IE 9 Homepage Redirected to Software Education


  • This topic is locked
41 replies to this topic

#1 dmcmaster
  • Members
  • 48 posts

Posted 01 November 2012 - 07:12 PM

My Firefox browser was being redirected to a page entitled Software Education instead of its normal homepage. Forum Addict was able to help me get rid of the redirect for Firefox, but when they had me check IE 9, which I don't normally use, the redirect was then active in it. They referred me to this topic to find out what the problem was, thinking that I'd have to go in deeper. The logs which you require follow.

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.9.2
Run by David McMaster at 18:30:22 on 2012-11-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.1203 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\BitLord 2\Bitlord files\bitlord.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer = 68.94.156.1 68.94.157.1
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\david mcmaster\appdata\roaming\mozilla\firefox\profiles\a5ql0mzu.default\
FF - prefs.js: browser.startup.homepage - www.my.yahoo.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-9-30 250808]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-30 115168]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-9-30 1343400]
.
=============== Created Last 30 ================
.
2012-10-31 00:20:20 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{896f02e0-203e-4763-92c4-81d3120f7bab}\mpengine.dll
2012-10-30 23:44:07 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-30 03:17:13 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Malwarebytes
2012-10-30 03:16:50 -------- d-----w- c:\programdata\Malwarebytes
2012-10-30 03:16:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-30 03:16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-29 00:43:36 -------- d-----w- c:\program files\CMAK
2012-10-27 17:43:51 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-27 17:43:51 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-27 11:11:21 -------- d-----w- C:\JRT
2012-10-25 12:35:36 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Watchtower
2012-10-25 11:55:44 -------- d-----w- c:\program files\Watchtower
2012-10-25 11:43:40 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2012-10-24 20:57:25 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-24 20:25:58 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db371266-de6f-4d56-a9a6-9338f93062d9}\gapaengine.dll
2012-10-24 19:43:04 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-23 11:23:05 6980552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-10-23 11:23:01 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{41b6ff2c-a348-4118-91e5-73c714e55f78}\mpengine.dll
2012-10-23 11:13:36 -------- d-----w- c:\users\david mcmaster\appdata\roaming\DriverCure
2012-10-22 13:20:52 -------- d-----w- C:\sh4ldr
2012-10-22 13:20:06 -------- d-----w- c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP
2012-10-22 13:20:04 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-10-21 22:57:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-21 22:54:34 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-10-21 22:53:48 -------- d-----w- c:\program files\BillP Studios
2012-10-19 19:05:28 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-19 15:34:01 -------- d-sha-r- C:\37558
2012-10-19 08:36:17 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2012-10-19 08:36:17 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2012-10-19 07:47:37 81920 ----a-w- c:\windows\system32\mbmouse.ocx
2012-10-19 07:47:37 662288 ----a-w- c:\windows\system32\mscomct2.ocx
2012-10-19 07:47:37 36864 ----a-w- c:\windows\system32\trayicon.ocx
2012-10-19 07:47:37 212240 ----a-w- c:\windows\system32\richtx32.ocx
2012-10-19 07:47:37 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-10-19 04:28:12 -------- d-----w- c:\users\david mcmaster\appdata\roaming\NVIDIA
2012-10-19 04:28:09 -------- d-----w- c:\users\david mcmaster\appdata\local\ImTOO
2012-10-19 04:27:44 -------- d-----w- c:\users\david mcmaster\appdata\roaming\ImTOO
2012-10-19 03:42:43 -------- d-----w- c:\users\david mcmaster\appdata\local\Google
2012-10-19 01:49:32 -------- d-----w- c:\users\david mcmaster\appdata\roaming\tiger-k
2012-10-19 01:49:32 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Leawo
2012-10-19 01:49:32 -------- d-----w- c:\programdata\Leawo
2012-10-19 01:49:18 175616 ----a-w- c:\windows\system32\unrar.dll
2012-10-19 01:49:04 606208 ----a-w- c:\windows\system32\xvidcore.dll
2012-10-19 01:49:04 139264 ----a-w- c:\windows\system32\xvid.ax
2012-10-19 01:43:45 -------- d-----w- c:\users\david mcmaster\appdata\roaming\GetRightToGo
2012-10-10 12:15:58 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 12:15:58 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 12:15:58 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 12:15:49 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 12:15:48 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-10-10 12:15:47 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 12:15:47 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-04 22:41:41 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2012-10-04 22:41:41 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2012-10-04 22:41:40 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-10-04 22:41:40 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2012-10-04 22:41:40 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-10-04 22:41:40 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2012-10-04 22:41:40 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2012-10-04 22:41:40 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-10-04 22:41:40 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-10-04 22:41:39 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-10-04 22:31:36 -------- d-----w- c:\program files\2K Sports
2012-10-03 01:57:05 726376 ----a-w- c:\windows\system32\nv3dappshext.dll
2012-10-03 01:57:05 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-10-03 01:57:05 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-10-03 01:57:05 54632 ----a-w- c:\windows\system32\nv3dappshextr.dll
2012-10-03 01:57:05 2843496 ----a-w- c:\windows\system32\nvsvc.dll
2012-10-03 01:57:05 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-10-03 01:57:04 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-10-03 01:57:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-10-03 01:55:40 -------- d-----w- c:\program files\NVIDIA Corporation
2012-10-03 01:55:15 -------- d-----w- C:\NVIDIA
.
==================== Find3M ====================
.
2012-10-19 19:05:21 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-19 19:05:21 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-15 17:15:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-15 17:15:03 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-24 16:57:48 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12:27 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-18 07:48:32 430952 ----a-w- c:\windows\system32\nvStreaming.exe
.
============= FINISH: 18:30:46.64 ===============


#2 nasdaq
  • Malware Response Team
  • 39,903 posts
  • Location:Montreal, QC. Canada

Posted 03 November 2012 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 dmcmaster
  • Topic Starter
  • Members
  • 48 posts

Posted 04 November 2012 - 02:45 PM

Here are the logs:

ComboFix 12-11-04.01 - David McMaster 11/04/2012 13:21:46.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.1330 [GMT -6:00]
Running from: c:\users\David McMaster\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-04 to 2012-11-04 )))))))))))))))))))))))))))))))
.
.
2012-11-04 19:25 . 2012-11-04 19:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-04 07:24 . 2012-10-12 03:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D2785EBC-6CA8-4E72-B3DE-6BF4D39A9DE3}\mpengine.dll
2012-10-30 23:44 . 2012-10-30 23:44 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-30 03:17 . 2012-10-30 03:17 -------- d-----w- c:\users\David McMaster\AppData\Roaming\Malwarebytes
2012-10-30 03:16 . 2012-10-30 03:16 -------- d-----w- c:\programdata\Malwarebytes
2012-10-30 03:16 . 2012-10-30 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-30 03:16 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-29 00:43 . 2012-10-29 00:43 -------- d-----w- c:\program files\CMAK
2012-10-27 11:11 . 2012-10-27 11:14 -------- d-----w- C:\JRT
2012-10-25 12:35 . 2012-10-25 12:35 -------- d-----w- c:\users\David McMaster\AppData\Roaming\Watchtower
2012-10-25 11:55 . 2012-10-25 11:55 -------- d-----w- c:\program files\Watchtower
2012-10-24 20:57 . 2012-10-12 03:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-24 20:25 . 2012-10-24 20:25 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB371266-DE6F-4D56-A9A6-9338F93062D9}\gapaengine.dll
2012-10-24 19:43 . 2012-10-24 19:43 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-23 11:23 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{41B6FF2C-A348-4118-91E5-73C714E55F78}\mpengine.dll
2012-10-23 11:13 . 2012-10-23 11:13 -------- d-----w- c:\users\David McMaster\AppData\Roaming\DriverCure
2012-10-22 13:20 . 2012-10-22 23:19 -------- d-----w- C:\sh4ldr
2012-10-22 13:20 . 2012-10-22 23:19 -------- d-----w- c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP
2012-10-22 13:20 . 2012-10-22 13:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-10-21 22:57 . 2012-10-23 11:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-21 22:54 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-10-21 22:53 . 2012-10-21 22:53 -------- d-----w- c:\program files\BillP Studios
2012-10-19 19:05 . 2012-10-19 19:05 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-19 15:34 . 2012-10-19 15:34 -------- d---a-r- C:\37558
2012-10-19 08:36 . 2007-08-31 23:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2012-10-19 08:36 . 2003-01-26 18:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2012-10-19 07:47 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-10-19 07:47 . 2004-03-09 05:00 662288 ----a-w- c:\windows\system32\mscomct2.ocx
2012-10-19 07:47 . 2004-03-09 05:00 212240 ----a-w- c:\windows\system32\richtx32.ocx
2012-10-19 07:47 . 2000-11-05 20:27 36864 ----a-w- c:\windows\system32\trayicon.ocx
2012-10-19 07:47 . 2000-05-19 22:56 81920 ----a-w- c:\windows\system32\mbmouse.ocx
2012-10-19 04:28 . 2012-10-19 04:28 -------- d-----w- c:\users\David McMaster\AppData\Roaming\NVIDIA
2012-10-19 04:28 . 2012-10-19 04:28 -------- d-----w- c:\users\David McMaster\AppData\Local\ImTOO
2012-10-19 04:27 . 2012-11-04 06:36 -------- d-----w- c:\users\David McMaster\AppData\Roaming\ImTOO
2012-10-19 03:42 . 2012-10-19 03:42 -------- d-----w- c:\users\David McMaster\AppData\Local\Google
2012-10-19 01:49 . 2012-10-19 01:50 -------- d-----w- c:\users\David McMaster\AppData\Roaming\tiger-k
2012-10-19 01:49 . 2012-10-19 01:49 -------- d-----w- c:\users\David McMaster\AppData\Roaming\Leawo
2012-10-19 01:49 . 2012-10-19 01:49 -------- d-----w- c:\programdata\Leawo
2012-10-19 01:49 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2012-10-19 01:49 . 2012-01-09 16:34 606208 ----a-w- c:\windows\system32\xvidcore.dll
2012-10-19 01:49 . 2012-01-09 16:34 139264 ----a-w- c:\windows\system32\xvid.ax
2012-10-19 01:43 . 2012-10-19 01:48 -------- d-----w- c:\users\David McMaster\AppData\Roaming\GetRightToGo
2012-10-10 12:15 . 2012-06-02 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 12:15 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 12:15 . 2012-06-02 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 12:15 . 2012-08-31 17:18 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 12:15 . 2012-08-10 23:56 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-10-10 12:15 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 12:15 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-19 19:05 . 2012-09-30 21:07 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-19 19:05 . 2012-02-15 23:49 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-15 17:15 . 2012-09-30 12:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-15 17:15 . 2012-02-15 23:53 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 21:29 . 2012-09-30 21:29 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-09-30 21:29 . 2012-09-30 21:29 161792 ----a-w- c:\windows\system32\msls31.dll
2012-09-30 21:29 . 2012-09-30 21:29 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-09-30 21:29 . 2012-09-30 21:29 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-09-30 21:29 . 2012-09-30 21:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-09-30 21:29 . 2012-09-30 21:29 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-09-30 21:29 . 2012-09-30 21:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-09-30 21:29 . 2012-09-30 21:29 367104 ----a-w- c:\windows\system32\html.iec
2012-09-30 21:29 . 2012-09-30 21:29 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-09-30 21:29 . 2012-09-30 21:29 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-09-30 21:29 . 2012-09-30 21:29 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-09-30 21:29 . 2012-09-30 21:29 152064 ----a-w- c:\windows\system32\wextract.exe
2012-09-30 21:29 . 2012-09-30 21:29 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-09-30 21:29 . 2012-09-30 21:29 11776 ----a-w- c:\windows\system32\mshta.exe
2012-09-30 21:29 . 2012-09-30 21:29 101888 ----a-w- c:\windows\system32\admparse.dll
2012-08-24 06:59 . 2012-10-02 01:30 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-10-02 01:30 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-10-02 01:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-10-02 01:30 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-10-02 01:30 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-10-02 01:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-30 20:46 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-30 20:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-30 20:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-30 20:46 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-09-30 20:42 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-18 17:42 . 2012-10-03 01:56 52584 ----a-w- c:\windows\system32\OpenCL.dll
2012-08-18 17:42 . 2012-10-03 01:56 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-08-18 17:42 . 2012-10-03 01:56 7694184 ----a-w- c:\windows\system32\nvcuda.dll
2012-08-18 17:42 . 2012-10-03 01:56 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-08-18 17:42 . 2012-10-03 01:56 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-08-18 17:42 . 2012-10-03 01:56 19905384 ----a-w- c:\windows\system32\nvoglv32.dll
2012-08-18 17:42 . 2012-10-03 01:56 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-08-18 17:42 . 2012-10-03 01:56 15307624 ----a-w- c:\windows\system32\nvd3dum.dll
2012-08-18 17:42 . 2012-10-03 01:56 12490600 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-08-18 17:42 . 2012-10-03 01:56 10817384 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-08-18 17:42 . 2012-10-03 01:56 1010536 ----a-w- c:\windows\system32\nvdispco32.dll
2012-08-18 17:42 . 2012-10-03 01:56 2428264 ----a-w- c:\windows\system32\nvapi.dll
2012-08-18 17:42 . 2012-10-03 01:56 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-08-18 07:48 . 2012-08-18 07:48 430952 ----a-w- c:\windows\system32\nvStreaming.exe
2012-08-18 07:47 . 2012-10-03 01:57 726376 ----a-w- c:\windows\system32\nv3dappshext.dll
2012-08-18 07:47 . 2012-10-03 01:57 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-08-18 07:47 . 2012-10-03 01:57 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-08-18 07:47 . 2012-10-03 01:57 54632 ----a-w- c:\windows\system32\nv3dappshextr.dll
2012-08-18 07:47 . 2012-10-03 01:57 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-08-18 07:47 . 2012-10-03 01:57 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-18 07:47 . 2012-10-03 01:57 2843496 ----a-w- c:\windows\system32\nvsvc.dll
2012-08-18 07:47 . 2012-10-03 01:57 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-10-24 17:50 . 2012-10-30 23:43 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-30 17:15]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
FF - ProfilePath - c:\users\David McMaster\AppData\Roaming\Mozilla\Firefox\Profiles\a5ql0mzu.default\
FF - prefs.js: browser.startup.homepage - www.my.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver - c:\program files\NVIDIA Corporation\Installer2\installer.0\NVI2.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-04 13:29:04
ComboFix-quarantined-files.txt 2012-11-04 19:29
.
Pre-Run: 49,215,414,272 bytes free
Post-Run: 49,184,485,376 bytes free
.
- - End Of File - - 8B1581F9139D2231BB18E9F6B25567CE



Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 26
Java 7 Update 9
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
Microsoft Security Client Antimalware MsMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#4 nasdaq
  • Malware Response Team
  • 39,903 posts

Posted 05 November 2012 - 08:00 AM

Using the Add/Remove Programs applet remove this old version of Java™ 6 Update 26
===

If the redirection continues please execute these instructions.

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
<<<>>>

Continue if still having the problem.


Keep me posted.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 11 November 2012 - 10:07 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#6 dmcmaster

dmcmaster
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 11 November 2012 - 02:18 PM

I don't think that you got my last reply. I'm still being redirected when in IE 9.

dmcmaster@sbcglobal.net

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 12 November 2012 - 10:24 AM

Please delete your version of the DDS.exe file and download the latest.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
  • DDS.pif
  • DDS.COM

Run the program and post the log.

===

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

#8 dmcmaster

dmcmaster
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 12 November 2012 - 12:29 PM

Here are the logs for dds attach(attached file) and rkreport




DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 10.9.2
Run by David McMaster at 11:07:57 on 2012-11-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.1482 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\BitLord 2\Bitlord files\bitlord.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_4_402_287_Plugin.exe -update plugin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\david mcmaster\appdata\roaming\mozilla\firefox\profiles\a5ql0mzu.default\
FF - prefs.js: browser.startup.homepage - www.my.yahoo.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-9-30 1343400]
.
=============== Created Last 30 ================
.
2012-11-08 13:22:24 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{66fc1ee8-5282-4dd6-bc4b-0efef187f667}\mpengine.dll
2012-11-07 20:50:48 -------- d-----w- c:\programdata\Trymedia
2012-11-04 19:29:06 -------- d-----w- c:\users\david mcmaster\appdata\local\temp
2012-11-04 19:28:26 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-04 19:20:57 98816 ----a-w- c:\windows\sed.exe
2012-11-04 19:20:57 256000 ----a-w- c:\windows\PEV.exe
2012-11-04 19:20:57 208896 ----a-w- c:\windows\MBR.exe
2012-10-30 23:44:07 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-30 03:17:13 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Malwarebytes
2012-10-30 03:16:50 -------- d-----w- c:\programdata\Malwarebytes
2012-10-30 03:16:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-30 03:16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-29 00:43:36 -------- d-----w- c:\program files\CMAK
2012-10-27 17:43:51 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-27 17:43:51 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-27 11:11:21 -------- d-----w- C:\JRT
2012-10-25 12:35:36 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Watchtower
2012-10-25 11:55:44 -------- d-----w- c:\program files\Watchtower
2012-10-24 20:57:25 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-24 20:25:58 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db371266-de6f-4d56-a9a6-9338f93062d9}\gapaengine.dll
2012-10-24 19:43:04 -------- d-----w- c:\program files\Microsoft Security Client
2012-10-23 11:23:05 6980552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-10-23 11:23:01 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{41b6ff2c-a348-4118-91e5-73c714e55f78}\mpengine.dll
2012-10-23 11:13:36 -------- d-----w- c:\users\david mcmaster\appdata\roaming\DriverCure
2012-10-22 13:20:52 -------- d-----w- C:\sh4ldr
2012-10-22 13:20:06 -------- d-----w- c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP
2012-10-22 13:20:04 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-10-21 22:57:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-21 22:54:34 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-10-21 22:53:48 -------- d-----w- c:\program files\BillP Studios
2012-10-19 19:05:28 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-19 15:34:01 -------- d---a-r- C:\37558
2012-10-19 08:36:17 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2012-10-19 08:36:17 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2012-10-19 07:47:37 81920 ----a-w- c:\windows\system32\mbmouse.ocx
2012-10-19 07:47:37 662288 ----a-w- c:\windows\system32\mscomct2.ocx
2012-10-19 07:47:37 36864 ----a-w- c:\windows\system32\trayicon.ocx
2012-10-19 07:47:37 212240 ----a-w- c:\windows\system32\richtx32.ocx
2012-10-19 07:47:37 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-10-19 04:28:12 -------- d-----w- c:\users\david mcmaster\appdata\roaming\NVIDIA
2012-10-19 04:28:09 -------- d-----w- c:\users\david mcmaster\appdata\local\ImTOO
2012-10-19 04:27:44 -------- d-----w- c:\users\david mcmaster\appdata\roaming\ImTOO
2012-10-19 03:42:43 -------- d-----w- c:\users\david mcmaster\appdata\local\Google
2012-10-19 01:49:32 -------- d-----w- c:\users\david mcmaster\appdata\roaming\tiger-k
2012-10-19 01:49:32 -------- d-----w- c:\users\david mcmaster\appdata\roaming\Leawo
2012-10-19 01:49:32 -------- d-----w- c:\programdata\Leawo
2012-10-19 01:49:18 175616 ----a-w- c:\windows\system32\unrar.dll
2012-10-19 01:49:04 606208 ----a-w- c:\windows\system32\xvidcore.dll
2012-10-19 01:49:04 139264 ----a-w- c:\windows\system32\xvid.ax
2012-10-19 01:43:45 -------- d-----w- c:\users\david mcmaster\appdata\roaming\GetRightToGo
.
==================== Find3M ====================
.
2012-10-19 19:05:21 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-19 19:05:21 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-15 17:15:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-15 17:15:03 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 17:18:09 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 17:12:02 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:57:48 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12:27 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-18 07:48:32 430952 ----a-w- c:\windows\system32\nvStreaming.exe
2012-08-18 07:47:46 726376 ----a-w- c:\windows\system32\nv3dappshext.dll
2012-08-18 07:47:46 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-08-18 07:47:46 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-08-18 07:47:46 54632 ----a-w- c:\windows\system32\nv3dappshextr.dll
2012-08-18 07:47:46 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-08-18 07:47:46 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-08-18 07:47:20 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-08-18 07:47:20 2843496 ----a-w- c:\windows\system32\nvsvc.dll
.
============= FINISH: 11:08:13.22 ===============



RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : David McMaster [Admin rights]
Mode : Scan -- Date : 11/12/2012 11:14:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380815AS ATA Device +++++
--- User ---
[MBR] 6188f9a185c647ae84c41fab25531019
[BSP] c3253755df50174ed7152ad603d1a7b4 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 5000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 10242048 | Size: 71317 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11122012_02d1114.txt >>
RKreport[1]_S_11122012_02d1114.txt


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 13 November 2012 - 08:18 AM

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> FOUND

The IP address 68.94.156.1 belongs to AT&T Internet Services. If it's not your Internet Provider please let me know.

===

First try this.
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next, 
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

If still getting redirects:


Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Now click Delete on the right hand column under Options

Post back the report which should be located on your desktop.

===

Keep me posted.

Edited by nasdaq, 13 November 2012 - 08:21 AM.
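The check nasdaq applies above (does the NameServer value on each interface belong to the subscriber's ISP, or has it been swapped for a rogue resolver?) can be automated over a RogueKiller report. This is an added example, not RogueKiller's or nasdaq's code; the allow-list (the two AT&T resolvers quoted in the thread), the second sample entry with an RFC 5737 documentation address, and the function names are constructed for it.

```python
"""Flag NameServer entries in a RogueKiller-style report that point at untrusted resolvers."""
import ipaddress
import re

# Constructed sample: the first [DNS] line copies the entry posted in this thread,
# the second is made up (hypothetical GUID, RFC 5737 test addresses) to show a hit.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{0BADC0DE-0000-4000-8000-000000000001} : NameServer (203.0.113.5 203.0.113.6) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
"""

# Assumed allow-list: the resolvers the subscriber's ISP actually hands out.
# Here it is the two AT&T addresses named in the thread; replace for another ISP.
TRUSTED_RESOLVER_NETWORKS = [
    ipaddress.ip_network("68.94.156.1/32"),
    ipaddress.ip_network("68.94.157.1/32"),
]

# A home router (e.g. 192.168.1.1) acting as the resolver is normal, so RFC 1918
# and loopback space is accepted without being on the ISP list. This is an explicit
# list rather than ipaddress's is_private, which also treats RFC 5737 test ranges
# as private and would hide the second sample entry.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

DNS_LINE = re.compile(
    r"^\[DNS\]\s+(?P<key>\S+)\s+:\s+NameServer\s+\((?P<servers>[^)]*)\)\s+->\s+(?P<status>.+?)\s*$"
)
GUID_IN_KEY = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
CONTROLSET_IN_KEY = re.compile(r"ControlSet(\d{3})")


def parse_dns_entries(report_text):
    """Return one dict per [DNS] line: control set, interface GUID, resolver list, status."""
    entries = []
    for line in report_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        guid = GUID_IN_KEY.search(key)
        cs = CONTROLSET_IN_KEY.search(key)
        entries.append({
            "control_set": cs.group(1) if cs else None,
            "interface": guid.group(1).upper() if guid else None,
            "servers": m.group("servers").split(),
            "status": m.group("status"),
        })
    return entries


def is_trusted_resolver(server, trusted_networks):
    """True if the address is on the ISP allow-list or in LAN/loopback space.

    Anything that does not parse as an IP address is treated as untrusted."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False
    if any(ip in net for net in LAN_NETWORKS):
        return True
    return any(ip in net for net in trusted_networks)


def check_dns_entries(report_text, trusted_networks=TRUSTED_RESOLVER_NETWORKS):
    """Annotate every [DNS] entry with the resolvers that fail the trust check."""
    results = []
    for entry in parse_dns_entries(report_text):
        entry["unexpected"] = [
            s for s in entry["servers"] if not is_trusted_resolver(s, trusted_networks)
        ]
        results.append(entry)
    return results


def interfaces_needing_review(report_text, trusted_networks=TRUSTED_RESOLVER_NETWORKS):
    """Sorted interface GUIDs whose NameServer value includes an untrusted resolver."""
    return sorted({
        e["interface"]
        for e in check_dns_entries(report_text, trusted_networks)
        if e["unexpected"]
    })


if __name__ == "__main__":
    for e in check_dns_entries(SAMPLE_REPORT):
        verdict = "REVIEW: " + ", ".join(e["unexpected"]) if e["unexpected"] else "ok"
        print(f"ControlSet{e['control_set']} {e['interface']} {e['servers']} -> {verdict}")
```

Because RogueKiller reports each control set separately (ControlSet001 and ControlSet002 both appear later in this thread), the same interface GUID can legitimately show up twice; the review list is deduplicated on the GUID for that reason.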


#10 dmcmaster

dmcmaster
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 13 November 2012 - 09:22 AM

Here is the log:

RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : David McMaster [Admin rights]
Mode : Remove -- Date : 11/13/2012 08:18:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> NOT SELECTED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> NOT SELECTED
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380815AS ATA Device +++++
--- User ---
[MBR] 6188f9a185c647ae84c41fab25531019
[BSP] c3253755df50174ed7152ad603d1a7b4 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 5000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 10242048 | Size: 71317 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11132012_02d0818.txt >>
RKreport[1]_S_11132012_02d0817.txt ; RKreport[2]_D_11132012_02d0818.txt

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 13 November 2012 - 09:41 AM

You missed these two items as suggested in post No 8.

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND


Please execute.


I also asked about the IP address being used. Are you with AT&T?

#12 dmcmaster

dmcmaster
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 13 November 2012 - 09:59 PM

Here is the log after deleting the final two items. I shut down the computer, restarted, and found that IE 9 still redirects and in addition I'm getting a security alert. Yes, ATT is my internet provider. Sorry about forgetting to include that in previous post.






RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : David McMaster [Admin rights]
Mode : Scan -- Date : 11/13/2012 20:53:52

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{66CC76D1-553A-4132-913D-E7F1FAC14DF1} : NameServer (68.94.156.1 68.94.157.1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380815AS ATA Device +++++
--- User ---
[MBR] 6188f9a185c647ae84c41fab25531019
[BSP] c3253755df50174ed7152ad603d1a7b4 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 5000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 10242048 | Size: 71317 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11132012_02d2053.txt >>
RKreport[1]_S_11132012_02d2053.txt

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 14 November 2012 - 11:08 AM

I have searched Google for this string 66CC76D1-553A-4132-913D-E7F1FAC14DF1 in your Control Set.
You are the only one found. It could be a unique AT&T identifier. Let's check the registry.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :regfind
    66CC76D1-553A-4132-913D-E7F1FAC14DF1

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Look for your about:config setting in Firefox.

How to here:
http://www.howtogeek.com/howto/1698/remove-custom-aboutconfig-entries-the-easy-way/

Search for some of the keywords coming from your redirect sites.

For any you don't like the looks of, probably ones with 'user set string'

Select the line, then right-click and select Copy. Paste into your reply.
Right-click 'user set' and select 'Toggle', or 'Modify' and change the string.
Again select the line, right-click and select Copy. Paste into your reply.


p.s. If you click on the Status bar all of the User set will be sorted out.

#14 dmcmaster

dmcmaster
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 14 November 2012 - 04:18 PM

Why am I looking in Firefox for something that is redirecting me in IE 9? Firefox hasn't redirected me since we deleted something that was messing with Java before I was directed to this topic. I realize that you are the one helping me, and believe me, I appreciate it, but give me some idea of what's going on, OK? I did what you told me to do about about:config in Firefox and I didn't see anything in the user set strings that looked suspicious to me, but unless I saw something that looked like the redirect address, I was clueless about anything else.

Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:28 on 14/11/2012 by David McMaster
Administrator - Elevation successful

========== regfind ==========

Searching for "66CC76D1-553A-4132-913D-E7F1FAC14DF1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{4CB8691D-0411-4FE6-B140-657C3495A2FD}\Connection]
"Name"="isatap.{66CC76D1-553A-4132-913D-E7F1FAC14DF1}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{4CB8691D-0411-4FE6-B140-657C3495A2FD}]
"InterfaceName"="isatap.{66CC76D1-553A-4132-913D-E7F1FAC14DF1}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Linkage]
"Bind"="\Device\Smb_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Smb_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\Smb_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\Smb_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\Smb_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\Smb_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\NetbiosSmb \Device\NetBT_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\NetBT_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\NetBT_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\NetBT_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\NetBT_T
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Linkage]
"Export"="\Device\LanmanServer_Smb_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanServer_Smb_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\LanmanServer_Smb_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\LanmanServer_Smb_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\LanmanServer_Smb_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\LanmanServer_Smb_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanServer_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanServer_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\LanmanServer_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\LanmanServer_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\LanmanServer_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\LanmanServer_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanServer_NetbiosSmb \Device\LanmanServer_NetBT_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Lan
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage]
"Bind"="\Device\Smb_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Smb_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\Smb_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\Smb_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\Smb_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\Smb_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\NetbiosSmb \Device\NetBT_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\NetBT_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\NetBT_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\NetBT_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\Ne
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage]
"Export"="\Device\LanmanWorkstation_Smb_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanWorkstation_Smb_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\LanmanWorkstation_Smb_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\LanmanWorkstation_Smb_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\LanmanWorkstation_Smb_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\LanmanWorkstation_Smb_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanWorkstation_Tcpip_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanWorkstation_Tcpip6_{56D4D3DD-3013-4814-A72F-0227D16D341E} \Device\LanmanWorkstation_Tcpip6_{4CB8691D-0411-4FE6-B140-657C3495A2FD} \Device\LanmanWorkstation_Tcpip6_{56BA9398-BBF3-4669-891B-32CF58EB17AC} \Device\LanmanWorkstation_Tcpip6_{CC470000-915D-4204-BE29-F97B970CA380} \Device\LanmanWorkstation_Tcpip6_{AFF2CF02-68FE-4015-9F1A-042DDA210128} \Device\LanmanWorkstation_NetbiosSmb \Device\Lanma
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Linkage]

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,903 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 PM

Posted 15 November 2012 - 09:02 AM

I will concentrate on IE and not Firefox.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===
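Added example, not OTL's code and not part of the reply above: a small Python reimplementation of two of the custom-scan directives in that post (a path pattern with a trailing "/N" age limit, and the /md5start … /md5stop file-hash list), run over a constructed temporary tree so a defender can see what each directive surfaces (recently changed drivers, and per-copy hashes of core system files). Assumptions, also marked in the code: "/N" means modified within the last N days, and each listed name is hashed wherever it occurs under the scanned root; OTL's exact semantics may differ.

```python
import fnmatch
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed fragment in the style of the custom scan in the reply above.
SAMPLE_SCRIPT = """
%systemroot%\\system32\\drivers\\*.sys /90
/md5start
atapi.sys
ndis.sys
/md5stop
"""

def parse_custom_scan(script):
    """Return ([(name_glob, max_age_days or None)], [lower-case md5 names])."""
    globs, md5_names, in_md5 = [], [], False
    for line in (ln.strip() for ln in script.splitlines() if ln.strip()):
        low = line.lower()
        if low == "/md5start":
            in_md5 = True
        elif low == "/md5stop":
            in_md5 = False
        elif in_md5:
            md5_names.append(low)
        else:
            parts = line.split()
            # Keep only the file-name part of the Windows path pattern.
            name_glob = parts[0].replace("\\", "/").rsplit("/", 1)[-1]
            # Assumed meaning of a trailing "/N" (e.g. "/90"): modified in the last N days.
            days = int(parts[1][1:]) if len(parts) > 1 and parts[1][1:].isdigit() else None
            globs.append((name_glob, days))
    return globs, md5_names

def recently_modified(root, name_glob, days):
    """Names of files under root matching name_glob and modified within `days` (None = any)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and fnmatch.fnmatch(path.name.lower(), name_glob.lower()):
            if days is None or (time.time() - path.stat().st_mtime) / 86400 <= days:
                hits.append(path.name)
    return sorted(hits)

def md5_report(root, names):
    """{name: {path: md5}} for every copy of each listed name under root (assumed semantics)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in names:
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            report.setdefault(path.name.lower(), {})[str(path)] = digest
    return report

def demo():
    """Run both directives over a constructed temporary tree of fake driver files."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "atapi.sys").write_bytes(b"constructed driver image")
        Path(tmp, "ndis.sys").write_bytes(b"another constructed image")
        old = time.time() - 200 * 86400  # 200 days ago, so outside the /90 window
        os.utime(Path(tmp, "ndis.sys"), (old, old))
        globs, names = parse_custom_scan(SAMPLE_SCRIPT)
        return recently_modified(tmp, *globs[0]), md5_report(tmp, names)
```

A second copy of a listed name showing up in the hash report, or a hash that differs from the one a clean install produces, is the kind of finding the /md5start list exists to expose.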



