
yhs4 browser search redirect


  • This topic is locked
28 replies to this topic

#1 HuoXue

HuoXue

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 27 January 2014 - 09:43 AM

Hello!  Firstly, thank you for taking the time in reading this - I appreciate it!

 

I'm not sure at what point I got infected - I sometimes have my computer "borrowed", so I could have only myself to blame, or someone else.

 

It doesn't edit my actual search page, but at some point redirects it to a "us.yhs4" search when I use the "omnibox" in Google Chrome.  In the event that I do seem to remove it, any omnibox search afterwards is met by a google "we're blocking you because you're a robot" page, and entering the captcha to prove that I'm human does not bypass it - I simply get another captcha to fill out.

 

Logs:

-----------

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by HuoXue at 8:20:42 on 2014-01-27
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3326.2437 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\huoxue\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "d:\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe Run
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [SMessaging] c:\documents and settings\huoxue\local settings\application data\strongvault online backup\SMessaging.exe
mRun: [Aimersoft Helper Compact.exe] c:\program files\common files\aimersoft\aimersoft helper compact\ASHelper.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5} : NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0} : NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0} : DHCPNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-11-10 233472]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-11-10 37344]
R3 nbdrvMP;nbdrvMP;c:\windows\system32\drivers\nbdrv.sys [2013-4-28 23040]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\huoxue\desktop\vcdrom.sys --> c:\documents and settings\huoxue\desktop\VCdRom.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NetBalancerService;NetBalancerService;c:\program files\netbalancer\SeriousBit.NetBalancer.Service.exe [2013-4-28 10752]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 apf001;apf001;\??\c:\game\softnyxgame\gunboundis\apf001.sys --> c:\game\softnyxgame\gunboundis\apf001.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\temp\cpuz135\cpuz135_x32.sys --> c:\windows\temp\cpuz135\cpuz135_x32.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-11-11 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\futuremark\futuremark systeminfo\FMSISvc.exe [2012-1-4 137488]
S3 nbdrv;NetBalancer Service;c:\windows\system32\drivers\nbdrv.sys [2013-4-28 23040]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-11-11 181344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S3 XDva392;XDva392;\??\c:\windows\system32\xdva392.sys --> c:\windows\system32\XDva392.sys [?]
.
=============== Created Last 30 ================
.
2014-01-26 13:23:37 -------- d-----w- c:\windows\pss
2014-01-25 03:11:45 -------- d-----w- c:\documents and settings\huoxue\application data\SYSTEMAX Software Development
2014-01-25 03:11:45 -------- d-----w- c:\documents and settings\all users\application data\SYSTEMAX Software Development
2014-01-24 13:00:34 877480 ----a-w- c:\windows\system32\npdeployJava1.dll
2014-01-24 13:00:34 800168 ----a-w- c:\windows\system32\deployJava1.dll
2014-01-23 13:24:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-23 13:15:00 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-23 12:17:33 -------- d-----w- c:\windows\Performance
2014-01-23 12:17:27 -------- d-----w- c:\documents and settings\huoxue\local settings\application data\Microsoft Corporation
2014-01-15 09:18:15 -------- d-----w- c:\program files\steam
2013-12-31 00:23:17 -------- d-----w- c:\documents and settings\huoxue\local settings\application data\FalloutNV
2013-12-29 18:31:44 -------- d-----w- c:\documents and settings\huoxue\application data\RenPy
2013-12-29 12:36:57 -------- d-----w- c:\documents and settings\huoxue\local settings\application data\Threaks
.
==================== Find3M  ====================
.
2014-01-07 02:30:47 1077176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2014-01-07 02:30:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-12-12 17:59:54 1077176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-12-11 14:30:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 14:30:46 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 14:30:42 9293192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-27 20:21:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-11 09:28:22 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2013-11-11 09:28:22 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 03:16:32 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2013-10-30 03:16:30 37344 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2013-10-30 03:06:54 45320 ----a-w- c:\windows\system32\MAMACExtract.dll
2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH:  8:21:09.09 ===============
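The DDS "Pseudo HJT Report" section above is a line-oriented format (uRun/mRun autoruns, BHO entries, TCP NameServer lines). As an added example that is not part of this thread or of DDS itself, here is a small Python parser that pulls those entries out of such a section and flags two things a helper usually reviews first: autoruns launched from a user profile or temp folder, and interfaces whose static NameServer list differs from the DHCP-assigned one. The sample log is a constructed excerpt shaped like the posted one, not the full log.

```python
"""Parse the autorun, BHO and DNS lines of a DDS 'Pseudo HJT Report' section."""
import re
from dataclasses import dataclass

# Constructed sample: a short excerpt in the shape of the DDS log above (not the full log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [Steam] "d:\steam\steam.exe" -silent
mRun: [SMessaging] c:\documents and settings\huoxue\local settings\application data\strongvault online backup\SMessaging.exe
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5} : NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0} : NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0} : DHCPNameServer = 192.168.1.254
.
============= SERVICES / DRIVERS ===============
"""


@dataclass(frozen=True)
class RunEntry:
    hive: str      # "HKCU" for uRun lines, "HKLM" for mRun lines
    name: str      # value name shown in [brackets]
    command: str   # command line as logged


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    path: str


RUN_RE = re.compile(r"^([um])Run: \[(.*?)\] (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?): (\{[0-9A-Fa-f-]+\}) - (.*)$")
TCP_RE = re.compile(
    r"^TCP: (?:Interfaces\\(\{[0-9A-Fa-f-]+\}) : )?(DHCPNameServer|NameServer) = (.+)$"
)
# Heuristic: autoruns living in a profile or temp folder get a closer look.
PROFILE_RE = re.compile(r"documents and settings|application data|\\temp\\", re.I)


def hjt_section(log):
    """Return the non-empty lines between the Pseudo HJT header and the next section header."""
    out, inside = [], False
    for line in log.splitlines():
        if "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("===="):
            break
        if inside and line.strip() not in ("", "."):
            out.append(line)
    return out


def parse_run_entries(lines):
    """uRun/mRun lines -> RunEntry objects, mapping the u/m prefix to its hive."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            hive = "HKCU" if m.group(1) == "u" else "HKLM"
            entries.append(RunEntry(hive, m.group(2), m.group(3)))
    return entries


def parse_bhos(lines):
    """BHO lines -> Bho objects (display name, CLSID with braces, DLL path)."""
    return [Bho(*m.groups()) for m in map(BHO_RE.match, lines) if m]


def parse_nameservers(lines):
    """Map interface GUID (or 'global') -> {'NameServer': [...], 'DHCPNameServer': [...]}."""
    result = {}
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue
        iface = m.group(1) or "global"
        servers = [s.strip() for s in m.group(3).split(",")]
        result.setdefault(iface, {})[m.group(2)] = servers
    return result


def dns_mismatches(nameservers):
    """Interfaces whose static NameServer list differs from what DHCP handed out."""
    flagged = []
    for iface, cfg in nameservers.items():
        static, dhcp = cfg.get("NameServer"), cfg.get("DHCPNameServer")
        if static and dhcp and set(static) != set(dhcp):
            flagged.append(iface)
    return flagged


def run_entries_in_profile(entries):
    """Autorun entries whose command points into a profile or temp folder."""
    return [e for e in entries if PROFILE_RE.search(e.command)]


if __name__ == "__main__":
    section = hjt_section(SAMPLE_LOG)
    runs = parse_run_entries(section)
    for e in run_entries_in_profile(runs):
        print(f"review autorun: {e.hive}\\...\\Run [{e.name}] -> {e.command}")
    for b in parse_bhos(section):
        print(f"BHO {b.clsid} {b.name}: {b.path}")
    for iface in dns_mismatches(parse_nameservers(section)):
        print(f"review DNS: interface {iface} uses servers that differ from DHCP")
```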


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:29 PM

Posted 27 January 2014 - 02:12 PM


Hello HuoXue

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 HuoXue

HuoXue
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 27 January 2014 - 05:12 PM

Well, both programs found a few files, but after running both and having them clean up, I'm still being redirected to the yhs4 search.  Again, thank you for your time!

 

LOGS:

----------

 

# AdwCleaner v3.017 - Report created 27/01/2014 at 16:01:08
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : HuoXue - HUO
# Running from : C:\Documents and Settings\HuoXue\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\myfree codec
Folder Deleted : C:\Program Files\myfree codec
Folder Deleted : C:\Documents and Settings\HuoXue\Local Settings\Application Data\apn
Folder Deleted : C:\Documents and Settings\HuoXue\Local Settings\Application Data\Conduit
Folder Deleted : C:\DOCUME~1\HuoXue\LOCALS~1\Temp\AirInstaller
Folder Deleted : C:\DOCUME~1\HuoXue\LOCALS~1\Temp\AskSearch
Folder Deleted : C:\Documents and Settings\HuoXue\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\HuoXue\Application Data\strongvault
File Deleted : C:\END
File Deleted : C:\DOCUME~1\HuoXue\LOCALS~1\Temp\Uninstall.exe
File Deleted : C:\Program Files\Mozilla Firefox\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3268494
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD501041-8EBE-11CE-8183-00AA00577DA2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Myfree Codec
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\visualbee
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\Myfree Codec
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\Software\visualbee
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyFreeCodec
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
 
-\\ Google Chrome v
 
[ File : C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [5448 octets] - [27/01/2014 15:57:28]
AdwCleaner[S0].txt - [5411 octets] - [27/01/2014 16:01:08]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5471 octets] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Microsoft Windows XP x86
Ran by HuoXue on Mon 01/27/2014 at 16:04:23.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SMessaging [Strongvault]
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\caphyon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6BF9D4F6-0483-4B14-9C0B-089A9E26AFBA}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\strongvault online backup"
Successfully deleted: [Folder] "C:\Documents and Settings\HuoXue\Local Settings\Application Data\cre"
Successfully deleted: [Folder] "C:\Documents and Settings\HuoXue\Local Settings\Application Data\stronghold_llc"
Successfully deleted: [Folder] "C:\Documents and Settings\HuoXue\Local Settings\Application Data\strongvault online backup"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/27/2014 at 16:08:00.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:29 PM

Posted 27 January 2014 - 05:27 PM


Hello HuoXue

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#5 HuoXue

HuoXue
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 27 January 2014 - 07:44 PM

Alright, so I seem to have come upon a bit of a problem.  When I run Combofix, it gets to "Completed Stage_50", then an empty line shows up at the bottom of the window, and my computer crashes to a BSOD with a "Bad Header Pool" error.

 

I can't seem to upload the minidump file - I get an error from the website that says I'm not permitted to upload .dmp files.

 

 



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:29 PM

Posted 27 January 2014 - 08:16 PM





Hello HuoXue

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • Internet access
  • Windows Update
  • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.


--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller+
send me the reports made from MBAR and Roguekiller and also let me know how the computer is doing at this time.

Gringo






When you are complete please send me both reports

Gringo

#7 HuoXue

HuoXue
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 28 January 2014 - 02:58 AM

Alright, both ran just fine - Malwarebytes rootkit didn't find anything, so nothing was removed/did not restart.  Also, RogueKiller did not produce a report that was numbered [2], so I'm including the second one that it provided.

 

Should I be restarting manually after each step if I'm not prompted to by the programs?

 

EDIT: I forgot to include that before a restart, I was still getting redirected to the yhs4 search site, however, I did a reboot myself, and upon restarting it seems to have subsided.  

 

LOGS:

---------

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.01.28.02
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
 :: HUO [administrator]
 
1/28/2014 1:13:51 AM
mbar-log-2014-01-28 (01-13-51).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 235513
Time elapsed: 32 minute(s), 8 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
RogueKiller V8.8.3 [Jan 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : HuoXue [Admin rights]
Mode : Remove -- Date : 01/28/2014 01:51:40
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[122] : NtOpenProcess @ 0x8057F956 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB36E5184)
[Address] SSDT[128] : NtOpenThread @ 0x805E4867 -> HOOKED (C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB36E52D0)
 
¤¤¤ External Hives: ¤¤¤
-> F:\windows\system32\config\SYSTEM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\windows\system32\config\SOFTWARE | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\windows\system32\config\SECURITY | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\windows\system32\config\SAM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\windows\system32\config\DEFAULT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> F:\Users\Default\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721050CLA362 +++++
--- User ---
[MBR] be305957a574b1115705246843cad26c
[BSP] f611a10388487050d6aed09f0fd697c3 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) Hitachi HDT725032VLA380 +++++
--- User ---
[MBR] f2e9c96a0003bd3bcda5884de07db4b2
[BSP] 6139991970aba5d116638453ca182115 : Legit.B MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 9946 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20370420 | Size: 295297 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_01282014_015140.txt >>
RKreport[0]_S_01282014_015050.txt
 
 
 

Edited by HuoXue, 28 January 2014 - 03:13 AM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 January 2014 - 03:24 AM


Hello HuoXue

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that, when ComboFix reboots the computer, you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
After ComboFix has finished its scan, please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 HuoXue

HuoXue
  • Topic Starter

  • Members
  • 14 posts

Posted 28 January 2014 - 05:08 AM

Alright, it didn't crash on me this time; however, it did not restart the computer either.  It did finish and produce a log, though, so hopefully that's just as good.

 

Everything seems to be running well, and I'm no longer getting the redirect (knock on wood).

 

LOGS:

----------

 

ComboFix 14-01-27.02 - HuoXue 01/28/2014   3:41.4.2 - x86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3326.3061 [GMT -6:00]
Running from: c:\documents and settings\HuoXue\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\HuoXue\WINDOWS
C:\install.exe
c:\windows\system32\frapsvid.dll
F:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-28  )))))))))))))))))))))))))))))))
.
.
2014-01-28 06:59 . 2014-01-28 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-01-28 06:59 . 2014-01-28 06:59 107224 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-28 06:58 . 2014-01-28 06:58 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-27 22:04 . 2014-01-27 22:04 -------- d-----w- c:\windows\ERUNT
2014-01-27 21:57 . 2014-01-27 22:01 -------- d-----w- C:\AdwCleaner
2014-01-25 03:11 . 2014-01-25 03:11 -------- d-----w- c:\documents and settings\HuoXue\Application Data\SYSTEMAX Software Development
2014-01-25 03:11 . 2014-01-25 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
2014-01-24 13:00 . 2014-01-23 13:24 877480 ----a-w- c:\windows\system32\npdeployJava1.dll
2014-01-24 13:00 . 2014-01-23 13:24 800168 ----a-w- c:\windows\system32\deployJava1.dll
2014-01-23 13:24 . 2014-01-23 13:24 -------- d-----w- c:\program files\Common Files\Java
2014-01-23 13:24 . 2014-01-23 13:24 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-23 13:15 . 2014-01-23 13:24 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-23 12:17 . 2014-01-23 12:17 -------- d-----w- c:\windows\Performance
2014-01-23 12:17 . 2014-01-23 12:17 -------- d-----w- c:\documents and settings\HuoXue\Local Settings\Application Data\Microsoft Corporation
2014-01-15 09:18 . 2014-01-15 09:18 -------- d-----w- c:\program files\steam
2013-12-31 00:23 . 2013-12-31 00:23 -------- d-----w- c:\documents and settings\HuoXue\Local Settings\Application Data\FalloutNV
2013-12-29 18:31 . 2013-12-29 18:31 -------- d-----w- c:\documents and settings\HuoXue\Application Data\RenPy
2013-12-29 12:36 . 2013-12-29 12:36 -------- d-----w- c:\documents and settings\HuoXue\Local Settings\Application Data\Threaks
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 14:30 . 2012-11-08 11:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 14:30 . 2012-11-08 11:26 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 14:30 . 2013-12-11 14:30 9293192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-27 20:21 . 2001-08-18 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2001-08-18 08:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-11 09:28 . 2013-11-11 09:28 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2013-11-11 09:28 . 2013-11-11 09:28 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2013-11-07 05:38 . 2001-08-18 08:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2011-11-07 06:35 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\steam\steam.exe" [2014-01-07 1815464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-08-04 1612920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\NexmuTK\\NeXmuTK.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\KVIrc\\kvirc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Documents and Settings\\HuoXue\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Softnyx\\GunboundThor\\GunBound.exe"=
"c:\\Program Files\\Softnyx\\GunboundThor\\gunbound.gme"=
"c:\\Program Files\\Java\\jre7\\bin\\java.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Nexia\\NexusTK.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\Galactic Civilizations II - Ultimate Edition\\Twilight\\GC2TwilightOfTheArnor.exe"=
"c:\\Documents and Settings\\HuoXue\\Desktop\\Dogeminer\\dogecoin-qt.exe"=
"d:\\Steam\\Steam.exe"=
"d:\\Steam\\steamapps\\common\\Spelunky\\Spelunky.exe"=
"d:\\Steam\\steamapps\\common\\Brothers - A Tale of Two Sons\\Binaries\\Win32\\BrothersLauncher.exe"=
"d:\\Steam\\steamapps\\common\\Brothers - A Tale of Two Sons\\Binaries\\Win32\\Brothers.exe"=
"d:\\Steam\\steamapps\\common\\LongLiveTheQueen\\LongLiveTheQueen.exe"=
"d:\\Steam\\steamapps\\common\\pixeljunkeden\\eden.exe"=
"d:\\Steam\\steamapps\\common\\Fallout New Vegas\\FalloutNVLauncher.exe"=
"d:\\Steam\\steamapps\\common\\vvvvvv\\VVVVVV.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\ElectronicSuperJoy\\ElectronicSuperJoy.exe"=
"d:\\Steam\\steamapps\\common\\Beatbuddy\\Beatbuddy.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\FE Legendary Heroes\\LegendaryHeroes.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\GarrysMod\\hl2.exe"=
"d:\\Steam\\steamapps\\common\\Starbound\\win32\\launcher\\launcher.exe"=
.
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\HuoXue\Desktop\VCdRom.sys --> c:\documents and settings\HuoXue\Desktop\VCdRom.sys [?]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [11/10/2013 6:23 PM 233472]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 2:00 AM 14336]
S2 NetBalancerService;NetBalancerService;c:\program files\NetBalancer\SeriousBit.NetBalancer.Service.exe [4/28/2013 12:59 PM 10752]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/9/2013 9:58 AM 3275136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 5:45 PM 161384]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [11/11/2013 4:51 AM 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [11/10/2013 6:23 PM 37344]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [1/4/2012 2:15 PM 137488]
S3 nbdrv;NetBalancer Service;c:\windows\system32\drivers\nbdrv.sys [4/28/2013 12:59 PM 23040]
S3 nbdrvMP;nbdrvMP;c:\windows\system32\drivers\nbdrv.sys [4/28/2013 12:59 PM 23040]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [11/11/2013 4:51 AM 181344]
S3 XDva392;XDva392;\??\c:\windows\system32\XDva392.sys --> c:\windows\system32\XDva392.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-08 14:30]
.
2014-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004Core.job
- c:\documents and settings\HuoXue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-06 17:18]
.
2014-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004UA.job
- c:\documents and settings\HuoXue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-06 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: NameServer = 208.69.150.250,208.69.150.252
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-KiesPreload - c:\program files\Samsung\Kies\Kies.exe
HKLM-Run-DivXMediaServer - c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
HKLM-Run-Aimersoft Helper Compact.exe - c:\program files\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
AddRemove-Nexus: The Kingdom of the Winds - c:\progra~1\Nexon\NextAeon\UNWISE.EXE
AddRemove-Steam App 105600 - c:\program files\Steam\steam.exe
AddRemove-Steam App 107100 - c:\program files\Steam\steam.exe
AddRemove-Steam App 113200 - c:\program files\Steam\steam.exe
AddRemove-Steam App 200210 - c:\program files\Steam\steam.exe
AddRemove-Steam App 200900 - c:\program files\Steam\steam.exe
AddRemove-Steam App 202200 - c:\program files\Steam\steam.exe
AddRemove-Steam App 202480 - c:\program files\Steam\steam.exe
AddRemove-Steam App 204360 - c:\program files\Steam\steam.exe
AddRemove-Steam App 207170 - c:\program files\Steam\steam.exe
AddRemove-Steam App 207320 - c:\program files\Steam\steam.exe
AddRemove-Steam App 207350 - c:\program files\Steam\steam.exe
AddRemove-Steam App 209830 - c:\program files\Steam\steam.exe
AddRemove-Steam App 212680 - c:\program files\Steam\steam.exe
AddRemove-Steam App 214150 - c:\program files\Steam\steam.exe
AddRemove-Steam App 219740 - c:\program files\Steam\steam.exe
AddRemove-Steam App 22370 - c:\program files\Steam\steam.exe
AddRemove-Steam App 223810 - c:\program files\Steam\steam.exe
AddRemove-Steam App 223870 - c:\program files\Steam\steam.exe
AddRemove-Steam App 228260 - c:\program files\Steam\steam.exe
AddRemove-Steam App 244870 - c:\program files\Steam\steam.exe
AddRemove-Steam App 38400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 38420 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 40800 - c:\program files\Steam\steam.exe
AddRemove-Steam App 42910 - c:\program files\Steam\steam.exe
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe
AddRemove-Steam App 50620 - c:\program files\Steam\steam.exe
AddRemove-Steam App 57300 - c:\program files\Steam\steam.exe
AddRemove-Steam App 65800 - c:\program files\Steam\steam.exe
AddRemove-Steam App 65900 - c:\program files\Steam\steam.exe
AddRemove-Steam App 70400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 72850 - c:\program files\Steam\steam.exe
AddRemove-Terraria Game Launcher GUI_is1 - c:\program files\steam\SteamApps\Common\Terraria\unins000.exe
AddRemove-Terraria Game Launcher_is1 - c:\program files\steam\SteamApps\Common\Terraria\unins002.exe
AddRemove-Zip Password Tool_is1 - c:\documents and settings\HuoXue\Desktop\Zip Password Tool\unins000.exe
AddRemove-{224E185A-DCC7-45C5-B04D-77E6CE82D83E}_is1 - c:\program files\steam\steamapps\common\terraria\unins001.exe
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\SAMSUNG\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\SAMSUNG\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\SAMSUNG\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\SAMSUNG\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-28 03:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-01-28  03:57:19
ComboFix-quarantined-files.txt  2014-01-28 09:57
.
Pre-Run: 86,070,591,488 bytes free
Post-Run: 87,118,925,824 bytes free
.
- - End Of File - - B9875ECBDDD75354600FBEEFCBDFBA84
8F558EB6672622401DA993E1E865C861

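The ComboFix "Supplementary Scan" block in the log above lists the start page, the DHCP-assigned resolver and any per-interface NameServer values; when a search redirect is being chased, these are the settings worth checking first, because a resolver or start page changed behind the user's back produces exactly the symptom described in this thread. The Python script below is an added example, not code from the thread, from ComboFix or from the Malware Response Team: it parses lines in that format and flags, for review, any interface whose static NameServer differs from the DHCP resolver, plus a start page outside an allowlist. The sample block is constructed to mirror the lines posted above (the 208.69.150.x resolvers are copied from the log; the script only marks them for confirmation and does not judge them malicious), and `trusted_resolvers` and `expected_start_hosts` are parameters introduced here.

```python
"""Parse a ComboFix "Supplementary Scan" block and flag DNS/start-page settings for review.

Added example; the functions and parameter names are this example's own, not ComboFix's.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample, laid out the way ComboFix prints the section;
# values copied from the log posted in this thread.
SAMPLE_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: NameServer = 208.69.150.250,208.69.150.252
.
"""

START_PAGE_RE = re.compile(r"^uStart Page = (.+)$")
DHCP_DNS_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
GLOBAL_DNS_RE = re.compile(r"^TCP: NameServer = (.+)$")
IFACE_DNS_RE = re.compile(r"^TCP: Interfaces\\\{([0-9A-Fa-f-]+)\}: NameServer = (.+)$")


def _split_ips(value: str) -> List[str]:
    # ComboFix separates multiple resolvers with commas (occasionally spaces).
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def refang(url: str) -> str:
    # ComboFix writes "hxxp" so readers do not click log URLs; undo it for comparison only.
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def parse_supplementary(text: str) -> Dict:
    """Collect start page, DHCP resolver, global static resolver and per-interface resolvers."""
    result = {"start_page": None, "dhcp_name_servers": [], "global_name_servers": [], "interfaces": {}}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = START_PAGE_RE.match(line)
        if m:
            result["start_page"] = refang(m.group(1))
            continue
        m = DHCP_DNS_RE.match(line)
        if m:
            result["dhcp_name_servers"] = _split_ips(m.group(1))
            continue
        m = GLOBAL_DNS_RE.match(line)
        if m:
            result["global_name_servers"] = _split_ips(m.group(1))
            continue
        m = IFACE_DNS_RE.match(line)
        if m:
            result["interfaces"][m.group(1).upper()] = _split_ips(m.group(2))
    return result


def review(parsed: Dict,
           trusted_resolvers: Set[str] = frozenset(),
           expected_start_hosts: Set[str] = frozenset({"www.google.com"})) -> List[str]:
    """Return human-readable findings; an empty list means nothing needs a second look."""
    findings: List[str] = []
    dhcp = set(parsed["dhcp_name_servers"])
    dhcp_text = ",".join(sorted(dhcp)) or "(none)"

    # A static resolver that is neither the DHCP one nor on the trusted list is the
    # classic place a redirect hides; it may also be a deliberate choice, hence "confirm".
    for guid, servers in sorted(parsed["interfaces"].items()):
        static = set(servers)
        if static and static != dhcp and not static <= set(trusted_resolvers):
            findings.append(f"interface {{{guid}}}: static NameServer {','.join(servers)} "
                            f"differs from DHCP resolver {dhcp_text}; confirm it was set on purpose")
    glob = set(parsed["global_name_servers"])
    if glob and glob != dhcp and not glob <= set(trusted_resolvers):
        findings.append(f"global static NameServer {','.join(sorted(glob))} differs from DHCP resolver {dhcp_text}")

    # Start page outside the allowlist: not proof of a hijack, but worth a look.
    start = parsed["start_page"]
    if start:
        host = urlparse(start).hostname or ""
        if host not in expected_start_hosts:
            findings.append(f"start page {start} is not on the expected list")
    return findings


if __name__ == "__main__":
    for finding in review(parse_supplementary(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the script reports both interfaces because their static resolvers differ from the DHCP-assigned 192.168.1.254; passing those addresses in `trusted_resolvers` clears the findings once the user has confirmed they set them deliberately.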

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 January 2014 - 04:50 PM


Hello HuoXue

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 HuoXue

HuoXue
  • Topic Starter

  • Members
  • 14 posts

Posted 30 January 2014 - 09:15 AM

The redirect is still not showing up at all, so that's good, but while running ComboFix (once again, I had to do it in Safe Mode; it crashed in the normal environment), I received the error "application corrupt" 3 times: once near the beginning and twice towards the end.  Is this an issue I should be concerned about?

 

LOGS:

----------

 

ComboFix 14-01-27.02 - HuoXue 01/30/2014   7:52.6.2 - x86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3326.3051 [GMT -6:00]
Running from: c:\documents and settings\HuoXue\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HuoXue\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected 
Restored copy from - c:\windows\erdnt\cache\ntfs.sys 
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-30  )))))))))))))))))))))))))))))))
.
.
2014-01-28 06:59 . 2014-01-28 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-01-28 06:59 . 2014-01-28 06:59 107224 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-28 06:58 . 2014-01-28 06:58 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-27 22:04 . 2014-01-27 22:04 -------- d-----w- c:\windows\ERUNT
2014-01-27 21:57 . 2014-01-27 22:01 -------- d-----w- C:\AdwCleaner
2014-01-25 03:11 . 2014-01-25 03:11 -------- d-----w- c:\documents and settings\HuoXue\Application Data\SYSTEMAX Software Development
2014-01-25 03:11 . 2014-01-25 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
2014-01-24 13:00 . 2014-01-23 13:24 877480 ----a-w- c:\windows\system32\npdeployJava1.dll
2014-01-24 13:00 . 2014-01-23 13:24 800168 ----a-w- c:\windows\system32\deployJava1.dll
2014-01-23 13:24 . 2014-01-23 13:24 -------- d-----w- c:\program files\Common Files\Java
2014-01-23 13:24 . 2014-01-23 13:24 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-23 13:15 . 2014-01-23 13:24 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-23 12:17 . 2014-01-23 12:17 -------- d-----w- c:\windows\Performance
2014-01-23 12:17 . 2014-01-23 12:17 -------- d-----w- c:\documents and settings\HuoXue\Local Settings\Application Data\Microsoft Corporation
2014-01-15 09:18 . 2014-01-15 09:18 -------- d-----w- c:\program files\steam
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 14:30 . 2012-11-08 11:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 14:30 . 2012-11-08 11:26 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 14:30 . 2013-12-11 14:30 9293192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-11-27 20:21 . 2001-08-18 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2001-08-18 08:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-11 09:28 . 2013-11-11 09:28 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2013-11-11 09:28 . 2013-11-11 09:28 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2013-11-07 05:38 . 2001-08-18 08:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2011-11-07 06:35 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\steam\steam.exe" [2014-01-07 1815464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-08-04 1612920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\NexmuTK\\NeXmuTK.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\IceChat7\\IceChat7.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\KVIrc\\kvirc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Documents and Settings\\HuoXue\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Softnyx\\GunboundThor\\GunBound.exe"=
"c:\\Program Files\\Softnyx\\GunboundThor\\gunbound.gme"=
"c:\\Program Files\\Java\\jre7\\bin\\java.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Nexia\\NexusTK.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\Galactic Civilizations II - Ultimate Edition\\Twilight\\GC2TwilightOfTheArnor.exe"=
"c:\\Documents and Settings\\HuoXue\\Desktop\\Dogeminer\\dogecoin-qt.exe"=
"d:\\Steam\\Steam.exe"=
"d:\\Steam\\steamapps\\common\\Spelunky\\Spelunky.exe"=
"d:\\Steam\\steamapps\\common\\Brothers - A Tale of Two Sons\\Binaries\\Win32\\BrothersLauncher.exe"=
"d:\\Steam\\steamapps\\common\\Brothers - A Tale of Two Sons\\Binaries\\Win32\\Brothers.exe"=
"d:\\Steam\\steamapps\\common\\LongLiveTheQueen\\LongLiveTheQueen.exe"=
"d:\\Steam\\steamapps\\common\\pixeljunkeden\\eden.exe"=
"d:\\Steam\\steamapps\\common\\Fallout New Vegas\\FalloutNVLauncher.exe"=
"d:\\Steam\\steamapps\\common\\vvvvvv\\VVVVVV.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\ElectronicSuperJoy\\ElectronicSuperJoy.exe"=
"d:\\Steam\\steamapps\\common\\Beatbuddy\\Beatbuddy.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\FE Legendary Heroes\\LegendaryHeroes.exe"=
"d:\\SteamLibrary\\SteamApps\\common\\GarrysMod\\hl2.exe"=
"d:\\Steam\\steamapps\\common\\Starbound\\win32\\launcher\\launcher.exe"=
.
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\HuoXue\Desktop\VCdRom.sys --> c:\documents and settings\HuoXue\Desktop\VCdRom.sys [?]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [11/10/2013 6:23 PM 233472]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 2:00 AM 14336]
S2 NetBalancerService;NetBalancerService;c:\program files\NetBalancer\SeriousBit.NetBalancer.Service.exe [4/28/2013 12:59 PM 10752]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/9/2013 9:58 AM 3275136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 5:45 PM 161384]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [11/11/2013 4:51 AM 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [11/10/2013 6:23 PM 37344]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [1/4/2012 2:15 PM 137488]
S3 nbdrv;NetBalancer Service;c:\windows\system32\drivers\nbdrv.sys [4/28/2013 12:59 PM 23040]
S3 nbdrvMP;nbdrvMP;c:\windows\system32\drivers\nbdrv.sys [4/28/2013 12:59 PM 23040]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [11/11/2013 4:51 AM 181344]
S3 XDva392;XDva392;\??\c:\windows\system32\XDva392.sys --> c:\windows\system32\XDva392.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-08 14:30]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004Core.job
- c:\documents and settings\HuoXue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-06 17:18]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004UA.job
- c:\documents and settings\HuoXue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-06 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
TCP: Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: NameServer = 208.69.150.250,208.69.150.252
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-30 08:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1940)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2014-01-30  08:08:33 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-30 14:08
ComboFix2.txt  2014-01-28 09:57
.
Pre-Run: 88,946,544,640 bytes free
Post-Run: 88,936,656,896 bytes free
.
- - End Of File - - 17B40422B4B2BCD49BE15C32DBF8EB90
8F558EB6672622401DA993E1E865C861


#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 January 2014 - 12:15 PM


Hello

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE: Because of the cleanup process some of the programs I have listed may not be in Add/Remove anymore. This is fine, just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a much better job).
  • Programs to remove
    • BitTorrent
    • Strongvault Online Backup

  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
Malwarebytes' Anti-Malware


I see you have MBAM installed on the computer - that is great! It is a very good program. I would like you to run a quick scan for me now.
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • Copy and paste the HijackThis report into the topic
Information and logs
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 HuoXue (Topic Starter)

Posted 03 February 2014 - 07:35 AM

Well, the redirect is back.  Someone -may- have been on my computer between now and then - I do a lot of 3rd shifts and am not always awake when the rest of the family is.  I removed bittorrent, however, I cannot find "Strongvault" in my uninstall programs list - either in Revo or Windows' version of it.  Could this be related?  MBAM detected nothing, but I'll post the log regardless.

 

LOGS:

----------

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.03.03
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HuoXue :: HUO [administrator]
 
2/3/2014 6:22:53 AM
mbam-log-2014-02-03 (06-22-53).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226739
Time elapsed: 5 minute(s), 59 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:30:28 AM, on 2/3/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Documents and Settings\HuoXue\My Documents\Downloads\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Steam] "D:\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: NameServer = 208.69.150.250,208.69.150.252
O18 - Protocol: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - C:\Program Files\NavNetApp\ComUtilities.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Futuremark\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBalancerService - SeriousBit - C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
 
--
End of file - 6554 bytes
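The HijackThis log above carries the three settings a responder checks first when a search redirect survives browser resets: per-interface NameServer entries (O17) that differ from what DHCP handed out, hosts-file overrides (O1), and Internet Explorer start/search pages (R0/R1) pointing somewhere unexpected. As an added example, not part of the original thread and not code from HijackThis, OTL or any other tool named here, the following Python script applies those checks to log lines of that format. The O17, localhost and go.microsoft.com lines in the sample are copied from the logs in this thread; the 192.0.2.10 hosts entry and the search.example URL are constructed to exercise the other two checks, and the allow-list of home/search-page hosts is an assumption for illustration.

```python
"""Triage HijackThis/OTL-style log lines for browser-redirect indicators.

Added example: not part of the original thread, nor code from HijackThis,
OTL or any other tool mentioned there. Lines in SAMPLE_LOG marked "thread"
are copied from the logs posted in the thread; lines marked "constructed"
are made up (RFC 5737 / RFC 2606 reserved values) to exercise a check.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts a home page or search page may legitimately point at.
ALLOWED_PAGE_HOSTS = {"go.microsoft.com", "www.google.com", "www.bing.com"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>DhcpNameServer|NameServer) = (?P<val>.+?)\s*$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<url>\S+)")

# Constructed sample input: four lines from the thread's logs, two made up.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 192.0.2.10      www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/?q={searchTerms}
"""


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def triage(log_text):
    """Return a list of (category, detail) findings for redirect indicators."""
    dhcp_dns = set()   # resolvers the DHCP server handed out
    static_dns = []    # (interface key, [statically configured resolvers])
    findings = []

    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m["val"].split(",") if s.strip()]
            if m["name"] == "DhcpNameServer":
                dhcp_dns.update(servers)
            else:
                static_dns.append((m["key"], servers))
            continue
        m = O1_RE.match(line)
        if m:
            # A stock hosts file only maps localhost to the loopback address;
            # anything else is an override worth a look.
            if m["host"] != "localhost" or not is_loopback(m["ip"]):
                findings.append(("hosts-override", f"{m['host']} -> {m['ip']}"))
            continue
        m = R_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if host not in ALLOWED_PAGE_HOSTS:
                findings.append(("ie-page", f"{m['name'].strip()} = {m['url']}"))

    # Static per-interface DNS that differs from the DHCP-assigned resolver is
    # the classic way a redirect survives browser resets. It is not proof of
    # compromise (ISPs and users set static resolvers too), so the finding
    # asks for verification rather than calling the servers malicious.
    for key, servers in static_dns:
        unexpected = [s for s in servers if s not in dhcp_dns]
        if unexpected:
            findings.append(("static-dns",
                             f"{key}: {','.join(unexpected)} (not DHCP-assigned; verify ownership)"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample, the script reports the constructed hosts override and search page, and flags 208.69.150.250/252 as statically configured resolvers that DHCP did not supply. That last finding is deliberately phrased as "verify ownership": the thread's logs show those addresses on two interfaces, but nothing on the page says who operates them, so the right next step is to confirm with the ISP or `nslookup` rather than to assume they are the redirect's cause.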
 


#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 03 February 2014 - 12:59 PM



Hello HuoXue

Which browser has the redirect?

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo

#15 HuoXue (Topic Starter)

Posted 03 February 2014 - 06:12 PM

Hello again Gringo,

 

I only noticed it in Chrome, but for thoroughness' sake, I opened up IE and tried a search there - having the same issue.  When I tried to search from the address bar in IE, a window popped up from IE itself for me to select a search provider, and none were available - but when I closed the settings window, it still redirected me to yhs4.  On Chrome, it -appears- as though it's trying to search from google, but at the last second it redirects to the yhs4 search.

 

LOGS:

----------

OTL logfile created on: 2/3/2014 5:02:00 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\HuoXue\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.25 Gb Total Physical Memory | 2.71 Gb Available Physical Memory | 83.47% Memory free
5.09 Gb Paging File | 4.75 Gb Available in Paging File | 93.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 83.25 Gb Free Space | 65.04% Space Free | Partition Type: NTFS
Drive D: | 288.38 Gb Total Space | 137.32 Gb Free Space | 47.62% Space Free | Partition Type: NTFS
Drive F: | 9.71 Gb Total Space | 4.31 Gb Free Space | 44.40% Space Free | Partition Type: NTFS
 
Computer Name: HUO | User Name: HuoXue | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Documents and Settings\HuoXue\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\WINDOWS\system32\FsUsbExService.Exe (Teruten)
PRC - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\sndvol32.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.102\ppgooglenaclpluginchrome.dll ()
MOD - C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.102\pdf.dll ()
MOD - C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\Application\32.0.1700.102\ffmpegsumo.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (FsUsbExService) -- C:\WINDOWS\system32\FsUsbExService.Exe (Teruten)
SRV - (Skype C2C Service) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.)
SRV - (NetBalancerService) -- C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe (SeriousBit)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Futuremark SystemInfo Service) -- C:\Program Files\Futuremark\Futuremark SystemInfo\FMSISvc.exe (Futuremark Corporation)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (Iprip) -- C:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
SRV - (Imapi Helper) -- C:\Program Files\ISO Recorder\ImapiHelper.exe (Alex Feinman)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (XDva392) -- C:\WINDOWS\system32\XDva392.sys File not found
DRV - (WDICA) --  File not found
DRV - (vcdrom) -- C:\Documents and Settings\HuoXue\Desktop\VCdRom.sys File not found
DRV - (SCREAMINGBDRIVER) -- system32\drivers\ScreamingBAudio.sys File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (EagleXNt) -- C:\WINDOWS\system32\drivers\EagleXNt.sys File not found
DRV - (dgderdrv) -- System32\drivers\dgderdrv.sys File not found
DRV - (cpuz135) -- C:\WINDOWS\TEMP\cpuz135\cpuz135_x32.sys File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (apf001) -- C:\Game\SoftnyxGame\GunBoundIS\apf001.sys File not found
DRV - (FsUsbExDisk) -- C:\WINDOWS\system32\FsUsbExDisk.Sys ()
DRV - (nbdrvMP) -- C:\WINDOWS\system32\drivers\nbdrv.sys (SeriousBit)
DRV - (nbdrv) -- C:\WINDOWS\system32\drivers\nbdrv.sys (SeriousBit)
DRV - (ssudmdm) -- C:\WINDOWS\system32\drivers\ssudmdm.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV - (dg_ssudbus) -- C:\WINDOWS\system32\drivers\ssudbus.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV - (NVHDA) -- C:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
DRV - (TPkd) -- C:\WINDOWS\System32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-606747145-287218729-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-606747145-287218729-725345543-1004\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-606747145-287218729-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-606747145-287218729-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
IE - HKU\S-1-5-21-606747145-287218729-725345543-1006\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-606747145-287218729-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\WINDOWS\system32\npdeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.14\npapicomadapter.dll File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\HuoXue\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Documents and Settings\HuoXue\Application Data\Mozilla\plugins\npo1d.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\HuoXue\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
 
 
[2012/11/23 18:10:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - Extension: Google Wallet = C:\Documents and Settings\HuoXue\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_1\
 
O1 HOSTS File: ([2014/01/30 08:04:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-606747145-287218729-725345543-1004\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKU\S-1-5-21-606747145-287218729-725345543-1004..\Run: [Steam] D:\Steam\steam.exe (Valve Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-606747145-287218729-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.51.2)
O16 - DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab (Java Plug-in 1.7.0_21)
O16 - DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 1.7.0_51)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.51.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{48FA2EBB-A101-47EE-8D86-920C6550BDC5}: NameServer = 208.69.150.250,208.69.150.252
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7DEF3EB3-9040-4CD6-BCFF-31C5BBF0AAE0}: NameServer = 208.69.150.250,208.69.150.252
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\navnet {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - C:\Program Files\NavNetApp\ComUtilities.dll (MH)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\HuoXue\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HuoXue\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/05 22:35:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/02/03 06:19:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HuoXue\Recent
[2014/02/03 06:19:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2014/02/03 06:17:52 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2014/02/03 06:10:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Start Menu\Programs\Revo Uninstaller
[2014/02/03 06:10:05 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2014/01/31 01:55:21 | 000,000,000 | ---D | C] -- C:\Program Files\WinHasher
[2014/01/31 01:55:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinHasher
[2014/01/30 08:08:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2014/01/28 01:48:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Desktop\RK_Quarantine
[2014/01/28 00:59:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
[2014/01/28 00:58:54 | 000,052,312 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/01/28 00:58:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Desktop\MBAR
[2014/01/28 00:57:16 | 012,589,848 | ---- | C] (Malwarebytes Corp.) -- C:\Documents and Settings\HuoXue\Desktop\mbar-1.07.0.1009.exe
[2014/01/27 17:43:08 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2014/01/27 17:16:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2014/01/27 17:16:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2014/01/27 17:16:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2014/01/27 17:16:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2014/01/27 17:16:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/01/27 17:16:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2014/01/27 17:13:23 | 005,175,619 | R--- | C] (Swearware) -- C:\Documents and Settings\HuoXue\Desktop\ComboFix.exe
[2014/01/27 16:04:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2014/01/27 15:57:26 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/27 15:56:06 | 001,037,068 | ---- | C] (Thisisu) -- C:\Documents and Settings\HuoXue\Desktop\JRT.exe
[2014/01/27 08:20:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2014/01/26 07:23:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2014/01/26 06:32:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Application Data\Mozilla
[2014/01/24 21:11:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Application Data\SYSTEMAX Software Development
[2014/01/24 21:11:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SYSTEMAX Software Development
[2014/01/24 21:11:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Desktop\PaintToolSAI
[2014/01/24 07:00:34 | 000,877,480 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2014/01/24 07:00:34 | 000,800,168 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2014/01/24 06:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Desktop\FTB2
[2014/01/23 07:24:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2014/01/23 07:24:34 | 000,264,616 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2014/01/23 07:24:27 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2014/01/23 07:24:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Java
[2014/01/23 07:15:00 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2014/01/23 07:15:00 | 000,174,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2014/01/23 07:15:00 | 000,145,408 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2014/01/23 06:17:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2014/01/23 06:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Local Settings\Application Data\Microsoft Corporation
[2014/01/20 08:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HuoXue\Desktop\Netherores
[2014/01/15 03:18:15 | 000,000,000 | ---D | C] -- C:\Program Files\steam
[2013/01/28 20:16:36 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\HuoXue\Application Data\pcouffin.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/02/03 16:30:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/02/03 16:16:19 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004UA.job
[2014/02/03 06:38:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/02/03 06:38:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/02/03 06:17:52 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2014/02/03 06:10:06 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\Revo Uninstaller.lnk
[2014/02/02 22:16:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-287218729-725345543-1004Core.job
[2014/01/31 01:55:21 | 000,001,810 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinHasher.lnk
[2014/01/30 08:04:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2014/01/28 20:28:50 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\HuoXue\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2014/01/28 00:58:54 | 000,052,312 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/01/28 00:58:07 | 012,589,848 | ---- | M] (Malwarebytes Corp.) -- C:\Documents and Settings\HuoXue\Desktop\mbar-1.07.0.1009.exe
[2014/01/28 00:57:39 | 003,792,384 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\RogueKiller.exe
[2014/01/27 17:43:11 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2014/01/27 17:25:19 | 000,494,004 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2014/01/27 17:25:19 | 000,084,548 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2014/01/27 17:14:00 | 005,175,619 | R--- | M] (Swearware) -- C:\Documents and Settings\HuoXue\Desktop\ComboFix.exe
[2014/01/27 15:56:10 | 001,037,068 | ---- | M] (Thisisu) -- C:\Documents and Settings\HuoXue\Desktop\JRT.exe
[2014/01/27 15:55:59 | 001,236,282 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\AdwCleaner.exe
[2014/01/26 22:30:21 | 000,067,324 | ---- | M] () -- C:\Documents and Settings\HuoXue\My Documents\tumblr_mx56ote6V61qf24ngo2_500.jpg
[2014/01/24 21:11:02 | 002,339,714 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\sai-1.1.0-ful-en.exe
[2014/01/24 13:31:03 | 000,217,600 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\jacob-1.17-M2-x64.dll
[2014/01/24 13:31:03 | 000,176,128 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\jacob-1.17-M2-x86.dll
[2014/01/24 06:22:37 | 000,791,994 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\FTB.jar
[2014/01/23 07:24:16 | 000,264,616 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2014/01/23 07:24:16 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2014/01/23 07:24:16 | 000,174,504 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2014/01/23 07:24:16 | 000,145,408 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2014/01/23 07:24:16 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2014/01/23 07:24:15 | 000,877,480 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2014/01/23 07:24:15 | 000,800,168 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2014/01/22 10:08:11 | 000,001,852 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\east.grumpycraft.com~colon~25568.points
[2014/01/20 08:23:21 | 000,003,502 | ---- | M] () -- C:\Documents and Settings\HuoXue\.recently-used.xbel
[2014/01/20 08:18:47 | 000,000,832 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\nether_cobalt.png
[2014/01/20 08:02:50 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\HuoXue\Desktop\nether_ardite.png
[2014/01/15 03:00:52 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2014/01/06 20:30:47 | 001,077,176 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2014/01/06 20:30:47 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2014/01/05 19:43:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/02/03 06:17:52 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2014/02/03 06:10:06 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\Revo Uninstaller.lnk
[2014/01/31 01:55:21 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinHasher.lnk
[2014/01/28 00:57:19 | 003,792,384 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\RogueKiller.exe
[2014/01/27 17:43:11 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2014/01/27 17:43:09 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2014/01/27 17:16:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2014/01/27 17:16:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2014/01/27 17:16:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2014/01/27 17:16:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2014/01/27 17:16:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2014/01/27 15:55:54 | 001,236,282 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\AdwCleaner.exe
[2014/01/26 22:30:20 | 000,067,324 | ---- | C] () -- C:\Documents and Settings\HuoXue\My Documents\tumblr_mx56ote6V61qf24ngo2_500.jpg
[2014/01/24 21:10:52 | 002,339,714 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\sai-1.1.0-ful-en.exe
[2014/01/23 19:28:49 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\jacob-1.17-M2-x64.dll
[2014/01/23 19:28:49 | 000,176,128 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\jacob-1.17-M2-x86.dll
[2014/01/22 21:59:08 | 000,791,994 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\FTB.jar
[2014/01/22 21:38:17 | 000,001,852 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\east.grumpycraft.com~colon~25568.points
[2014/01/20 08:23:21 | 000,003,502 | ---- | C] () -- C:\Documents and Settings\HuoXue\.recently-used.xbel
[2014/01/20 08:18:11 | 000,000,832 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\nether_cobalt.png
[2014/01/20 08:00:50 | 000,001,909 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\googirl_blue.png
[2014/01/20 07:59:15 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\nether_ardite.png
[2014/01/20 07:59:15 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\HuoXue\Desktop\nether_ardite_backup.png
[2013/11/10 18:23:51 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2013/11/10 18:23:51 | 000,037,344 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2013/07/25 12:19:44 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2013/03/25 18:19:44 | 000,000,346 | ---- | C] () -- C:\Documents and Settings\HuoXue\enbpatch.ini
[2013/01/29 06:49:04 | 000,001,188 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\vso_ts_preview.xml
[2013/01/28 23:09:03 | 000,000,028 | ---- | C] () -- C:\WINDOWS\v2d.INI
[2013/01/28 20:16:36 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\inst.exe
[2013/01/28 20:16:36 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\pcouffin.cat
[2013/01/28 20:16:36 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\pcouffin.inf
[2013/01/28 00:59:12 | 000,000,039 | ---- | C] () -- C:\WINDOWS\WindowsSniper.INI
[2012/11/07 22:02:57 | 000,012,920 | ---- | C] () -- C:\WINDOWS\System32\apl001.sys
[2012/11/07 22:02:57 | 000,010,872 | ---- | C] () -- C:\WINDOWS\System32\apf001.sys
[2012/10/22 20:12:46 | 000,582,661 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\technic-launcher.jar
[2012/10/06 19:17:47 | 001,134,569 | ---- | C] () -- C:\Documents and Settings\HuoXue\Application Data\Middle Earth Adventure v1.1.zip
[2012/09/26 05:00:11 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\msexcr.ini
[2012/07/26 11:43:33 | 000,000,754 | ---- | C] () -- C:\WINDOWS\wordpad.INI
[2012/06/12 17:54:11 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\HuoXue\kvirc4.ini
[2012/06/06 21:40:35 | 000,000,062 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/04/03 04:41:54 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\HuoXue\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/19 21:28:49 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2012/02/16 00:33:52 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/26 03:15:55 | 000,513,347 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-606747145-287218729-725345543-1004-0.dat
[2012/01/26 03:15:53 | 000,088,998 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/01/16 06:18:28 | 000,000,032 | R--- | C] () -- C:\Documents and Settings\All Users\hash.dat
 
========== ZeroAccess Check ==========
 
[2011/12/01 04:06:33 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/12/19 02:53:33 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 1277 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:9geTlVBvstRYjweHMab7
@Alternate Data Stream - 1180 bytes -> C:\Documents and Settings\HuoXue\Local Settings\Application Data\Qozyi7ovDK:0Bop90IPRjBtqQpLUzw
@Alternate Data Stream - 1120 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:Vys1H27shViwvArXmS6oymwT9D0Ti0
 
< End of report >




