View Full Version : Some help with redirects, a pop-up, & a corrupted hosts file?
Dragonzord
2012-07-31, 05:20
Hey guys,
I've been digging around trying to fix this redirection issue for a while, fruitlessly trying to edit/delete/rename the hosts file, and now recently some pop-ups have been occurring in the bottom-right of my browser.
It seems you guys have successfully solved very similar issues for other users in the past, so I'm hoping you can shed some light on this for me. :)
The contents of DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Run by User at 21:16:45 on 2012-07-30
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8109.6779 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\TEMP\FP_AX_CAB_INSTALLER.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = http=127.0.0.1:63475
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
TCP: Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B} : DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
Hosts: 188.119.151.113 www.google-analytics.com.
Hosts: 188.119.151.113 ad-emea.doubleclick.net.
Hosts: 188.119.151.113 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3ch0u0t8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63475
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-12-27 378472]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2012-2-27 1153368]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-4-5 158856]
S3 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 64952]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2012-07-31 01:36:22 -------- d-----w- C:\_OTL
2012-07-26 05:48:08 -------- d-----w- C:\Program Files (x86)\MSECache
.
==================== Find3M ====================
.
2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-30 06:04:42 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-30 06:04:42 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-05-24 16:57:50 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
.
============= FINISH: 21:16:57.86 ===============
:snwelcome:
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR
You do have some hosts file issues, lets check futher
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Dragonzord
2012-08-02, 23:15
Sorry about that ken545, I misunderstood the aswMBR "don't run fixes" as "don't run scans" until asked.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-02 14:55:54
-----------------------------
14:55:54.099 OS Version: Windows x64 6.1.7601 Service Pack 1
14:55:54.099 Number of processors: 8 586 0x2A07
14:55:54.099 ComputerName: X UserName:
14:55:54.458 Initialize success
14:57:02.425 AVAST engine defs: 12080201
14:58:05.961 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:58:05.961 Disk 0 Vendor: SAMSUNG_HD080HJ/P ZH100-34 Size: 76293MB BusType: 3
14:58:05.961 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-5
14:58:05.961 Disk 1 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
14:58:05.977 Disk 0 MBR read successfully
14:58:05.977 Disk 0 MBR scan
14:58:05.977 Disk 0 Windows 7 default MBR code
14:58:05.977 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 31 MB offset 63
14:58:05.992 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73076 MB offset 64260
14:58:06.024 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3176 MB offset 149725800
14:58:06.070 Disk 0 scanning C:\Windows\system32\drivers
14:58:16.210 Service scanning
14:58:38.440 Modules scanning
14:58:38.440 Disk 0 trace - called modules:
14:58:38.456 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:58:38.456 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a5b790]
14:58:38.456 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa800786d520]
14:58:38.472 5 ACPI.sys[fffff88000fb17a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800784f060]
14:58:38.862 AVAST engine scan C:\Windows
14:58:40.765 AVAST engine scan C:\Windows\system32
14:58:51.747 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
15:00:25.060 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:00:27.556 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
15:01:11.377 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:Downloader-PKU [Trj]
15:01:11.689 AVAST engine scan C:\Windows\system32\drivers
15:01:23.170 AVAST engine scan C:\Users\User
15:04:28.857 AVAST engine scan C:\ProgramData
15:05:53.129 Scan finished successfully
15:06:24.344 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
15:06:24.344 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"
Dragonzord
2012-08-02, 23:39
OTL logfile created on: 8/2/2012 3:16:29 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\User\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
7.92 Gb Total Physical Memory | 6.77 Gb Available Physical Memory | 85.53% Memory free
15.84 Gb Paging File | 14.71 Gb Available in Paging File | 92.90% Paging File free
Paging file location(s): ?:\pagefile.sys
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 71.36 Gb Total Space | 11.75 Gb Free Space | 16.46% Space Free | Partition Type: NTFS
Drive D: | 462.40 Gb Total Space | 262.23 Gb Free Space | 56.71% Space Free | Partition Type: NTFS
Computer Name: X | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Windows\Temp\FP_AX_CAB_INSTALLER.exe (Adobe Systems Incorporated)
PRC - C:\Users\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Windows\SysWOW64\wbem\WmiPrvSE.exe (Microsoft Corporation)
========== Modules (No Company Name) ==========
========== Win32 Services (SafeList) ==========
SRV:64bit: - (SBSDWSCService) -- C:\Program Files\Spybot File not found
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
========== Driver Services (SafeList) ==========
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55576
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A4 08 C7 CE 3F 93 CC 01 [binary data]
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63475
========== FireFox ==========
FF - prefs.js..browser.search.update: false
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 63475
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/26 16:07:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
[2011/10/25 13:02:55 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2012/01/19 00:16:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/02/26 16:07:33 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/26 16:07:32 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/26 16:07:32 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
========== Chrome ==========
CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\User\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U24 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
O1 HOSTS File: ([2012/01/20 14:50:14 | 000,001,401 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 188.119.151.113 www.google-analytics.com.
O1 - Hosts: 188.119.151.113 ad-emea.doubleclick.net.
O1 - Hosts: 188.119.151.113 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
F3:64bit: - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
F3 - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B}: DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B}: NameServer = 8.8.8.8,8.8.4.4
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKU\S-1-5-19 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-19 Winlogon: Shell - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\F8B20\55CB6.exe) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2dd2a1c4-ff3f-11e0-baac-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2dd2a1c4-ff3f-11e0-baac-806e6f6e6963}\Shell\AutoRun\command - "" = E:\KingVideoPlayer.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=consrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
========== Files/Folders - Created Within 30 Days ==========
[2012/08/02 14:53:59 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\User\Desktop\aswMBR.exe
[2012/07/30 21:06:27 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/07/30 21:06:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/07/30 21:06:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/07/30 21:00:14 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\User\Desktop\dds.scr
[2012/07/30 21:00:05 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\User\Desktop\erunt-setup.exe
[2012/07/30 20:36:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/30 20:34:55 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/07/26 00:48:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2012/07/26 00:48:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSECache
[2012/07/24 13:22:36 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\User\Desktop\TDSSKiller.exe
========== Files - Modified Within 30 Days ==========
[2012/08/02 15:06:24 | 000,000,512 | ---- | M] () -- C:\Users\User\Desktop\MBR.dat
[2012/08/02 14:54:26 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\User\Desktop\aswMBR.exe
[2012/08/02 14:54:10 | 000,018,000 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/02 14:54:10 | 000,018,000 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/02 14:48:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/02 14:48:51 | 2082,349,055 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/02 02:43:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000UA.job
[2012/08/01 19:43:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000Core.job
[2012/08/01 08:56:38 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/07/30 21:58:05 | 000,049,879 | ---- | M] () -- C:\Users\User\Desktop\Untitled.wma
[2012/07/30 21:30:19 | 000,000,170 | ---- | M] () -- C:\Users\User\Desktop\- .rtf
[2012/07/30 21:18:12 | 000,002,754 | ---- | M] () -- C:\Users\User\Desktop\Attach.zip
[2012/07/30 21:00:14 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\User\Desktop\dds.scr
[2012/07/30 21:00:07 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\User\Desktop\erunt-setup.exe
[2012/07/30 20:34:56 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/07/30 20:23:24 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\User\Desktop\TDSSKiller.exe
[2012/07/30 18:45:31 | 000,000,914 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
========== Files Created - No Company Name ==========
[2037/11/30 02:43:57 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000000.@
[2037/04/09 23:28:15 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000c0.@
[2037/04/09 23:28:09 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cb.@
[2037/04/09 23:27:51 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cf.@
[2037/04/09 23:27:36 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000c0.@
[2037/04/09 23:27:26 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cb.@
[2037/04/09 23:27:17 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cf.@
[2012/08/02 15:06:24 | 000,000,512 | ---- | C] () -- C:\Users\User\Desktop\MBR.dat
[2012/08/01 08:56:38 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/07/30 21:58:05 | 000,049,879 | ---- | C] () -- C:\Users\User\Desktop\Untitled.wma
[2012/07/30 21:18:12 | 000,002,754 | ---- | C] () -- C:\Users\User\Desktop\Attach.zip
[2012/07/30 10:51:28 | 000,092,672 | ---- | C] () -- C:\Windows\assembly\temp\U\80000032.@
[2012/07/30 10:51:28 | 000,080,896 | ---- | C] () -- C:\Windows\assembly\temp\U\80000064.@
[2012/07/26 00:48:34 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/06/26 13:36:17 | 000,000,218 | ---- | C] () -- C:\Windows\assembly\temp\L\00000004.@
[2012/06/25 02:36:09 | 000,001,536 | ---- | C] () -- C:\Windows\assembly\temp\U\00000001.@
[2012/06/13 17:12:52 | 000,224,768 | ---- | C] () -- C:\Windows\assembly\temp\U\00000002.@
[2012/03/30 09:18:01 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000004.@
[2012/02/27 20:15:51 | 000,000,085 | ---- | C] () -- C:\Windows\wininit.ini
[2012/02/09 00:11:11 | 000,788,128 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/01/19 19:14:11 | 000,002,048 | -HS- | C] () -- C:\Windows\assembly\temp\@
[2011/12/26 19:39:29 | 000,010,224 | -HS- | C] () -- C:\Users\User\AppData\Local\17672385l5n4
[2011/12/26 19:39:29 | 000,010,224 | -HS- | C] () -- C:\ProgramData\17672385l5n4
[2011/11/02 12:48:14 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\00000004.@
[2011/11/01 20:52:30 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2011/10/25 13:25:10 | 000,007,601 | -H-- | C] () -- C:\Users\User\AppData\Local\Resmon.ResmonCfg
========== LOP Check ==========
[2012/02/09 00:02:58 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\2006C
[2012/05/26 10:45:57 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Audacity
[2012/02/18 01:03:04 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\F8B20
[2011/12/09 22:11:52 | 000,000,000 | -H-D | M] -- C:\Users\User\AppData\Roaming\flightgear.org
[2011/12/09 21:37:12 | 000,000,000 | -H-D | M] -- C:\Users\User\AppData\Roaming\fltk.org
[2012/01/18 19:47:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\King Schools
[2011/10/25 17:17:58 | 000,000,000 | -H-D | M] -- C:\Users\User\AppData\Roaming\LolClient
[2012/05/23 13:26:57 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\LolClient2
[2012/08/02 01:40:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mumble
[2011/12/09 22:06:50 | 000,000,000 | -H-D | M] -- C:\Users\User\AppData\Roaming\Subversion
[2012/06/16 01:59:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\uTorrent
[2012/02/07 01:33:04 | 000,000,374 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2012/06/17 06:48:27 | 000,032,648 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point
< End of report >
[B] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OTL Extras logfile created on: 8/2/2012 3:16:29 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\User\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
7.92 Gb Total Physical Memory | 6.77 Gb Available Physical Memory | 85.53% Memory free
15.84 Gb Paging File | 14.71 Gb Available in Paging File | 92.90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 71.36 Gb Total Space | 11.75 Gb Free Space | 16.46% Space Free | Partition Type: NTFS
Drive D: | 462.40 Gb Total Space | 262.23 Gb Free Space | 56.71% Space Free | Partition Type: NTFS
Computer Name: X | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- Reg Error: Key error. File not found
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found
[HKEY_USERS\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{09394E2F-9482-40D2-AF77-8578EABE6E28}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{111CBF57-1054-4699-8DE0-DE505C17EAE8}" = lport=58258 | protocol=17 | dir=in | name=pando media booster |
"{161DD9A5-0313-422C-9BD9-FB63B33BB09E}" = rport=10243 | protocol=6 | dir=out | app=system |
"{1C3F5A88-2315-4C06-BAF3-EA4D9A5831C2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1EB9FCD4-BB70-43D2-9887-1F8F4DF67296}" = lport=58258 | protocol=6 | dir=in | name=pando media booster |
"{22DB2BCB-D90E-43AB-9EB3-DA8DC434B4F8}" = lport=58258 | protocol=6 | dir=in | name=pando media booster |
"{2F360896-41DB-4167-B8F1-DB83C41419C3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{395F5C18-8B94-4E23-A66D-0F7A0EC09052}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{4AFCE7A7-3ED7-405D-BE2D-B36C9AF76676}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{58E67A09-246F-483D-AC6A-35E6B9BEE60E}" = lport=138 | protocol=17 | dir=in | app=system |
"{5EA8A834-6268-41FB-BE5B-D586A5AA33B0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{6C9484CF-C7B2-4CFB-A18C-F2328DD3205F}" = lport=10243 | protocol=6 | dir=in | app=system |
"{70FED018-8409-48FB-95D8-A473C22BFDDA}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{74AA49A3-DFBE-4D8B-A9ED-03F9FB24ACB9}" = rport=138 | protocol=17 | dir=out | app=system |
"{79015AE3-7829-455C-BCE0-0B9209336A54}" = lport=58258 | protocol=17 | dir=in | name=pando media booster |
"{7E7F8B26-62B1-4B89-BE5E-FE3F1813D52E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{84035D9A-055E-4F21-9021-AAE4B81B3DC7}" = rport=445 | protocol=6 | dir=out | app=system |
"{974D78B4-8173-43BE-B056-40E8105A180F}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9F3BEE03-8408-40F9-98A3-04B481D1F1F6}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{A514A437-EF38-426B-883F-26D78F9FC3A6}" = rport=137 | protocol=17 | dir=out | app=system |
"{B92F4EB3-355E-4DB6-A895-B62479B77DFF}" = lport=137 | protocol=17 | dir=in | app=system |
"{C34C9D85-0212-4678-AA6D-2EBFE225BD9D}" = rport=139 | protocol=6 | dir=out | app=system |
"{D29F1747-65DF-4FF7-9267-08F02C456927}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D85FA7C7-3A43-47E3-A619-FCFAB823F52B}" = lport=139 | protocol=6 | dir=in | app=system |
"{F7D7EDEB-0934-4297-815C-C486A999E1E7}" = lport=445 | protocol=6 | dir=in | app=system |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0063E821-85A2-48CD-B80B-6E51416B3D72}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{01C910CD-A215-4641-AFB7-AF9938124DE7}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{04FC7008-87A3-4D3E-943E-26A6FBFAEE9F}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{0F6877F0-8EDF-4E00-B60A-1B96E579EA3C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1608B276-23AF-47B7-BBCD-6935A2CC7C3C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{183E3271-0280-41DD-9797-F233907FF6D2}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{1C543302-697D-4F5D-80A9-391E2C4EC73F}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{22E263A5-D362-432D-B51E-5F2EAF4810EF}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{25BBB851-8A98-4EA6-8356-66E7FBE0BF92}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{31BDE90C-2C43-42A0-A8CD-FD4B7C7E56E5}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{340AE53F-0F07-4FEE-A612-0E712A951312}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4844845B-6584-469E-A587-498E2D1CAC7B}" = protocol=6 | dir=out | app=system |
"{4E16112F-C943-412F-8669-7EC45D8ECE95}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{4F7A6E5E-FE90-4CB1-9E5B-35B445888C60}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{5C68BDFD-DDE3-44DC-B42A-084D87544711}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{5FEC65D5-8CAF-4698-B2A7-0137D54F4EF0}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{6B628FA6-F18E-4E2B-8D51-7659095EC8EA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{7A64844B-8089-4C98-8B7E-7CECE77AFA45}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{80F39FA2-BB63-4B6E-B5CF-98DF0C1C557E}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{821416E8-BB01-4B56-A3F4-B9DBFAE1DE79}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{870F10FC-E4C9-4BE9-B5D4-D03B09995D3A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{957667F3-6A1B-417D-948A-A9558582B8C9}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{A0E1F4CB-A510-45F7-9A59-4EAE1951820F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{A2F15E8D-5196-465C-82F4-E67A0F41F926}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{B13B4E1F-AF96-47AE-A126-EABBCE6D304A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B55C690C-E59E-4333-94CA-89A9EC9E29F2}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BB6B05BF-834F-483F-A82E-65A52F84AE87}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C8C6ABDB-2410-4898-85B9-2E667F0C5A3D}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{CB8C86BC-DC6E-4B33-A761-E9305C943A2C}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe |
"{D6C506DA-0E1D-49E1-A4A8-6E37DF4349B3}" = protocol=17 | dir=in | app=c:\users\user\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{D7C16531-0A7E-487F-BB39-2217575C0BD2}" = protocol=6 | dir=in | app=c:\users\user\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{D8A0FBA2-2755-4E67-8860-D4A3871F15B1}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe |
"{E3CE1886-824A-4E8D-A356-7FFB44C78B68}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F348226D-042C-4F08-9BE4-BDCE3A151250}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F636B83B-1654-4E7D-B4C1-AE3AD919CBEE}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"TCP Query User{93B1C9DF-7FB1-44D1-8B66-84826854E7C3}C:\program files\lolreplay\lolreplay.exe" = protocol=6 | dir=in | app=c:\program files\lolreplay\lolreplay.exe |
"UDP Query User{7B8014F8-AB97-4B52-AABF-03259152AA53}C:\program files\lolreplay\lolreplay.exe" = protocol=17 | dir=in | app=c:\program files\lolreplay\lolreplay.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 266.44
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 266.44
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 266.44
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.1.13.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F83779DF-E1F5-43A2-A7BE-732F856FADB7}" = Microsoft SQL Server Compact 3.5 SP1 x64 English
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 24
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83A5D4E9-7FE6-336D-9525-F1C879496014}" = Google Talk Plugin
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E343DD-BAAB-4D59-AD9C-DEA0AFE09DF1}" = Mumble 1.2.3
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype 5.9
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Audacity_is1" = Audacity 2.0
"Cessna Multimedia Version 6.0" = Cessna Multimedia Version 6.0
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Steam App 550" = Left 4 Dead 2
"uTorrent" = ΅Torrent
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smad" = SanctionedMedia
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smad" = SanctionedMedia
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ACFinder" = SancMedia
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-2413128680-2735381842-1444654988-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 7/26/2012 11:07:53 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: ff0 Start
Time: 01cd6ba4facb50ad Termination Time: 1 Application Path: C:\Users\User\Desktop\Downloads\LOLPBE(1)\LOLPBE\RADS\system\rads_user_kernel.exe
Report
Id: 3dd5bf05-d798-11e1-9edb-50e54955cb63
Error - 7/26/2012 11:08:11 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: afc Start
Time: 01cd6ba5081f6023 Termination Time: 0 Application Path: C:\Users\User\Desktop\Downloads\LOLPBE(1)\LOLPBE\RADS\system\rads_user_kernel.exe
Report
Id: 4af2df2d-d798-11e1-9edb-50e54955cb63
Error - 7/26/2012 11:10:07 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 694 Start
Time: 01cd6ba54ee6d9c3 Termination Time: 1 Application Path: C:\Users\User\Desktop\Downloads\LOLPBE(1)\LOLPBE\RADS\system\rads_user_kernel.exe
Report
Id: 90922826-d798-11e1-9edb-50e54955cb63
Error - 7/26/2012 11:18:17 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: ffc Start
Time: 01cd6ba661cdaa17 Termination Time: 1 Application Path: C:\Users\User\Desktop\Downloads\LOLPBE\RADS\system\rads_user_kernel.exe
Report
Id: b4317558-d799-11e1-9edb-50e54955cb63
Error - 7/26/2012 11:18:49 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program rads_user_kernel.exe version 0.0.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: f90 Start
Time: 01cd6ba67c30337e Termination Time: 1 Application Path: C:\Users\User\Desktop\Downloads\LOLPBE\RADS\system\rads_user_kernel.exe
Report
Id: c77d29dc-d799-11e1-9edb-50e54955cb63
Error - 7/27/2012 4:39:44 AM | Computer Name = X | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.
Error - 7/31/2012 12:54:01 AM | Computer Name = X | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.
Error - 7/31/2012 2:22:32 AM | Computer Name = X | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.
Error - 8/1/2012 6:12:08 PM | Computer Name = X | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 10.0.2.4428 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 954 Start
Time: 01cd70241153772a Termination Time: 47 Application Path: C:\Program Files (x86)\Mozilla
Firefox\firefox.exe Report Id: ed893f7b-dc25-11e1-8b32-50e54955cb63
Error - 8/1/2012 10:50:26 PM | Computer Name = X | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.
[ System Events ]
Error - 6/21/2012 12:39:59 PM | Computer Name = X | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.
Error - 6/21/2012 12:40:00 PM | Computer Name = X | Source = PNRPSvc | ID = 102
Description =
Error - 6/21/2012 12:40:01 PM | Computer Name = X | Source = PNRPSvc | ID = 102
Description =
Error - 6/21/2012 12:40:00 PM | Computer Name = X | Source = Service Control Manager | ID = 7023
Description = The Peer Name Resolution Protocol service terminated with the following
error: %%5
Error - 6/21/2012 12:40:00 PM | Computer Name = X | Source = Service Control Manager | ID = 7001
Description = The Peer Networking Grouping service depends on the Peer Name Resolution
Protocol service which failed to start because of the following error: %%5
Error - 6/21/2012 12:40:00 PM | Computer Name = X | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.
Error - 6/21/2012 12:40:01 PM | Computer Name = X | Source = Service Control Manager | ID = 7023
Description = The Peer Name Resolution Protocol service terminated with the following
error: %%5
Error - 6/21/2012 12:40:01 PM | Computer Name = X | Source = Service Control Manager | ID = 7001
Description = The Peer Networking Grouping service depends on the Peer Name Resolution
Protocol service which failed to start because of the following error: %%5
Error - 6/21/2012 12:40:26 PM | Computer Name = X | Source = WMPNetworkSvc | ID = 866314
Description =
Error - 6/21/2012 12:40:27 PM | Computer Name = X | Source = WMPNetworkSvc | ID = 866314
Description =
< End of report >
You have some serious issues going on virus wise :red:
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button NOT FIX MBR
Save the log as before and post in your next reply
Dragonzord
2012-08-03, 11:00
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-03 02:47:58
-----------------------------
02:47:58.403 OS Version: Windows x64 6.1.7601 Service Pack 1
02:47:58.403 Number of processors: 8 586 0x2A07
02:47:58.403 ComputerName: X UserName:
02:47:58.668 Initialize success
02:48:02.771 AVAST engine defs: 12080201
02:48:12.459 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:48:12.459 Disk 0 Vendor: SAMSUNG_HD080HJ/P ZH100-34 Size: 76293MB BusType: 3
02:48:12.459 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-5
02:48:12.459 Disk 1 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
02:48:12.475 Disk 0 MBR read successfully
02:48:12.475 Disk 0 MBR scan
02:48:12.475 Disk 0 Windows 7 default MBR code
02:48:12.475 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 31 MB offset 63
02:48:12.490 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73076 MB offset 64260
02:48:12.521 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3176 MB offset 149725800
02:48:12.568 Disk 0 scanning C:\Windows\system32\drivers
02:48:22.490 Service scanning
02:48:44.163 Modules scanning
02:48:44.163 Disk 0 trace - called modules:
02:48:44.178 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys
02:48:44.178 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a43790]
02:48:44.194 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa800784b520]
02:48:44.194 5 ACPI.sys[fffff88000ee57a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007830060]
02:48:44.459 AVAST engine scan C:\Windows
02:48:47.345 AVAST engine scan C:\Windows\system32
02:51:21.879 AVAST engine scan C:\Windows\system32\drivers
02:51:33.563 AVAST engine scan C:\Users\User
02:55:15.988 AVAST engine scan C:\ProgramData
02:57:10.164 Scan finished successfully
02:58:41.503 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
02:58:41.519 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR2.txt"
Good, looks like your infected with ZeroAccess Rootkit, there is more to remove
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55576
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63475
FF - prefs.js..network.proxy.http_port: 63475
F3:64bit: - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
F3 - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
[2037/11/30 02:43:57 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000000.@
[2037/04/09 23:28:15 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000c0.@
[2037/04/09 23:28:09 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cb.@
[2037/04/09 23:27:51 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cf.@
[2037/04/09 23:27:36 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000c0.@
[2037/04/09 23:27:26 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cb.@
[2037/04/09 23:27:17 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cf.@
[2012/07/30 10:51:28 | 000,092,672 | ---- | C] () -- C:\Windows\assembly\temp\U\80000032.@
[2012/07/30 10:51:28 | 000,080,896 | ---- | C] () -- C:\Windows\assembly\temp\U\80000064.@
[2012/06/26 13:36:17 | 000,000,218 | ---- | C] () -- C:\Windows\assembly\temp\L\00000004.@
[2012/06/25 02:36:09 | 000,001,536 | ---- | C] () -- C:\Windows\assembly\temp\U\00000001.@
[2012/06/13 17:12:52 | 000,224,768 | ---- | C] () -- C:\Windows\assembly\temp\U\00000002.@
[2012/03/30 09:18:01 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000004.@
[2011/11/02 12:48:14 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\00000004.@
[2012/06/16 01:59:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\uTorrent
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Dragonzord
2012-08-04, 00:09
Alright ken545, thanks for your help so far, I think identifying the issue(s) is half the battle. :)
I ran this code as directed but it gets hung up at [resethosts] with an error message window that says something along the lines of "Error: Cannot create file C:\Windows\System32\drivers\etc\Hosts" and "Resetting HOSTS file. DO NOT INTERRUPT..." at the bottom.
