Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Another Victim of the google redirect virus.

Post by MACKtheMOST » January 3rd, 2010, 6:55 pm

At first I had both the redirect virus and the "Security 2010" virus. I think I removed the "Security 2010" virus since it hasn't popped up since I manually deleted the files/registry entries relating to that virus. I tried to do the same with the Google redirect virus but haven't had any luck. I believe I got the virus from clicking on fake websites when I was searching for things via Google. I know that trying to delete files and registry entries yourself isn't recommended, but I didn't know about that until after I found forums like these. Any help would be much appreciated.

The main problems that I know of..

- Firefox and Malwarebytes Anti-Malware won't open. Firefox gives me a message about it crashing and MBAM just won't open. [Running an AVG scan in safe mode temporarily solves the Firefox problem for a couple of days. I tried to rename MBAM and run it in compatibility mode but wasn't sure if I didn't do it right or it just didn't work]

-Clicking on any google search link redirects me to another site along with a pop up problem. [I click the "cached" option to get to the page]

-I noticed there are suspicious scheduled tasks that I'm guessing keep reinstalling the malware

-Sometimes when I try to delete a file [via Killbox] it tells me that the file that the other programs detected doesn't exist.

My HijackThis Log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:28:44 PM, on 1/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [yifojoluz] Rundll32.exe "c:\windows\system32\buvoyaki.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Defender.lnk = C:\plugins\Server.jar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: yuyaruzot - {c5aca147-9777-4d9e-8e84-98cee0d204c0} - (no file)
O21 - SSODL: yuviyokum - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kupuhivus - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6610 bytes

My Uninstall List

7-Zip 4.65
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Ahead DVD Ripper 3.4.2
AIM 6
Allok Video Joiner 4.4.0103
Apple Mobile Device Support
Apple Software Update
a-squared Free 4.5
AVG Free 8.5
AviSynth 2.5
Bonjour
Cablenut 4.08
Cheat Engine 5.5
cladDVD.NET v3.5.7
DiskAid 3.11
DivX Plus Web Player
DVD Decrypter (Remove Only)
ExplorerXP (remove only)
ffdshow
Free YouTube Download 2.3
Free YouTube to Mp3 Converter version 3.2
High Definition Audio Driver Package - KB888111
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Product Detection
HP PSC & OfficeJet 4.7
HP Software Update
iPhoneBrowser
iTunes
Java(TM) 6 Update 14
JDownloader
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Mosaic Creator 3.1
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nero OEM
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Seagate Manager Installer
Seagate Manager Installer
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VC80CRTRedist - 8.0.50727.4053
VIA Chrome9 HC IGP Family Display 6.14.10.0156
Videora iPod Converter 5.03
Viewpoint Media Player
WBFS Manager 3.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Player Firefox Plugin
WinZip 12.1
Xvid 1.2.2 final uninstall
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm
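The HijackThis log above is what the helpers in this thread read first, and the suspicious entries share a few shapes: O21/O22 components whose DLL is "(file missing)" or "(no file)", O4 Run entries with generated-looking names (yifojoluz, buvoyaki, kupuhivus), the MSConfig /auto entry, and a Startup-folder shortcut named "Windows Defender" that actually launches a .jar. The script below is an added example, not part of this thread and not HijackThis code: it parses lines in the HijackThis format and flags those four patterns. The function names (`triage`, `looks_random`, `entry_name`) and the flagging rules are this example's own assumptions; the sample lines are a subset copied from the log posted above.

```python
"""Triage of HijackThis-style log lines.

Added example (not part of this thread and not HijackThis code): parse the
O4/O20/O21/O22 entries and flag the patterns a helper looks for first. The
flagging rules are this example's own heuristics; the sample lines are taken
from the log posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Subset of the HijackThis log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [yifojoluz] Rundll32.exe "c:\windows\system32\buvoyaki.dll",a
O4 - Global Startup: Windows Defender.lnk = C:\plugins\Server.jar
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: yuyaruzot - {c5aca147-9777-4d9e-8e84-98cee0d204c0} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kupuhivus - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll (file missing)
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str        # HijackThis section tag, e.g. "O4"
    name: str           # entry name as HijackThis shows it
    reasons: List[str]  # why the entry was flagged


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption): seven or more lowercase letters
    that strictly alternate consonant/vowel, the shape of the generated names
    in this log (yifojoluz, buvoyaki, kupuhivus). Legitimate names such as
    'msconfig' or 'avgrsstarter' contain consonant runs and fail the test."""
    if not re.fullmatch(r"[a-z]{7,}", name):
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(name, name[1:]))


def entry_name(body: str) -> str:
    """O4 Run entries carry the name in [brackets]; O20/O21/O22 entries put it
    between the type label and the first ' - '; Global Startup shortcuts use
    'name.lnk = target'. Falls back to the whole body if nothing matches."""
    m = re.search(r"\[([^\]]+)\]", body)
    if m:
        return m.group(1)
    m = re.match(r"[^:]+: (.+?) - ", body)
    if m:
        return m.group(1)
    m = re.match(r"[^:]+: (.+?) = ", body)
    if m:
        return m.group(1)
    return body


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        name = entry_name(body)
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registered component points at a file that no longer exists")
        if looks_random(name.lower()):
            reasons.append("entry name has the machine-generated shape seen in this log")
        if section == "O4" and body.endswith("MSConfig.exe /auto"):
            reasons.append("MSConfig runs in /auto mode: some startup items were disabled in msconfig")
        if "Global Startup:" in body and body.lower().endswith(".jar"):
            reasons.append("Startup-folder shortcut launches a Java archive, not the program it is named after")
        if reasons:
            findings.append(Finding(section, name, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}]")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it flags six of the eight lines and leaves the AVG tray entry and the Browseui preloader alone. The "missing file" rule is the one worth keeping regardless of the name heuristic: a component registered for load at logon whose file has already been deleted (as MACKtheMOST did by hand) is exactly the leftover that keeps a cleanup incomplete and that Killbox cannot act on because the file is gone while the registration remains.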

Re: Another Victim of the google redirect virus.

Post by xixo_12 » January 6th, 2010, 10:48 am

Hello and Welcome to Malware Removal Forums.
  • My name is xixo_12 and I will guide you to encounter the problem that you have now.
  • We will work together and I need your attention to read all these instructions carefully.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instructions into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Please post your replies to this thread only and keep interacting with me until your computer is clean.

Everything I post to you will be reviewed by an MRU Teacher. This process will impact my response time to you. Be patient. ;)
Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

Please make sure you have done your reading on this topic: How to get help at this forum

I will get back to you soon ;)
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Post by MACKtheMOST » January 6th, 2010, 1:07 pm

Thank you very much
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Post by xixo_12 » January 6th, 2010, 6:03 pm

Hi,

***Important :
  • You're advised to reply one log per post.
    Please have a look at the Checklist area to know which logs I'm looking for.
  • While I am helping you with your computer, please don't Install, Uninstall, remove or change anything unless I ask.


First,
Msconfig in auto mode.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Msconfig on your system is running in /auto mode, which means that you removed some items from starting up automatically. This is very dangerous if one of them is really malware.
Now :
  • Click on Start > run.
  • Type msconfig > Hit on enter.
  • Windows will popup > Click on startup tab.
  • Put check for each entry.
  • Click OK.
Note: Please do not restart if you are prompted to do so.

Next,
Multiple Anti-virus Programs
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two or more anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Installed antivirus on your system:
    a-squared Free 4.5
    AVG Free 8.5
  • Please remove the others and leave only one antivirus running now.

Next,
Reboot.

Next,
MGADiag.
Please download from HERE and save to the desktop.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file MGADiag.txt and post it in your next reply.

Next,
RSIT by random/random.
Please download from HERE and save to the desktop.
  • Double-click on RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find the logs manually at C:\rsit

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Next,
Checklist.
Please post.
  • Content of MGADiag.txt
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Post by MACKtheMOST » January 7th, 2010, 7:01 pm

I've done all these steps but the last one. Any internet browser I use won't open or crashes. So then my girlfriend ran a scan with AVG. Is that going to be a problem? Would you want a new hijackthis log?
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Post by xixo_12 » January 8th, 2010, 8:35 am

Hi,

First,
Discussion.
I've done all these steps but the last one.

Please explain in detail. I can't interpret what you mean by "the last one".

Any internet browser I use won't open or crashes. So then my girlfriend ran a scan with AVG. Is that going to be a problem?

The previous instructions don't require you to do any browsing. Just click to download the tools.
Who is the owner of this laptop? You?

I need to bring this sentence to your attention again.
  • Refrain from running self fixes as this will hinder the malware removal process.


Would you want a new hijackthis log?

Currently no need.

Please provide any logs listed below (if you are able to run the tools).
If not, let me know about it.
Checklist.
Please post.
  • Content of MGADiag.txt
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt


Next,
Checklist.
Please post.
  • Explanation from you.
  • Any content of the logs as listed above.
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Post by MACKtheMOST » January 9th, 2010, 12:04 am

I was trying to tell you that my browser keeps crashing so it will be hard for me to post all the info but here.

MGAD

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-9P8FJ-XJC7H-QHHKB
Windows Product Key Hash: mnDK2er9mNAxHy7FeUuh8RVwq7Y=
Windows Product ID: 76477-OEM-2141231-27156
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {F3B05177-D5D3-491E-92E1-42639E26905D}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-232-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F3B05177-D5D3-491E-92E1-42639E26905D}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QHHKB</PKey><PID>76477-OEM-2141231-27156</PID><PIDType>3</PIDType><SID>S-1-5-21-2025429265-220523388-725345543</SID><SYSTEM><Manufacturer>BIOSTAR Group</Manufacturer><Model>P4M90-M4</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="4"/><Date>20071221000000.000000+000</Date><SLPBIOS>Compaq,Hewlett,Hewlett,Compaq</SLPBIOS></BIOS><HWID>020337C701842063</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57348</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: Compaq,Hewlett,Hewlett,Compaq

OEM Activation 2.0 Data-->
N/A
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Post by MACKtheMOST » January 9th, 2010, 12:07 am

Logfile of random's system information tool 1.06 (written by random/random)
Run by USER at 2010-01-06 23:37:01
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 34 GB (60%) free of 57 GB
Total RAM: 958 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:42 PM, on 1/6/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\S3trayp.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\USER\Desktop\avprep\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\USER.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [yifojoluz] Rundll32.exe "c:\windows\system32\pawajinu.dll",a
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [Kwatehisuketomiv] rundll32.exe "C:\WINDOWS\orixozoquq.dll",Startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iPhone PC Suite] C:\Program Files\NetDragon\91 Mobile\iPhone\iPhone PC Suite.exe /start
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Defender.lnk = C:\plugins\Server.jar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yuyaruzot - {c5aca147-9777-4d9e-8e84-98cee0d204c0} - (no file)
O21 - SSODL: yuviyokum - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll (file missing)
O21 - SSODL: wiwebugow - {870f52c7-777c-48e1-b805-19d5c542f039} - c:\windows\system32\wotuzapi.dll (file missing)
O21 - SSODL: hemodokor - {b5973627-f664-4bdf-9636-5410786c46fd} - c:\windows\system32\yuhodose.dll (file missing)
O21 - SSODL: timumuwok - {8b709785-59ae-4b96-863b-1949a8823acb} - c:\windows\system32\pawajinu.dll
O22 - SharedTaskScheduler: kupuhivus - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {870f52c7-777c-48e1-b805-19d5c542f039} - c:\windows\system32\wotuzapi.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {b5973627-f664-4bdf-9636-5410786c46fd} - c:\windows\system32\yuhodose.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {8b709785-59ae-4b96-863b-1949a8823acb} - c:\windows\system32\pawajinu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8159 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-12-11 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-04 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-09-04 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2008-05-16 94208]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-16 16855552]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-12-11 2043160]
"HP Software Update"=c:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-04 148888]
"S3Trayp"=C:\WINDOWS\system32\S3trayp.exe [2008-05-20 204800]
"yifojoluz"=c:\windows\system32\pawajinu.dll [65535-65535-31889 94208]
"winupdate86.exe"=C:\WINDOWS\system32\winupdate86.exe []
"MaxMenuMgr"=C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [2009-09-25 185640]
"Kwatehisuketomiv"=C:\WINDOWS\orixozoquq.dll,Startup []
"CarboniteSetupLite"=C:\Program Files\Carbonite\CarbonitePreinstaller.exe [2009-08-04 318096]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2005-08-09 1961984]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"iPhone PC Suite"=C:\Program Files\NetDragon\91 Mobile\iPhone\iPhone PC Suite.exe /start []
"HijackThis startup scan"=C:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2009-12-28 396288]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2009-07-09 49968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Windows Defender.lnk - C:\plugins\Server.jar

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kbdsock.dll,hikorajo.dll c:\windows\system32\pawajinu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-28 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
yuyaruzot - {c5aca147-9777-4d9e-8e84-98cee0d204c0}
yuviyokum - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll []
wiwebugow - {870f52c7-777c-48e1-b805-19d5c542f039} - c:\windows\system32\wotuzapi.dll []
hemodokor - {b5973627-f664-4bdf-9636-5410786c46fd} - c:\windows\system32\yuhodose.dll []
timumuwok - {8b709785-59ae-4b96-863b-1949a8823acb} - c:\windows\system32\pawajinu.dll [65535-65535-31889 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
kupuhivus - {f621787c-a3c7-4767-94b4-549082b98601} - c:\windows\system32\buvoyaki.dll []
gahurihor - {870f52c7-777c-48e1-b805-19d5c542f039} - c:\windows\system32\wotuzapi.dll []
mujuzedij - {b5973627-f664-4bdf-9636-5410786c46fd} - c:\windows\system32\yuhodose.dll []
gahurihor - {8b709785-59ae-4b96-863b-1949a8823acb} - c:\windows\system32\pawajinu.dll [65535-65535-31889 94208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
humoyofa.dll
falefula.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe"="C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\iPhoneBrowser\iPhoneBrowser.exe"="C:\Program Files\iPhoneBrowser\iPhoneBrowser.exe:*:Enabled:iPhoneBrowser"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4581e1e8-89be-11de-817e-00e04d8bcd38}]
shell\AutoRun\command - F:\.\Vado\Vado.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa33dfbf-8904-11de-82ff-00e04d8bcd38}]
shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa33dfdb-8904-11de-82ff-00e04d8bcd38}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
shell\Explore\command - autorun.exe
shell\Open\command - autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5ed345c-8946-11de-817d-00e04d8bcd38}]
shell\AutoRun\command - F:\RUNDLL32.EXE


======List of files/folders created in the last 1 months======

65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\wimatiku.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\wazuloro.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vuyivose.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vipafiyu.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vijogojo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vidinesa.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\tugaroni.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\soyabodu.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\samorasa.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\pawajinu.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\papamesu.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\midogiru.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\luruvube.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\kodesalo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\kiviyehi.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\kijafigo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\jojubasa.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\hikorajo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\fidetiga.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\falefula.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\dosakoha.dll
2010-01-06 23:37:01 ----D---- C:\rsit
2010-01-06 23:30:32 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-01-06 23:30:04 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2010-01-06 22:35:39 ----D---- C:\Program Files\HW Monitor
2010-01-06 22:21:25 ----D---- C:\Program Files\BIOS Update
2010-01-06 21:08:32 ----A---- C:\WINDOWS\2512406.exe
2010-01-06 11:27:55 ----SH---- C:\WINDOWS\system32\niwogepi.dll
2010-01-05 10:34:43 ----SH---- C:\WINDOWS\system32\habebesi.dll
2010-01-04 18:31:35 ----D---- C:\Documents and Settings\USER\Application Data\vlc
2010-01-04 18:29:47 ----D---- C:\Program Files\VideoLAN
2010-01-03 22:15:56 ----A---- C:\WINDOWS\system32\PR19.DLL
2010-01-03 13:18:10 ----D---- C:\Program Files\TrendMicro
2009-12-31 06:16:59 ----D---- C:\Program Files\ExplorerXP
2009-12-31 06:16:21 ----D---- C:\!KillBox
2009-12-31 06:13:32 ----D---- C:\Program Files\a-squared Free
2009-12-30 15:55:10 ----A---- C:\WINDOWS\system32\flags.ini
2009-12-30 14:06:27 ----A---- C:\cleanup.exe
2009-12-30 14:06:27 ----A---- C:\cleanup.bat
2009-12-29 15:41:23 ----D---- C:\WINDOWS\pss
2009-12-29 15:14:08 ----A---- C:\WINDOWS\system32\svchost.exe.exp.log
2009-12-28 21:39:17 ----D---- C:\Program Files\Trend Micro
2009-12-28 17:05:03 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-28 16:50:16 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-28 16:37:15 ----SHD---- C:\Documents and Settings\USER\Application Data\SystemProc
2009-12-26 12:22:42 ----RSHD---- C:\plugins
2009-12-26 11:46:11 ----D---- C:\Program Files\Common Files\NetDragon
2009-12-26 11:43:23 ----D---- C:\Program Files\NetDragon
2009-12-26 11:13:03 ----D---- C:\Program Files\DigiDNA
2009-12-22 20:01:29 ----D---- C:\Program Files\iPhoneBrowser
2009-12-22 19:49:24 ----D---- C:\Documents and Settings\USER\Application Data\DiskAid
2009-12-18 12:05:00 ----D---- C:\Program Files\JDownloader
2009-12-18 10:48:53 ----D---- C:\Program Files\Seagate
2009-12-18 10:48:53 ----D---- C:\Documents and Settings\All Users\Application Data\Seagate
2009-12-18 10:46:25 ----D---- C:\Program Files\Carbonite
2009-12-18 10:46:24 ----SHD---- C:\WINDOWS\ftpcache
2009-12-16 20:50:43 ----D---- C:\Program Files\AviSynth 2.5
2009-12-16 20:50:22 ----D---- C:\Program Files\Red Kawa
2009-12-15 14:33:01 ----D---- C:\WINDOWS\system32\NtmsData
2009-12-15 03:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-12-15 03:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB925720$
2009-12-15 02:07:52 ----D---- C:\Program Files\WBFS
2009-12-14 03:09:54 ----D---- C:\WINDOWS\system32\XPSViewer
2009-12-14 03:09:42 ----D---- C:\Program Files\MSBuild
2009-12-14 03:09:37 ----D---- C:\WINDOWS\system32\en-US
2009-12-14 03:09:19 ----D---- C:\Program Files\Reference Assemblies
2009-12-14 03:08:26 ----A---- C:\WINDOWS\system32\prntvpt.dll
2009-12-14 03:08:25 ----A---- C:\WINDOWS\system32\xpssvcs.dll
2009-12-14 03:08:25 ----A---- C:\WINDOWS\system32\xpsshhdr.dll
2009-12-14 03:08:24 ----D---- C:\fe4c64ab2e063b63773958deafcd0c
2009-12-14 03:02:09 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2009-12-14 03:02:01 ----D---- C:\Program Files\MSXML 6.0
2009-12-13 19:23:18 ----A---- C:\WINDOWS\system32\TubeFinder.exe
2009-12-13 19:23:15 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL
2009-12-13 19:23:15 ----A---- C:\WINDOWS\system32\VB6FR.DLL
2009-12-13 19:23:15 ----A---- C:\WINDOWS\system32\PCCLPFR.DLL
2009-12-13 19:23:14 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL
2009-12-13 19:23:13 ----D---- C:\Documents and Settings\USER\Application Data\FreeFLVConverter
2009-12-13 19:23:13 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL
2009-12-11 18:36:16 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-12-11 18:36:08 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-12-10 03:02:22 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-10 03:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-10 03:01:31 ----HDC---- C:\WINDOWS\$NtUninstallKB976325$
2009-12-10 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-10 03:00:58 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-10 03:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$

======List of files/folders modified in the last 1 months======

2010-01-06 23:36:46 ----D---- C:\WINDOWS\Prefetch
2010-01-06 23:30:34 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-06 23:02:30 ----D---- C:\Program Files\Mozilla Firefox
2010-01-06 22:36:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-06 22:35:39 ----RD---- C:\Program Files
2010-01-06 22:35:38 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-06 22:27:19 ----D---- C:\WINDOWS
2010-01-06 22:27:14 ----RSH---- C:\boot.ini
2010-01-06 22:21:58 ----D---- C:\WINDOWS\system32\drivers
2010-01-06 21:40:52 ----D---- C:\WINDOWS\Temp
2010-01-06 21:14:49 ----D---- C:\WINDOWS\system32
2010-01-06 21:14:21 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2010-01-06 21:12:36 ----A---- C:\WINDOWS\win.ini
2010-01-06 21:12:36 ----A---- C:\WINDOWS\system.ini
2010-01-06 15:04:48 ----D---- C:\Program Files\Common Files
2010-01-06 15:04:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-06 13:43:38 ----HD---- C:\$AVG8.VAULT$
2010-01-05 17:51:21 ----A---- C:\WINDOWS\NeroDigital.ini
2010-01-04 13:08:19 ----D---- C:\WINDOWS\system32\Restore
2010-01-03 13:18:12 ----SHD---- C:\WINDOWS\Installer
2010-01-03 13:18:12 ----HD---- C:\Config.Msi
2010-01-03 09:49:30 ----SD---- C:\WINDOWS\Tasks
2010-01-03 06:49:10 ----SHD---- C:\RECYCLER
2010-01-01 00:13:23 ----D---- C:\Program Files\Internet Explorer
2009-12-31 19:51:03 ----SHD---- C:\System Volume Information
2009-12-31 17:26:19 ----D---- C:\WINDOWS\security
2009-12-30 15:34:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-12-29 23:57:46 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2009-12-29 14:41:23 ----A---- C:\WINDOWS\ODBC.INI
2009-12-29 01:24:27 ----D---- C:\WINDOWS\PeerNet
2009-12-28 19:00:13 ----D---- C:\WINDOWS\Media
2009-12-28 17:05:38 ----D---- C:\Documents and Settings
2009-12-18 10:45:35 ----HD---- C:\WINDOWS\inf
2009-12-17 15:54:15 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-16 14:52:01 ----D---- C:\Program Files\Cheat Engine
2009-12-15 03:54:24 ----RSD---- C:\WINDOWS\assembly
2009-12-15 03:47:09 ----D---- C:\WINDOWS\Microsoft.NET
2009-12-15 03:14:02 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-15 03:12:45 ----D---- C:\WINDOWS\WinSxS
2009-12-15 03:05:05 ----A---- C:\WINDOWS\imsins.BAK
2009-12-15 03:04:51 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-15 03:02:28 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-14 03:09:33 ----RSD---- C:\WINDOWS\Fonts
2009-12-14 03:08:53 ----D---- C:\WINDOWS\system32\spool
2009-12-13 19:21:01 ----D---- C:\Program Files\Common Files\DVDVideoSoft
2009-12-12 19:07:00 ----D---- C:\Documents and Settings\USER\Application Data\Apple Computer
2009-12-11 18:36:40 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-12-10 17:21:12 ----D---- C:\WINDOWS\Minidump
2009-12-08 21:40:06 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-08-14 108552]
R1 BIOS;BIOS; \??\C:\WINDOWS\system32\drivers\BIOS.sys []
R1 BS_I2cIo;BS_I2cIo; \??\C:\WINDOWS\system32\drivers\BS_I2cIo.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 BS_Flash;BS_Flash; \??\C:\Program Files\BIOS Update\Award\BS_Flash.sys []
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-10-27 138240]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 S3GIGP;S3GIGP; C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2008-08-28 529920]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 EverestDriver;Lavalys EVEREST Kernel Driver; \??\F:\everestultimate500\kerneld.wnt []
S3 ndisdrv;ndisdrv; \??\C:\WINDOWS\system32\ndisdrv.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-04-16 22784]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-07-09 39424]
S3 winsts;winsts; \??\C:\WINDOWS\system32\winsts.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 FreeAgentGoNext Service;Seagate Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-09-04 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Post by MACKtheMOST » January 9th, 2010, 12:07 am

info.txt logfile of random's system information tool 1.06 2010-01-06 23:38:16

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Ahead DVD Ripper 3.4.2-->"C:\Program Files\Ahead DVD Ripper\unins000.exe"
AIM 6-->C:\Program Files\AIM6\uninst.exe
Allok Video Joiner 4.4.0103-->"C:\Program Files\Allok Video Joiner\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
BIOS Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E8626A59-FD0E-449C-A23A-C52FC0733629}\setup.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Cablenut 4.08-->C:\Program Files\Cablenut\uninst-cablenut.exe
Cheat Engine 5.5-->"C:\Program Files\Cheat Engine\unins000.exe"
cladDVD.NET v3.5.7-->MsiExec.exe /I{29391B62-5DC8-4EAC-8ED7-7DDD5CFEFCAD}
DiskAid 3.11-->"C:\Program Files\DigiDNA\DiskAid\unins000.exe"
DivX Plus Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
ExplorerXP (remove only)-->C:\Program Files\ExplorerXP\Uninst.exe
ffdshow-->"C:\Program Files\ffdshow\uninstall.exe"
Free YouTube Download 2.3-->"C:\Program Files\DVDVideoSoft\Free YouTube Download\unins000.exe"
Free YouTube to Mp3 Converter version 3.2-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
High Definition Audio Driver Package - KB888111-->C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HP Extended Capabilities 4.7-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Product Detection-->MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
HW Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEA20FED-A903-46A2-B197-789B4456B508}\setup.exe"
iPhoneBrowser-->MsiExec.exe /I{495B6040-801F-474C-ADB8-309F132CF5F9}
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
JDownloader-->C:\Program Files\JDownloader\uninstall.exe
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mosaic Creator 3.1-->"C:\Program Files\MosaicCreator\unins000.exe"
Mozilla Firefox (3.5.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6 Service Pack 2 (KB973686)-->MsiExec.exe /I{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Seagate Manager Installer-->"C:\Program Files\InstallShield Installation Information\{2A30052B-831C-41D3-8044-3C0388066350}\setup.exe" -runfromtemp -l0x0409 -removeonly
Seagate Manager Installer-->MsiExec.exe /X{2A30052B-831C-41D3-8044-3C0388066350}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB976325)-->"C:\WINDOWS\$NtUninstallKB976325$\spuninst\spuninst.exe"
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB976749)-->"C:\WINDOWS\$NtUninstallKB976749$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
VIA Chrome9 HC IGP Family Display 6.14.10.0156-->C:\PROGRA~1\S3\Chrome9HC\s3minset.exe /u Chrome9HC.uns
Videora iPod Converter 5.03-->C:\Program Files\Red Kawa\Video Converter App\uninstaller.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VLC media player 0.9.2-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinZip 12.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}
Xvid 1.2.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: USER-FCDFC8742B
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Record Number: 4583
Source Name: DCOM
Time Written: 20091228173803.000000-480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: USER-FCDFC8742B
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
AFD
AvgLdx86
AvgMfx86
AvgTdiX
BIOS
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Record Number: 4582
Source Name: Service Control Manager
Time Written: 20091228171344.000000-480
Event Type: error
User:

Computer Name: USER-FCDFC8742B
Event Code: 7001
Message: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.


Record Number: 4581
Source Name: Service Control Manager
Time Written: 20091228171344.000000-480
Event Type: error
User:

Computer Name: USER-FCDFC8742B
Event Code: 7001
Message: The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.


Record Number: 4580
Source Name: Service Control Manager
Time Written: 20091228171344.000000-480
Event Type: error
User:

Computer Name: USER-FCDFC8742B
Event Code: 7001
Message: The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.


Record Number: 4579
Source Name: Service Control Manager
Time Written: 20091228171344.000000-480
Event Type: error
User:

=====Application event log=====

Computer Name: USER-FCDFC8742B
Event Code: 1517
Message: Windows saved user USER-FCDFC8742B\USER registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 41
Source Name: Userenv
Time Written: 20090814030605.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: USER-FCDFC8742B
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 40
Source Name: WinMgmt
Time Written: 20090813201833.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: USER-FCDFC8742B
Event Code: 5603
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 39
Source Name: WinMgmt
Time Written: 20090813201833.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: USER-FCDFC8742B
Event Code: 1005
Message: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 30 days.


Record Number: 24
Source Name: Windows Product Activation
Time Written: 20090813185653.000000-420
Event Type: warning
User:

Computer Name: USER-FCDFC8742B
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20090813184221.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ulead Systems\MPEG
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Unread postby MACKtheMOST » January 9th, 2010, 12:12 am

GMER LOG

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-08 19:01:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\USER\LOCALS~1\Temp\pwqyyfob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF76A23A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 10006209 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 1000643A C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 100063EB C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 1000624F C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 10006461 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 10006289 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[812] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 1000635F C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 10006209 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 1000643A C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 100063EB C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 1000624F C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 10006461 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 10006289 C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)
.text C:\Documents and Settings\USER\Desktop\avprep\gmer\gmer.exe[1080] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 1000635F C:\WINDOWS\system32\kbdsock.dll (Windows Socket Layer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 866A4618

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms 0 bytes
File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms\flash 0 bytes
File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms\flash\rooms_ideas 0 bytes
File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms\flash\rooms_ideas\mpa2 0 bytes
File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms\flash\rooms_ideas\mpa2\MPA2.swf 0 bytes
File C:\Documents and Settings\USER\Application Data\Macromedia\Flash Player\#SharedObjects\3855QBK8\www.ikea.com\ms\flash\rooms_ideas\mpa2\MPA2.swf\IKEA_MPA2.sol 320 bytes
File C:\Documents and Settings\USER\config 0 bytes
File C:\Documents and Settings\USER\config\backgroundmusic 0 bytes
File C:\Documents and Settings\USER\config\GXGlobal.cfg 50 bytes
File C:\Documents and Settings\USER\config\language 0 bytes
File C:\Documents and Settings\USER\config\language\english.lang 17287 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config 0 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\backgroundmusic 0 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\gametitles.txt 288 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\GXGameFavorites.cfg 659 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\GXGameSettings.cfg 289 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\GXGlobal.cfg 1139 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\language 0 bytes
File C:\Documents and Settings\USER\My Documents\My Pictures\Mack\Wii Hack\Roms\Wii\config\language\english.lang 17287 bytes
File C:\Program Files\JDownloader\config 0 bytes
File C:\Program Files\JDownloader\config\database.properties 434 bytes
File C:\Program Files\JDownloader\config\database.script 211942 bytes
File C:\Program Files\JDownloader\config\version.cfg 4 bytes
File C:\Program Files\VideoLAN\VLC\locale\co 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo 689 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo 322045 bytes
File C:\WINDOWS\system32\kbdsock.dll 33280 bytes executable
File C:\WINDOWS\system32\mshlps.dll 40448 bytes executable
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Unread postby xixo_12 » January 9th, 2010, 6:08 pm

Hi,

Cracks / Keygens / Warez / Illegal software detected!!!
Going through your log, it indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal software or the illegitimate websites you visited to get it.

Right now, your computer has a Volume Licensing edition of Microsoft Office Professional Edition 2003 installed and that installation was done with a now-blocked Volume Licensing Key (VLK) (Line 2). VLKs are blocked by Microsoft at the request of the original keyholder for such reasons as the key was lost, stolen, compromised, misused, or expired. Also, MS may have blocked the key if it notices a pattern of misuse, i.e., more installations of software using that key than authorized.

As a rule, VLK editions of software should not be sold to individual consumers. Large corporations, large schools and governments normally use VL editions for flexibility in installing on many computers. Also, Volume Licenses for Windows software are Upgrade licenses ONLY and cannot be used as the original or base license for a new computer.

More bad news: Your Office Pro installation is showing as Non-Genuine (Office status=114 means non-Genuine).

This forum's policy says we will not help people who use cracked or pirated software.
Illegal Copies of Software

In order to get our advice:
  • I suggest you purchase a legal copy of the software.
  • Remove the cracked software from your computer.
NOTE: If you told me that the software has been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.

Please decide what you are going to do & let me know.
Ask any questions if you have any.
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Unread postby MACKtheMOST » January 9th, 2010, 6:31 pm

I understand and respect the rules so I will remove the illegal software I installed. The office pro problem stumps me because I bought my computer from a store with the program already installed. I'm guessing that when I took my computer in to get it fixed at a repair place locally that he installed and sold me illegal software. Am I wrong for assuming this? What can I do about the office pro problem?
MACKtheMOST
Active Member
 
Posts: 9
Joined: January 3rd, 2010, 6:26 pm

Re: Another Victim of the google redirect virus.

Unread postby xixo_12 » January 10th, 2010, 8:15 pm

Hi,

First,
Validation.
Please visit this website
  • Follow the instructions to Validate Windows.

Next,
Information.
  • In order to comply with the policy, you need to follow the next instruction to uninstall the pirated software.
  • If you wish to continue using MS Office software you will have to purchase a copy and install it.
  • Another option is to use the freeware version below as an alternative:

Next,
Remove programs.
Please Click on Start > Control Panel > Add/Remove Programs
Remove the listed program(s) by clicking Remove
Microsoft Office Professional Edition 2003


Next,
MGADiag.
Please run this tool again.
MGADiag.
Please download from HERE and save to the desktop.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file MGADiag.txt and post it in your next reply.


Next,
Checklist.
Please post.
  • Content of MGADiag.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Unread postby xixo_12 » January 13th, 2010, 6:25 pm

Hello :),

Reminder.
It's been 72 hours since my last reply.
Please let me know if you have any problem understanding my instructions or if you need extra time.
In order to maintain our policy,
you have the next 24 hours to reply to this topic, otherwise it will be closed as inactive.

Regards,
xixo_12
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Another Victim of the google redirect virus.

Unread postby jmw3 » January 14th, 2010, 9:52 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia