:47.464 Initialize success
16:53:01.704 AVAST engine defs: 12103000
16:53:56.491 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:53:56.491 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
16:53:56.523 Disk 0 MBR read successfully
16:53:56.523 Disk 0 MBR scan
16:53:56.523 Disk 0 Windows VISTA default MBR code
16:53:56.538 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 11350 MB offset 63
16:53:56.554 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 227122 MB offset 23246055
16:53:56.554 Disk 0 scanning sectors +488392065
16:53:56.647 Disk 0 scanning C:\Windows\system32\drivers
16:54:08.644 Service scanning
16:54:33.432 Modules scanning
16:54:38.814 Disk 0 trace - called modules:
16:54:38.845 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
16:54:38.845 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86034ac8]
16:54:38.861 3 CLASSPNP.SYS[8a7a38b3] -> nt!IofCallDriver -> [0x84b6e220]
16:54:38.861 5 acpi.sys[806966bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84b7f030]
16:54:40.655 AVAST engine scan C:\Windows
16:54:43.900 AVAST engine scan C:\Windows\system32
16:58:25.251 AVAST engine scan C:\Windows\system32\drivers
16:58:40.789 AVAST engine scan C:\Users\tmadxxx
17:04:46.484 AVAST engine scan C:\ProgramData
17:07:46.087 Scan finished successfully
17:08:49.345 Disk 0 MBR has been saved successfully to "C:\Temp\MBR.dat"
17:08:49.345 The log file has been saved successfully to "C:\Temp\aswMBR2.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:30 PM

Posted 30 October 2012 - 05:57 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Malroux

Malroux
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:30 PM

Posted 30 October 2012 - 08:10 PM

Hello again, Gringo. OTL ran with no problems, and the OTL.txt log is presented below. Extra.txt is available, should you need it. Google continues to be redirected to the sites I have come to know too well.

Malroux

OTL log:

OTL logfile created on: 10/30/2012 8:41:27 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\tmadxxx\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.65 Gb Available Physical Memory | 55.18% Memory free
6.18 Gb Paging File | 5.00 Gb Available in Paging File | 80.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.80 Gb Total Space | 44.10 Gb Free Space | 19.89% Space Free | Partition Type: NTFS
Drive D: | 11.08 Gb Total Space | 3.89 Gb Free Space | 35.14% Space Free | Partition Type: NTFS

Computer Name: TMADXXX-PC | User Name: tmadxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\tmadxxx\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
PRC - C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Online Services\Sign In\SignIn.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()


========== Services (SafeList) ==========

SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (HitmanProScheduler) -- C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (GameConsoleService) -- C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Driver Services (SafeList) ==========

DRV - (SymIMMP) -- system32\DRIVERS\SymIM.sys File not found
DRV - (SymIM) -- system32\DRIVERS\SymIM.sys File not found
DRV - (STHDA) -- system32\drivers\stwrt.sys File not found
DRV - (SBRE) -- C:\Windows\system32\drivers\SBREdrv.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (mbr) -- C:\ComboFix\mbr.sys File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (catchme) -- C:\Users\tmadxxx\AppData\Local\Temp\catchme.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (aswMBR) -- C:\Users\tmadxxx\AppData\Local\Temp\aswMBR.sys File not found
DRV - (USBModem) -- C:\Windows\System32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (UsbDiag) -- C:\Windows\System32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\Windows\System32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (DniVapCo) -- C:\Windows\System32\drivers\vapco.sys (Deterministic Networks Inc.)
DRV - (MRVW147) -- C:\Windows\System32\drivers\MRVW147.sys (Marvell Semiconductor, Inc)
DRV - (UVCFTR) -- C:\Windows\System32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (NETw2v32) -- C:\Windows\System32\drivers\NETw2v32.sys (Intel® Corporation)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
IE - HKLM\..\SearchScopes,DefaultScope =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes,DefaultScope = {442CF712-C00E-4779-90BE-BEBD9B4E649C}
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes\{442CF712-C00E-4779-90BE-BEBD9B4E649C}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GWYE
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes\{63140ECF-C629-BE59-8F0E-90B4FF340C03}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z128&form=ZGAIDF&install_date=20111013&iesrc={referrer:source}
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=6PXxDsvGqIhTcUaTRsvQ4jVvNDM?q={searchTerms}
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Google + Flip"
FF - prefs.js..browser.search.defaulturl: "http://www.infoaxe.com/enhancedsearch.jsp?cx=partner-pub-6808396145675874:scfw9ganq4h&amp;cof=FORID:10&amp;ie=ISO-8859-1&amp;q={searchTerms}&amp;sa=Search&amp;tracking="
FF - prefs.js..browser.search.selectedEngine: "Google + Flip"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..keyword.URL: "http://www.infoaxe.com/enhancedsearch_add.jsp?cx=partner-pub-6808396145675874:xl345tirlb7&cof=FORID:10&ie=ISO-8859-1&q="
FF - prefs.js..browser.startup.homepage: "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=9202AA627752E0778EDB415085A463DB"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.775: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\tmadxxx\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/26 22:15:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/10/26 22:15:10 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/26 22:15:14 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/10/26 22:15:10 | 000,000,000 | ---D | M]

[2008/09/04 20:51:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Extensions
[2012/10/26 17:20:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions
[2012/10/22 15:54:26 | 000,000,000 | ---D | M] (Ad-Aware Security Add-on) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2010/05/30 21:14:42 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2012/10/22 15:54:39 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2012/10/23 15:42:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions
[2012/10/22 15:54:26 | 000,000,000 | ---D | M] (Ad-Aware Security Add-on) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2012/10/22 15:54:43 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2008/01/19 01:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\yncsrmjvia@yncsrmjvia.org.xpi
[2012/02/03 17:29:35 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2008/01/19 01:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\yncsrmjvia@yncsrmjvia.org.xpi
[2012/01/04 13:56:50 | 000,002,096 | ---- | M] () -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\searchplugins\infoaxe.xml
[2012/10/26 22:15:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/26 22:15:09 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/10/26 22:15:14 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/22 15:54:33 | 000,000,616 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml
[2012/10/18 14:33:35 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/18 14:33:35 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/10/26 17:33:00 | 000,000,019 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Ad-Aware Security Add-on) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Add-on) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [SignIn] C:\Program Files\Microsoft Online Services\Sign In\SignIn.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000..\Run: [AROReminder] C:\Program Files\ARO 2012\ARO.exe (Support.com, Inc.)
O4 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
O4 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Free YouTube Download - C:\Users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..Trusted Domains: livemeeting.com ([]https in Internet)
O15 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..Trusted Domains: microsoftonline.com ([]https in Local intranet)
O15 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://redvector.webex.com/client/T27LB/training/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ADF67151-6190-40DF-9538-0890B562DCC8}: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\GTW3_Standard.bmp
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\GTW3_Standard.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/30 12:29:06 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Local\temp
[2012/10/30 12:28:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/10/29 17:35:22 | 000,687,724 | R--- | C] (Swearware) -- C:\Users\tmadxxx\Desktop\dds.com
[2012/10/27 10:39:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/10/26 22:38:00 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\tmadxxx\Desktop\OTL.exe
[2012/10/26 22:15:09 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/10/26 21:43:56 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\tmadxxx\Desktop\aswMBR.exe
[2012/10/26 17:35:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/10/26 17:27:49 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\Desktop\RK_Quarantine
[2012/10/26 11:12:00 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Roaming\Sammsoft
[2012/10/26 11:11:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ARO 2012
[2012/10/26 11:11:40 | 000,000,000 | ---D | C] -- C:\Program Files\ARO 2012
[2012/10/26 10:57:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
[2012/10/26 10:57:32 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/10/26 10:56:35 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/10/25 11:32:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/10/25 11:32:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/10/25 11:32:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/10/25 11:28:13 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/10/25 11:26:43 | 004,988,915 | R--- | C] (Swearware) -- C:\Users\tmadxxx\Desktop\ComboFix.exe
[2012/10/24 18:37:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/10/24 18:37:45 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/10/24 18:34:07 | 002,213,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\tmadxxx\Desktop\tdsskiller.exe
[2012/10/22 15:58:07 | 000,000,000 | ---D | C] -- C:\Program Files\Ad-Aware Antivirus
[2012/10/22 15:55:43 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Local\Downloaded Installations
[2012/10/22 15:54:55 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Local\adawarebp
[2012/10/22 15:54:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2012/10/22 15:53:55 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2012/10/22 15:36:42 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Roaming\LavasoftStatistics
[2012/10/22 15:36:01 | 000,000,000 | ---D | C] -- C:\Users\tmadxxx\AppData\Roaming\Ad-Aware Antivirus
[2012/10/17 12:41:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
[2012/10/17 12:38:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/10/17 12:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/10/17 12:36:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/10/17 12:36:11 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012/10/10 00:32:37 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2012/10/10 00:32:30 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/10/10 00:32:30 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe

========== Files - Modified Within 30 Days ==========

[2012/10/30 20:21:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/10/30 19:16:44 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/30 19:16:44 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/30 04:16:00 | 000,000,374 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateXML_tmadxxx.job
[2012/10/29 23:21:50 | 000,617,702 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/10/29 23:21:50 | 000,108,772 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/10/29 23:18:28 | 000,001,110 | ---- | M] () -- C:\Users\tmadxxx\Desktop\Get Live PC Help Now.lnk
[2012/10/29 23:17:08 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_tmadxxx.job
[2012/10/29 23:16:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/10/29 23:16:38 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/29 17:43:19 | 000,302,592 | ---- | M] () -- C:\Users\tmadxxx\Desktop\gmer.exe
[2012/10/29 17:40:02 | 000,003,140 | ---- | M] () -- C:\Users\tmadxxx\Desktop\attach.zip
[2012/10/29 17:35:22 | 000,687,724 | R--- | M] (Swearware) -- C:\Users\tmadxxx\Desktop\dds.com
[2012/10/29 17:30:57 | 000,000,000 | ---- | M] () -- C:\Users\tmadxxx\defogger_reenable
[2012/10/29 11:32:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateFiles_tmadxxx.job
[2012/10/26 22:38:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\tmadxxx\Desktop\OTL.exe
[2012/10/26 21:44:03 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\tmadxxx\Desktop\aswMBR.exe
[2012/10/26 17:33:00 | 000,000,019 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/10/26 17:27:20 | 001,580,544 | ---- | M] () -- C:\Users\tmadxxx\Desktop\RogueKiller.exe
[2012/10/26 17:18:38 | 000,538,941 | ---- | M] () -- C:\Users\tmadxxx\Desktop\adwcleaner.exe
[2012/10/26 17:05:30 | 000,881,773 | ---- | M] () -- C:\Users\tmadxxx\Desktop\SecurityCheck.exe
[2012/10/26 10:57:33 | 000,001,732 | ---- | M] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2012/10/25 11:26:58 | 004,988,915 | R--- | M] (Swearware) -- C:\Users\tmadxxx\Desktop\ComboFix.exe
[2012/10/24 18:37:46 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/10/24 18:34:12 | 002,213,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\tmadxxx\Desktop\tdsskiller.exe
[2012/10/19 20:51:17 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/10/19 20:51:17 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/10/17 12:38:15 | 000,001,664 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/10/08 23:21:17 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/10/08 23:21:17 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/10/29 23:18:28 | 000,001,110 | ---- | C] () -- C:\Users\tmadxxx\Desktop\Get Live PC Help Now.lnk
[2012/10/29 17:40:02 | 000,003,140 | ---- | C] () -- C:\Users\tmadxxx\Desktop\attach.zip
[2012/10/29 17:30:57 | 000,000,000 | ---- | C] () -- C:\Users\tmadxxx\defogger_reenable
[2012/10/26 17:27:08 | 001,580,544 | ---- | C] () -- C:\Users\tmadxxx\Desktop\RogueKiller.exe
[2012/10/26 17:18:38 | 000,538,941 | ---- | C] () -- C:\Users\tmadxxx\Desktop\adwcleaner.exe
[2012/10/26 17:05:30 | 000,881,773 | ---- | C] () -- C:\Users\tmadxxx\Desktop\SecurityCheck.exe
[2012/10/26 10:57:33 | 000,001,732 | ---- | C] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2012/10/25 11:32:20 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/10/25 11:32:20 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/10/25 11:32:20 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/10/25 11:32:20 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/10/25 11:32:20 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/10/24 18:37:46 | 000,000,804 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/10/17 12:38:15 | 000,001,664 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/06/17 20:49:52 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011/06/17 20:49:52 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/04/06 17:08:56 | 000,266,240 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2010/07/21 14:25:14 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/03 21:06:25 | 000,001,492 | ---- | C] () -- C:\ProgramData\ss.ini
[2008/02/27 14:12:18 | 000,000,680 | ---- | C] () -- C:\Users\tmadxxx\AppData\Local\d3d9caps.dat
[2008/01/10 21:36:50 | 000,140,288 | ---- | C] () -- C:\Users\tmadxxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 08:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:30 PM

Posted 30 October 2012 - 08:16 PM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :OTL
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
    O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
    O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
    O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
    O37 - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=6PXxDsvGqIhTcUaTRsvQ4jVvNDM?q={searchTerms}
    FF - prefs.js..browser.startup.homepage: "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=9202AA627752E0778EDB415085A463DB"
    [2008/01/19 01:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\yncsrmjvia@yncsrmjvia.org.xpi
    [2008/01/19 01:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\yncsrmjvia@yncsrmjvia.org.xpi
    :files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
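The fix above works by pasting OTL's own log lines back into it under `:OTL`: the orphaned BHO and toolbar CLSIDs ("No CLSID value found"), the RunOnce values whose command no longer exists, the IE search scope pointing at a non-search-engine address, the Firefox homepage pref set to a toolbar search site, and the two unnamed `.xpi` files. The script below is an added example written for this thread; it is not OTL's code and not part of the original post. It triages an OTL log for exactly those entry types and emits a fix script in the same shape. The sample log is a constructed excerpt built from the lines quoted above, with placeholder GUIDs for the two benign entries, and the list of trusted search hosts is an assumption.

```python
"""Triage an OTL (OldTimer's List-It) log for the entry types the fix above removes.

Added example for this thread, not OTL's own code. SAMPLE_OTL_LOG is a constructed
excerpt shaped like the OTL lines quoted in the thread; the two benign entries use
placeholder GUIDs, and TRUSTED_SEARCH_HOSTS is an assumption.
"""
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

SAMPLE_OTL_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Example PDF Helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Vendor)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
IE - HKU\S-1-5-21-1014990509-3480776375-117215019-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=6PXxDsvGqIhTcUaTRsvQ4jVvNDM?q={searchTerms}
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000002}: "URL" = http://www.bing.com/search?q={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=9202AA627752E0778EDB415085A463DB"
[2008/01/19 01:49:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\yncsrmjvia@yncsrmjvia.org.xpi
"""

# Search engines a search scope or Firefox start/search pref may legitimately use (assumption).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Firefox prefs that decide where typed searches and the home page go.
FF_SEARCH_PREFS = {"browser.startup.homepage", "keyword.URL", "browser.search.defaulturl"}


class Finding(NamedTuple):
    category: str   # what kind of entry this is
    detail: str     # CLSID, value name, host or path
    line: str       # the OTL line verbatim, reusable under :OTL


_GUID = r"\{[0-9A-Fa-f-]{36}\}"
# O2 (BHO) and O3 (toolbar) lines: "(name) - {CLSID} - target"
_COM_RE = re.compile(r"^O[23] - .*?: \((?P<name>[^)]*)\) - (?P<clsid>" + _GUID + r") - (?P<target>.*)$")
# O4 autorun lines: "HIVE..\Run[Once]: [value] command"
_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\.\.\\(?P<key>Run(?:Once)?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
_SCOPE_RE = re.compile(r'^IE - .*SearchScopes\\(?P<clsid>' + _GUID + r'): "URL" = (?P<url>\S+)$')
_FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<value>[^"]*)"$')
_XPI_RE = re.compile(r"^\[.*\] \(\) \(No name found\) -- (?P<path>.*\.xpi)$")


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage(log_text: str) -> List[Finding]:
    """Return the log entries a cleaner would want to remove, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _COM_RE.match(line)
        if m:
            # Registration whose COM server is gone: the trace of an uninstalled add-on.
            if m["target"].startswith("No CLSID value found") or m["name"] == "no name":
                findings.append(Finding("orphaned_com_entry", m["clsid"], line))
            continue
        m = _RUN_RE.match(line)
        if m:
            if m["cmd"].endswith("File not found"):
                findings.append(Finding("dead_autorun", m["value"], line))
            continue
        m = _SCOPE_RE.match(line)
        if m:
            host = _host(m["url"])
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding("search_scope_hijack", host, line))
            continue
        m = _FF_PREF_RE.match(line)
        if m:
            host = _host(m["value"])
            if m["pref"] in FF_SEARCH_PREFS and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding("firefox_pref_hijack", f"{m['pref']} -> {host}", line))
            continue
        m = _XPI_RE.match(line)
        if m:
            # A packed extension OTL could not read a name from.
            findings.append(Finding("unnamed_firefox_extension", m["path"], line))
    return findings


def build_otl_fix(findings: List[Finding], flush_dns: bool = True) -> str:
    """Emit a fix script in the shape used in this thread: offending log lines verbatim
    under :OTL, an optional DNS cache flush, then the cache-clearing commands."""
    lines = [":OTL", *[f.line for f in findings]]
    if flush_dns:
        lines += [":files", "ipconfig /flushdns /c"]
    lines += [":Commands", "[PURITY]", "[emptyjava]", "[EMPTYFLASH]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_OTL_LOG)
    for hit in hits:
        print(f"{hit.category:28} {hit.detail}")
    print(build_otl_fix(hits))
```

Run it against a saved OTL.txt by reading the file into `triage()`. The output is a candidate list only: an orphaned CLSID is harmless by itself, and a search scope at 127.0.0.1:4664 is where a local desktop-search product answers, so review each hit before pasting the generated script into OTL.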

#11 Malroux

Malroux
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:30 PM

Posted 30 October 2012 - 09:39 PM

Hello, Gringo. I ran OTL Run Fix using the script you provided. The OTL Runfix log is presented below. Following this I ran a lot of google searches (about 100) and experienced no redirects. So that has to be good news, right?

Malroux

OTL Runfix Log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware_XP deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware_XP not found.
Registry key HKEY_USERS\S-1-5-21-1014990509-3480776375-117215019-1000_Classes\.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1014990509-3480776375-117215019-1000_Classes\ComFile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-1014990509-3480776375-117215019-1000\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E}\ not found.
Prefs.js: "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=homepage&toolbarid=adawaretb&v=2_2&u=9202AA627752E0778EDB415085A463DB" removed from browser.startup.homepage
C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\5hdljzf5.default\extensions\yncsrmjvia@yncsrmjvia.org.xpi moved successfully.
C:\Users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\yncsrmjvia@yncsrmjvia.org.xpi moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\tmadxxx\Desktop\cmd.bat deleted successfully.
C:\Users\tmadxxx\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: AppData

User: Default

User: Default User

User: Public

User: tmadxxx
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: AppData

User: Default

User: Default User

User: Public

User: tmadxxx
->Flash cache emptied: 545 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10302012_220133

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:30 PM

Posted 31 October 2012 - 08:13 AM

Greetings

That is very good news!!

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#13 Malroux

Malroux
  • Topic Starter

  • Members
  • 10 posts
  •  
  • Local time:10:30 PM

Posted 31 October 2012 - 10:23 AM

Hello, Gringo. I ran Combofix with the script you provided. There were no errors or problems in running Combofix, and I did not need to restart the computer. The Combofix log is presented below. Google searching is still doing fine, with no redirects. There are no other issues with my computer that I know of.

Malroux


ComboFix (with CFScript) Log:

ComboFix 12-10-25.01 - tmadxxx 10/31/2012 10:32:23.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1541 [GMT -4:00]
Running from: c:\users\tmadxxx\Desktop\ComboFix.exe
Command switches used :: c:\users\tmadxxx\Desktop\cfscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-31 )))))))))))))))))))))))))))))))
.
.
2012-10-31 14:38 . 2012-10-31 14:38 -------- d-----w- c:\users\tmadxxx\AppData\Local\temp
2012-10-31 14:38 . 2012-10-31 14:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-31 05:37 . 2012-10-31 05:37 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBEDF889-DFF1-4B9E-86F0-742F556AD799}\offreg.dll
2012-10-31 02:01 . 2012-10-31 02:01 -------- d-----w- C:\_OTL
2012-10-30 23:41 . 2012-10-17 06:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBEDF889-DFF1-4B9E-86F0-742F556AD799}\mpengine.dll
2012-10-27 14:39 . 2012-10-27 14:39 -------- d-----w- c:\program files\ESET
2012-10-26 15:12 . 2012-10-26 15:12 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\Sammsoft
2012-10-26 15:11 . 2012-10-26 15:11 -------- d-----w- c:\program files\ARO 2012
2012-10-26 14:57 . 2012-10-26 14:57 -------- d-----w- c:\program files\HitmanPro
2012-10-26 14:56 . 2012-10-26 14:57 -------- d-----w- c:\programdata\HitmanPro
2012-10-24 22:37 . 2012-10-24 22:37 -------- d-----w- c:\program files\CCleaner
2012-10-22 19:58 . 2012-10-25 15:31 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-10-22 19:55 . 2012-10-22 19:55 -------- d-----w- c:\users\tmadxxx\AppData\Local\Downloaded Installations
2012-10-22 19:54 . 2012-10-22 19:59 -------- d-----w- c:\users\tmadxxx\AppData\Local\adawarebp
2012-10-22 19:54 . 2012-10-30 03:17 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-10-22 19:53 . 2012-10-22 19:54 -------- d-----w- c:\program files\adawaretb
2012-10-22 19:36 . 2012-10-22 19:36 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\LavasoftStatistics
2012-10-22 19:36 . 2012-10-23 14:30 -------- d-----w- c:\users\tmadxxx\AppData\Roaming\Ad-Aware Antivirus
2012-10-17 16:38 . 2012-08-21 17:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-17 16:36 . 2012-10-17 16:36 -------- d-----w- c:\program files\iPod
2012-10-17 16:36 . 2012-10-17 16:38 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-17 16:36 . 2012-10-17 16:38 -------- d-----w- c:\program files\iTunes
2012-10-10 04:32 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 04:32 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 04:32 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 04:32 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 04:32 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 04:32 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 04:32 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 03:21 . 2012-04-06 22:55 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 03:21 . 2011-06-22 01:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-24 06:59 . 2012-09-23 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-23 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-23 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-23 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-23 07:01 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-23 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 17:01 . 2011-09-21 21:13 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-10-27 02:15 . 2012-10-27 02:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-12-01 04:07 . 2012-10-27 02:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-09-20 20:06 87448 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2012-09-20 87448]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"AROReminder"="c:\program files\ARO 2012\ARO.exe" [2012-07-27 2553752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-01 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"SignIn"="c:\program files\Microsoft Online Services\Sign In\SignIn.exe" [2010-03-10 1734512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 14202562
*Deregistered* - 14202562
*Deregistered* - aswMBR
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 03:21]
.
2012-10-31 c:\windows\Tasks\ReclaimerUpdateFiles_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
2012-10-31 c:\windows\Tasks\ReclaimerUpdateXML_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
2012-10-30 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_tmadxxx.job
- c:\users\tmadxxx\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-26 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=9202AA627752E0778EDB415085A463DB&q=
FF - ExtSQL: 2012-10-22 15:54; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
FF - ExtSQL: 2012-10-22 15:54; jid1-yZwVFzbsyfMrqQ@jetpack; c:\users\tmadxxx\AppData\Roaming\Mozilla\Firefox\Profiles\wk25kv16.default-1341699211259\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-31 10:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-10-31 10:40:32
ComboFix-quarantined-files.txt 2012-10-31 14:40
ComboFix2.txt 2012-10-30 16:29
ComboFix3.txt 2012-10-27 02:34
ComboFix4.txt 2012-10-26 21:47
ComboFix5.txt 2012-10-31 14:30
.
Pre-Run: 46,232,158,208 bytes free
Post-Run: 46,286,213,120 bytes free
.
- - End Of File - - B77D4DC7D34B4765B812E9E9AB4BDB16
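The ComboFix log above still reports `keyword.URL` in the Firefox profile pointing at safesearchr.lavasoft.com, while the earlier OTL fix only cleared `browser.startup.homepage`. The script below is an added example written for this thread, not code from Firefox or from any tool used in it. It parses the `user_pref(...)` lines of a prefs.js or user.js, flags the home-page, keyword and search prefs whose host is outside an assumed allowlist, and strips the flagged lines so Firefox falls back to its built-in defaults. It goes slightly beyond the page by also checking the proxy prefs, since a PAC URL is the other place a browser-level redirect can sit. The prefs excerpt is constructed; the trusted-host list is an assumption. Edit prefs.js only while Firefox is closed, because Firefox rewrites the file on exit.

```python
"""Audit a Firefox prefs.js / user.js for start-page, search and proxy prefs that point somewhere unexpected.

Added example for this thread, not code from Firefox or from any tool used here. SAMPLE_PREFS_JS
is a constructed excerpt; its keyword.URL value mirrors the one the ComboFix log above still
reports. TRUSTED_HOSTS is an assumption; adjust it to the engines the user actually chose.
"""
import re
from typing import Dict, Iterable, List, Tuple, Union
from urllib.parse import urlsplit

PrefValue = Union[str, int, bool]

SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("browser.startup.page", 1);
user_pref("keyword.URL", "http://safesearchr.lavasoft.com/?source=3336ca5f&tbp=url&toolbarid=adawaretb&u=9202AA627752E0778EDB415085A463DB&q=");
user_pref("browser.search.defaulturl", "http://www.google.com/search?q=");
user_pref("network.proxy.type", 0);
'''

TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Prefs whose value is a URL deciding where the home page, typed keywords or default
# search go; network.proxy.autoconfig_url is where a PAC-based redirect would sit.
URL_PREFS = ("browser.startup.homepage", "keyword.URL", "browser.search.defaulturl",
             "browser.search.homepage", "network.proxy.autoconfig_url")

# network.proxy.type: 0 = direct, 1 = manual, 2 = PAC, 4 = WPAD auto-detect, 5 = system settings.
BASELINE_PROXY_TYPES = (0, 5)

_PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')


def _parse_value(raw: str) -> PrefValue:
    """Turn the JS literal on the right of a user_pref into str, bool or int."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Map pref name to value for every user_pref(...) line; comments and blanks are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m:
            prefs[m["name"]] = _parse_value(m["value"])
    return prefs


def _hosts(value: str) -> List[str]:
    """The home page may hold several URLs separated by '|'; about: URLs have no host."""
    hosts = []
    for part in value.split("|"):
        host = urlsplit(part.strip()).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def audit_prefs(text: str) -> List[Tuple[str, str]]:
    """Return (pref, reason) pairs for prefs that send traffic to an untrusted host or proxy."""
    prefs = parse_prefs(text)
    findings: List[Tuple[str, str]] = []
    for name in URL_PREFS:
        value = prefs.get(name)
        if isinstance(value, str):
            for host in _hosts(value):
                if host not in TRUSTED_HOSTS:
                    findings.append((name, f"points at {host}"))
    proxy_type = prefs.get("network.proxy.type", 0)
    if proxy_type not in BASELINE_PROXY_TYPES:
        findings.append(("network.proxy.type",
                         f"proxy mode {proxy_type} routes browsing through a configured proxy"))
    return findings


def strip_prefs(text: str, names: Iterable[str]) -> str:
    """Drop the user_pref lines for the given names. With the line gone, Firefox falls back
    to its built-in default on next start; edit prefs.js only while Firefox is closed."""
    drop = set(names)
    kept: List[str] = []
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m and m["name"] in drop:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for pref, reason in audit_prefs(SAMPLE_PREFS_JS):
        print(f"{pref}: {reason}")
```

Point `parse_prefs()` at the profile's prefs.js (the ComboFix log names the profile directory under `FF - ProfilePath`) and write the result of `strip_prefs()` back only after Firefox has exited; a user.js in the same folder re-applies its prefs on every start, so check it too.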

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:30 PM

Posted 31 October 2012 - 11:42 AM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

µTorrent
Adobe Reader 8.3.1
Browser Address Error Redirector
Java™ SE Runtime Environment 6 Update 1
McAfee Security Scan Plus


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done click Finish.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32-bit
(located at C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 Malroux

Malroux
  • Topic Starter

  • Members
  • 10 posts

Posted 31 October 2012 - 04:23 PM

Hello Gringo. I uninstalled the programs you requested that I remove. I then installed Java from the site you provided. I then ran CCleaner, MBAM and HijackThis. I encountered no problems in running these programs. The MBAM log and the HijackThis report are provided below, as you requested. The Google searches have been fine, with no redirects.

However, one strange thing I have noticed is that several folders on my computer denied me access. In order to get access to them I had to delete one of the users and specify a new user, with full access permissions. This then allowed me to access the folder. One of the folders that I couldn't (temporarily) access was C:\Documents and Settings, where the MBAM log was saved. That's why I noticed. I mention this for whatever it's worth.

Malroux


MBAM log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.31.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
tmadxxx :: TMADXXX-PC [administrator]

Protection: Enabled

10/31/2012 4:12:48 PM
mbam-log-2012-10-31 (16-12-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208617
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HijackThis report:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:39 PM, on 10/31/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Online Services\Sign In\SignIn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Windows\Explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\tmadxxx\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6750
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SignIn] "C:\Program Files\Microsoft Online Services\Sign In\SignIn.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2012\ARO.exe -rem
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\tmadxxx\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redvector.webex.com/client/T27LB/training/ieatgpc1.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

--
End of file - 9440 bytes
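The HijackThis report above is a plain-text list of autostart points (O4), browser helper objects and toolbars (O2/O3), AppInit DLLs (O20) and services (O23), and the helper's warning not to act on it blindly is sound: most entries are legitimate. What a reviewer actually does with such a log is turn each line into a structured record and then apply triage heuristics, for example highlighting entries whose binary lives in a user-writable location (AppData, ProgramData, Temp) so those get looked at first. The script below is an added example written for this thread, not code from HijackThis, Trend Micro or the poster; the sample log it parses is constructed for the example and the list of user-writable path markers is an assumption chosen for illustration. Flagging an entry means "review this one", not "this is malware".

```python
import re
from collections import Counter

# Constructed HijackThis-style sample for the example (not the log posted above).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\Windows\Explorer.exe

O2 - BHO: Example Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Example\helper.dll
O3 - Toolbar: &Example - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" /startup
O4 - HKCU\..\Run: [Sync] C:\Users\alice\AppData\Roaming\sync\sync.exe
O4 - Global Startup: Notes.lnk = C:\Program Files\Example\notes.exe
O20 - AppInit_DLLs: C:\ProgramData\example\hook.dll
O23 - Service: Example Updater (ExampleUpdate) - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: Plain Service - Example Corp - C:\Program Files\Example\plain.exe
--
End of file - 1234 bytes
"""

# Every reportable line starts with a section code such as O4 or R1, then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O2/O3: "<kind>: <name> - {CLSID} - <dll path>"
COM_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4: "<hive or folder>: [<name>] <command>"  or  "Global Startup: <file>.lnk = <target>"
RUN_RE = re.compile(r"^(?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>[^=]+?) = (?P<target>.*))$")
# O23: "Service: <display name> (<short name>)? - <company> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?)(?: \((?P<short>[^)]*)\))? - (?P<company>.*?) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.*)$")
# Pull the executable out of a Run command: quoted path, or bare path up to a known extension.
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|lnk|bat|cmd|scr|vbs)))', re.IGNORECASE)

# Assumed triage markers: directories a non-admin user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def exe_path(cmd):
    """Strip quotes and arguments from a Run-key command, leaving the binary path."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def parse_hjt(text):
    """Turn HijackThis report lines into dicts; unparsed sections keep only the raw line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "raw": line.strip(), "path": None}
        if section in ("O2", "O3") and (c := COM_RE.match(body)):
            entry.update(kind=c["kind"], name=c["name"], clsid=c["clsid"], path=c["path"])
        elif section == "O4" and (r := RUN_RE.match(body)):
            entry.update(location=r["location"],
                         name=r["name"] if r["name"] is not None else r["lnk"],
                         path=exe_path(r["cmd"] if r["cmd"] is not None else r["target"]))
        elif section == "O20" and (a := APPINIT_RE.match(body)):
            entry.update(path=a["path"])
        elif section == "O23" and (s := SERVICE_RE.match(body)):
            entry.update(name=s["name"], short=s["short"], company=s["company"], path=s["path"])
        entries.append(entry)
    return entries


def is_user_writable(path):
    """Heuristic: does the binary live somewhere an unprivileged user could have dropped it?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def summarize(entries):
    """Count entries per HijackThis section code."""
    return Counter(e["section"] for e in entries)


def review_candidates(entries):
    """Entries worth a closer look first; a hit is a prompt to verify, not a verdict."""
    return [e for e in entries if e["path"] and is_user_writable(e["path"])]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for section, count in sorted(summarize(parsed).items()):
        print(f"{section}: {count}")
    for e in review_candidates(parsed):
        print("review:", e["raw"])
```

On the constructed sample this flags the HKCU Run entry under AppData and the AppInit DLL under ProgramData; on the real log above the same rule would single out, for instance, the Ad-Aware entry under C:\ProgramData, which is a legitimate product and shows why the output is a review queue rather than a removal list.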