This may be in line with the issues I'd had trying to edit the hosts file running as admin, in safe mode, logged in as Administrator, trying to change permissions, etc. Something is denying me access/powers to edit or delete that file.
Lets omit the hosts file entry and run the script and we can deal with that in a bit
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56162
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:55576
IE - HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63475
FF - prefs.js..network.proxy.http_port: 63475
F3:64bit: - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
F3 - HKU\S-1-5-19 WinNT: Load - (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe) - File not found
[2037/11/30 02:43:57 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000000.@
[2037/04/09 23:28:15 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000c0.@
[2037/04/09 23:28:09 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cb.@
[2037/04/09 23:27:51 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\000000cf.@
[2037/04/09 23:27:36 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000c0.@
[2037/04/09 23:27:26 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cb.@
[2037/04/09 23:27:17 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\800000cf.@
[2012/07/30 10:51:28 | 000,092,672 | ---- | C] () -- C:\Windows\assembly\temp\U\80000032.@
[2012/07/30 10:51:28 | 000,080,896 | ---- | C] () -- C:\Windows\assembly\temp\U\80000064.@
[2012/06/26 13:36:17 | 000,000,218 | ---- | C] () -- C:\Windows\assembly\temp\L\00000004.@
[2012/06/25 02:36:09 | 000,001,536 | ---- | C] () -- C:\Windows\assembly\temp\U\00000001.@
[2012/06/13 17:12:52 | 000,224,768 | ---- | C] () -- C:\Windows\assembly\temp\U\00000002.@
[2012/03/30 09:18:01 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\80000004.@
[2011/11/02 12:48:14 | 000,001,024 | ---- | C] () -- C:\Windows\assembly\temp\U\00000004.@
[2012/06/16 01:59:01 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\uTorrent
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Dragonzord
2012-08-04, 00:39
All processes killed
========== PROCESSES ==========
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-2413128680-2735381842-1444654988-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: 63475 removed from network.proxy.http_port
64bit-Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\2006C\lvvm.exe deleted successfully.
File C:\Windows\assembly\temp\U\80000000.@ not found.
File C:\Windows\assembly\temp\U\000000c0.@ not found.
File C:\Windows\assembly\temp\U\000000cb.@ not found.
File C:\Windows\assembly\temp\U\000000cf.@ not found.
File C:\Windows\assembly\temp\U\800000c0.@ not found.
File C:\Windows\assembly\temp\U\800000cb.@ not found.
File C:\Windows\assembly\temp\U\800000cf.@ not found.
File C:\Windows\assembly\temp\U\80000032.@ not found.
File C:\Windows\assembly\temp\U\80000064.@ not found.
File C:\Windows\assembly\temp\L\00000004.@ not found.
File C:\Windows\assembly\temp\U\00000001.@ not found.
File C:\Windows\assembly\temp\U\00000002.@ not found.
File C:\Windows\assembly\temp\U\80000004.@ not found.
File C:\Windows\assembly\temp\U\00000004.@ not found.
Folder C:\Users\User\AppData\Roaming\uTorrent\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\User\Desktop\cmd.bat deleted successfully.
C:\Users\User\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: User
->Temp folder emptied: 63074333 bytes
->Temporary Internet Files folder emptied: 1020648 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 91899634 bytes
->Google Chrome cache emptied: 9670777 bytes
->Flash cache emptied: 1790 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 156320 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1533494971 bytes
Total Files Cleaned = 1,621.00 mb
OTL by OldTimer - Version 3.2.55.0 log created on 08032012_163423
Files\Folders moved on Reboot...
C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
PendingFileRenameOperations files...
File C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
Registry entries deleted on Reboot...
First try this
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking[/b]
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled
The reopen Spybot Search and Destroy and up at the top left go to Modes and make sure to check Advance Mode. Then to Tools > IE Tweeks and if the Lock the Hosts file is checked...uncheck it
Then run HostsXpert
Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Dragonzord
2012-08-04, 01:03
TeaTimer has already been disabled somehow, the box was/is not checked, the SDHelper one is, however. Should I proceed with the rest of the steps?
"4/16/2012 4:08:48 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!"
This is actually the last note in the log. I don't remember ever disabling TeaTimer in the past, nor removing it from the startup processes.
OK, go ahead and give HostXpert a shot
Dragonzord
2012-08-04, 01:36
Some trouble here...
The "Hosts file read-only" lock re-checks itself if I move to another part of the menu or close Spybot.
Leaving it on the same screen with it unchecked while I run HostXpert seems to have no effect either as it gives me a couple of warnings:
"Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, Cancel to Quit.
***HostXpert will NOT reset these attributes.***"
If I hit OK:
"Your HOSTS file is marked as a "Hidden file" and can NOT be manipulated. Press OK to remove the hidden file attribute, CANCEL to Quit.
***HostsXpert will NOT reset these attributes.***"
I hit OK again to move on.
"Make Writeable?" is in red with a locked padlock.
Clicking it doesn't appear to do anything.
So then clicking "Restore MS Hosts File" understandably gives the window:
"ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts"
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
:Services
:Reg
:Files
C:\Windows\SysNative\drivers\etc\hosts
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Dragonzord
2012-08-04, 03:17
It gets hung up at [resethosts] with an error window:
"ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts"
In OTL it says ""Resetting HOSTS file. DO NOT INTERRUPT..." at the bottom.
Lets try this
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
Hosts: 188.119.151.113 www.google-analytics.com.
Hosts: 188.119.151.113 ad-emea.doubleclick.net.
Hosts: 188.119.151.113 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
:Services
:Reg
:Files
C:\windows\system32\drivers\etc\hosts
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Dragonzord
2012-08-04, 03:47
Same error.
After I closed OTL and ran it again, it did give me a log though.
I don't think it helps, but here it is anyways:
Files\Folders moved on Reboot...
File move failed. C:\windows\system32\drivers\etc\hosts scheduled to be moved on reboot.
PendingFileRenameOperations files...
[2012/01/20 14:50:14 | 000,001,401 | RHS- | M] () C:\windows\system32\drivers\etc\hosts : MD5=AD6BCD6E15D11F9C8199DF8E53876AEB
Registry entries deleted on Reboot...
Reboot and then try running HostsXpert
Dragonzord
2012-08-04, 03:53
Same warnings and error as before.
Open Notepad as admin (right click on notepad icon or shortcut and click Run as admin) and type the following information in it:
127.0.0.1 localhost
::1 localhost
The "1" in the "127.0.0.1" must be at the first column of the line and there must be at least one space between "127.0.0.1" and "localhost". In the second line, there must be at least one space between "::1" and "localhost".
Save the file with the name "hosts" in C:\windows\system32\drivers\etc folder.
If it says that file exists do you want to override it say yes
Dragonzord
2012-08-04, 04:02
This is something I've tried to do and work-around in the past, to no avail.
Saving it as "hosts." and not "hosts.txt", right?
I get the error:
hosts
This file is set to read-only.
Try again with a different file name.
Dragonzord
2012-08-04, 04:17
Oh, my bad.
Well then I have it as a text file now. :)
Hows it going ? Where you able to create a new Host file ?
Dragonzord
2012-08-05, 02:28
No, this is something I've tried to do and work-around in the past, to no avail.
Tried to delete/replace/restore it by signing in as Admin, using Safe-Mode, etc.
I now have both a (corrupted) 'hosts' system file and the 'hosts' text document you asked me to make in the 'etc' folder.
Lets see if this will remove it
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".
:Processes
explorer.exe
:Services
:Reg
:Files
c:\windows\system32\drivers\etc\hosts
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Now run HostsXpert
Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES
Dragonzord
2012-08-05, 03:35
It gave me the log on reboot.
It's impenetrable! HostsXpert still couldn't get anything done.
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. c:\windows\system32\drivers\etc\hosts scheduled to be moved on reboot.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: User
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1157798 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 162775851 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1080 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 22709148 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 5257 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 34 bytes
Total Files Cleaned = 178.00 mb
OTM by OldTimer - Version 3.1.21.0 log created on 08042012_192947
Files moved on Reboot...
File move failed. c:\windows\system32\drivers\etc\hosts scheduled to be moved on reboot.
C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot...
Drag HostsXpert to the trash, this may be an updated version. Never had this problem before so have not used this program much
Please download
HostsXpert (http://www.funkytoad.com/index.php?option=com_content&task=view&id=13 )
Unzip HostsXpert to it's own folder in a convenient place such as C:\HostsXpert
Run: HostsXpert.exe
Click: Restore MS Hosts File
Click: Replace
Click: OK
Click: Make ReadOnly
Close HostsXpert.
Note: If a custom Hosts file was in place, you will have to run those programs again to reset detections.
If needed Tutorial
(http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg)
Dragonzord
2012-08-05, 06:02
Same issues as before:
"Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, Cancel to Quit.
***HostXpert will NOT reset these attributes.***"
If I hit OK:
"Your HOSTS file is marked as a "Hidden file" and can NOT be manipulated. Press OK to remove the hidden file attribute, CANCEL to Quit.
***HostsXpert will NOT reset these attributes.***"
I hit OK again to move on.
Clicking "Restore MS Hosts File" gives the window:
"ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts"
Good Morning,
This generally is a pretty straight forward fix, as you stated in your original post that you fooled around with the hosts file so I am not sure exactly what you have done to it to not let it be replaced . Just hang in for a bit I am going to ask a windows guy to take a peak.
Do this in the order listed
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\*\shell\runas]
[-HKEY_CLASSES_ROOT\Directory\shell\runas]
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
Open Notepad and copy and past this in
Unlock: C:\windows\system32\drivers\etc\hosts
C:\windows\system32\drivers\etc\hosts
Save it to your desktop as Fixlist.txt
For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your desktop. Make sure its right next to Fixlist.text
Click on the Fix Button and post the results of the log it produces
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
:files
C:\windows\System32\Drivers\etc\hosts
:Commands
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Hi,
I have had all kinds of help with a fix for you and I had to edit it a few times, its now correct so follow the instructions in my last post order please and let me know how it went
Dragonzord
2012-08-05, 22:12
Disco!
I took a peek at the hosts file and it's lookin' pretty.
I just wanted to state that I was fooling around (before I stumbled upon this forum) because I couldn't get anything done with the permissions before. As far as I could tell, the denial of access was not of my doing, and other people have had the same issues.
So this may not be the last you see of this strange problem. :O
So is this the last remnant of the infection(s)?
Both the Fixlog and OTL log are below:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
Ran by User at 2012-08-05 13:56:33 Run:1
Running from C:\Users\User\Desktop
ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
==============================================
permissions for C:\windows\system32\drivers\etc\hosts restored successfully
C:\windows\system32\drivers\etc\hosts moved successfully.
==== End of Fixlog ====
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== FILES ==========
File\Folder C:\windows\System32\Drivers\etc\hosts not found.
========== COMMANDS ==========
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: User
->Temp folder emptied: 25719952 bytes
->Temporary Internet Files folder emptied: 5927213 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 66345340 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 748 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 375671 bytes
Total Files Cleaned = 94.00 mb
OTL by OldTimer - Version 3.2.55.0 log created on 08052012_135729
Files\Folders moved on Reboot...
C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
PendingFileRenameOperations files...
File C:\Users\User\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
Registry entries deleted on Reboot...
Great, things are looking better, how is everything running now ?
Dragonzord
2012-08-05, 22:45
Seas appear to be smooth for miles, Captain.
You're an absolute hero wizard, ken545! Give my thanks your pal(s) too.
So what actions should I take, and what applications should I be running on my computer, to prevent this sort of occurrence in the future?
I imagine there are two categories here: what's best, and what's good & free. :)
- and what's the best way to show my appreciation? Donate to SS&D?
You know what, with the seriousness of your infection lets make sure its all gone, this scan wont take long
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Dragonzord
2012-08-06, 01:54
ComboFix 12-08-05.02 - User 08/05/2012 17:37:27.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8109.6937 [GMT -5:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\B63F\3469.tmp
c:\program files (x86)\LP\B63F\49EB.tmp
c:\program files (x86)\LP\B63F\4AC6.tmp
c:\program files (x86)\LP\B63F\9DF3.tmp
c:\program files (x86)\LP\B63F\AF13.tmp
c:\program files (x86)\LP\B63F\C541.tmp
c:\program files (x86)\LP\B63F\CB88.tmp
c:\program files (x86)\LP\B63F\D30A.tmp
c:\program files (x86)\LP\B63F\D815.tmp
c:\program files (x86)\LP\B63F\E233.tmp
c:\program files (x86)\LP\B63F\E52F.tmp
c:\program files (x86)\LP\B63F\E5CE.tmp
c:\program files (x86)\LP\B63F\EE34.tmp
c:\programdata\17672385l5n4
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))
.
.
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-05 22:40 . 2012-08-05 22:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-05 18:56 . 2012-08-05 18:56 -------- d-----w- C:\FRST
2012-08-05 02:50 . 2012-08-05 02:51 -------- d-----w- C:\HostsXpert
2012-08-05 00:29 . 2012-08-05 00:29 -------- d-----w- C:\_OTM
2012-07-31 02:06 . 2012-07-31 02:06 -------- d-----w- c:\program files (x86)\ERUNT
2012-07-31 01:36 . 2012-07-31 01:36 -------- d-----w- C:\_OTL
2012-07-26 05:48 . 2012-07-26 05:48 -------- d-----w- c:\program files (x86)\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2012-02-18 05:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 06:04 . 2012-06-30 06:04 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-30 06:04 . 2012-06-30 06:04 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:19 . 2012-06-22 15:50 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 15:50 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 15:50 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 15:50 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 15:50 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 15:50 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 15:50 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 15:50 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 15:50 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-24 16:57 . 2012-02-28 01:28 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-12-27 378472]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-11-11 155752]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-01 535656]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-26 02:56]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2413128680-2735381842-1444654988-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-26 02:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0
TCP: Interfaces\{E9BBE345-E75A-482D-B4C0-7AD3A469C10B}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3ch0u0t8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-84050329.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-05 17:48:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-05 22:48
.
Pre-Run: 13,216,514,048 bytes free
Post-Run: 16,180,445,184 bytes free
.
- - End Of File - - FD9B566B896302EA696B8EF83202424E
Wonderfull, all ok ?
Sometimes even though things appear to be running ok this infection that you had can sometime fool with windows services, lets check and make sure there ok
Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Dragonzord
2012-08-06, 02:01
Yes. :)
Dragonzord
2012-08-06, 02:15
Farbar Service Scanner Version: 04-08-2012 01
Ran by User (administrator) on 05-08-2012 at 18:14:54
Running from "C:\Users\User\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
:beerbeerb:
Ready to get rid of me ?
All donations big or small just go to research and to help keeping us online, this forum is free and donations are totally optional, thanks for asking
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.