Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Suspected Google Redirect Virus - Logs

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 18th, 2011, 6:03 pm

Hello MR people.

I have suspected Google Redirect Virus.

When selecting urls on Google search page they "redirect" me to advertiser sites.

The Top link in the listing does the redirect; if I cut and paste the stated actual url (in green) at the bottom of the listing into my browser the redirect does not take place.

I would like to "remove the virus"

I have followed the instructions from the forum notes and placed the two logs below.

A stepped removal process would be appreciated.

My system details are:

win xp prof 32bit sp3
2.4 ghtz processor; 2.5G RAM
DSL
on a LAN
Trend Micro Titanium 2011 updated as security (it failed to recognise the virus)
(when getting an update advice from Trend for the new Titanium..they asked me to remove ALL malware progs...I thought that meant they had beefed up their detection abilities - not so.. :( I get a bit jack of them not detecting these things esp when the ones I had in placed worked like a charm...))

Many thanks.

Regards

N

#### The Logs ###
DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 7:45:57.09 on Tue 19/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1798 [GMT 10:00]
.
AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OL\TMAS_OL.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\TM-Titanium\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: {7e853d72-626a-48ec-a868-ba8d5e23e045} - No File
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IE Privacy Keeper] "c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe" -startup
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [OE] "c:\program files\trend micro\titanium\plugin\tmas\tmas_oe\TMAS_OEMon.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: google.com.au\www
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/ja/downloads/ge ... px?lang=en
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDow ... ab_nvd.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Custo ... anager.CAB
DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} - hxxp://esupport.trendmicro.com/_layouts ... PCInfo.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/I ... 082608.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Comp ... eQuery.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftup ... 3523190062
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwar ... TSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 3523170656
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDow ... rtScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex ... 0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/s ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwar ... /CTPID.cab
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://www.ppiwidget.com/campaigns/star ... taller.exe
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30299.www3.hp.com/ediags/hpnar/ ... b?1,0,0,94
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-3-22 188272]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-3-22 64080]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [2004-9-17 212608]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S1 9655a116;9655a116;c:\windows\system32\drivers\9655a116.sys --> c:\windows\system32\drivers\9655a116.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 135664]
S4 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\j river\media jukebox 14\JRService.exe [2010-9-12 379400]
S4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
.
=============== Created Last 30 ================
.
2011-04-18 21:36:44 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-17 04:12:48 -------- d-----w- c:\program files\iPod
2011-04-17 04:11:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-04-17 04:11:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-04-17 04:11:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-04-17 04:11:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-04-17 04:11:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-04-17 04:11:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-04-17 04:11:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-04-01 06:57:42 122880 --sha-r- c:\windows\system32\sqlsrv32C.dll
2011-03-21 21:30:40 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-03-21 21:30:39 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-03-21 21:30:39 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-03-21 21:30:39 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
==================== Find3M ====================
.
2011-03-27 22:23:16 11264 ----a-w- c:\windows\DCEBoot.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-18 06:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 10:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 08:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-21 02:17:42 72080 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe
.
============= FINISH: 7:46:48.35 ===============


Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 23/06/2007 3:37:11 PM
System Uptime: 19/04/2011 3:32:09 AM (4 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-8ST800
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Socket 478 | 2411/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 63.383 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 75 GiB total, 58.833 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C8100 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C8100
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C8100 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C8100 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP1: 2/04/2011 8:28:16 AM - System Checkpoint
RP2: 3/04/2011 10:19:39 AM - System Checkpoint
RP3: 4/04/2011 3:00:07 PM - System Checkpoint
RP4: 5/04/2011 3:34:18 PM - System Checkpoint
RP5: 6/04/2011 3:51:43 PM - System Checkpoint
RP6: 7/04/2011 5:36:53 PM - System Checkpoint
RP7: 8/04/2011 6:56:10 PM - System Checkpoint
RP8: 9/04/2011 7:43:49 PM - System Checkpoint
RP9: 11/04/2011 2:27:31 PM - System Checkpoint
RP10: 12/04/2011 3:59:13 PM - System Checkpoint
RP11: 13/04/2011 4:18:18 PM - System Checkpoint
RP12: 14/04/2011 4:42:10 PM - System Checkpoint
RP13: 14/04/2011 8:00:27 PM - Software Distribution Service 3.0
RP14: 15/04/2011 12:00:14 PM - TITANUIMRES[0x10001101]
RP15: 16/04/2011 12:35:22 PM - System Checkpoint
RP16: 17/04/2011 1:16:29 PM - Removed iTunes
RP17: 17/04/2011 2:12:28 PM - Installed iTunes
RP18: 18/04/2011 3:00:01 PM - System Checkpoint
RP19: 19/04/2011 7:36:41 AM - Installed HiJackThis
.
==== Installed Programs ======================
.
.
@BIOS
32 Bit HP CIO Components Installer
3ivx MPEG-4 5.0.3 (remove only)
AAC Decoder
ACT!
Add/Remove Pro (Freeware)
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.2.6
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AIO_Scan
Alt-Tab Task Switcher Powertoy for Windows XP
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.12 (Unicode)
AudibleManager
AutoUpdate
Bonjour
BufferChm
C8100
C8100_Help
Calculator Powertoy for Windows XP
Camtasia Studio 6
Cards_Calendar_OrderGift_DoMorePlugout
ClearType Tuning Control Panel Applet
Copy
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Converter
DivX Version Checker
DocProc
DocProcQFolder
eSupportQFolder
Fax
FFmpeg for Audacity on Windows
FlipShare
Genline FamilyFinder
Google Earth
Google Photos Screensaver
Google Update Helper
GoToMeeting 4.5.0.457
GPBaseService
H.264 Decoder
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for MSXML 2 (KB887606)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
HTML Link Validator
HTML Slideshow Powertoy for Windows XP
IE Privacy Keeper
ieSpell
Image Resizer Powertoy for Windows XP
ImgBurn
iTunes
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 24
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
LAME v3.98.2 for Audacity
LightScribe 1.4.142.1
LizardTech DjVu Control
LizardTech DjVu Control (autoinstall)
Magnifier Powertoy for Windows XP
MarketResearch
Media Jukebox 12
Media Jukebox 14
MergeMaster! Pro for ACT!
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MKV Splitter
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MYOB Accounting Plus v17
MYOB Accounting v17
MYOB ODBC Direct v7
MYOB Premier Accounting 2006 (v15)
Nero 7 Ultra Edition
NetComm NB1300 USB Network Adapter
NetDeviceManager
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
OGA Notifier 2.0.0048.0
OLYMPUS Digital Camera Updater
PanoStandAlone
PersonalBrain 5
Postcodes for ACT!TM
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
Purepage OEM
QuickTime
Realtek AC'97 Audio
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
RoxioShim
RssReader
Samsung PC Studio 3
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Send to SmugMug
Skype™ 5.0
Slideshow Generator Powertoy for Windows XP
SmartFTP Client
SmartSound Quicktracks Plugin
SmartWebPrintingOC
Software Update for Web Folders
SolutionCenter
Sony USB Driver
StartupMonitor
Status
SyncToy
System Requirements Lab
The KMPlayer (remove only)
Timershot Powertoy for Windows XP
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
Toolbox
Total Immersion D'Fusion Web Plugin
TranslatorBar_1 Toolbar
TranslatorBar_1.2 Toolbar
TrayApp
Trend Micro Titanium Maximum Security
Trend Micro™ Titanium™ Maximum Security
UltraWipe
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
VCRedistSetup
VideoToolkit01
Virtual Desktop Manager Powertoy for Windows XP
WebReg
Windows 7 Upgrade Advisor
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Hotfix - KB895181
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinFast(R) Display Driver
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XP Codec Pack
XP Royale Theme
XviD MPEG-4 Video Codec
ZENcast Organizer
.
==== Event Viewer Messages From Past Week ========
.
19/04/2011 3:32:46 AM, error: Dhcp [1002] - The IP address lease 192.168.0.7 for the Network Card with network address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
18/04/2011 10:19:59 AM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
17/04/2011 4:44:10 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.2 with the system having network hardware address A4:67:06:6E:81:B1. Network operations on this system may be disrupted as a result.
17/04/2011 4:43:45 PM, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
16/04/2011 9:10:49 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
14/04/2011 9:31:13 AM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
12/04/2011 5:12:14 AM, error: Dhcp [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/04/2011 11:32:34 PM, error: Service Control Manager [7034] - The Trend Micro Solution Platform service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm
Advertisement
Register to Remove

Re: Suspected Google Redirect Virus - Logs

Unread postby Dakeyras » April 19th, 2011, 6:24 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Malware Removal. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. We will update both in due course.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 8.2.6
Java(TM) 6 Update 2
Java(TM) 6 Update 24
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.

  • Double click on TDSSKiller.exe to launch it.
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • To find the log go to Start > Computer > C:
  • Post the contents of that log in your next reply please.

Note: Do not have TDSSKiller remove anything if found at this point in time!
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 19th, 2011, 10:35 am

Hello Dakeyras,

Glad you are on the task. Thanks.

Attached is the TDSS log

Rgds

N
You do not have the required permissions to view the files attached to this post.
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 19th, 2011, 10:38 am

I think these forums prefer this approach to "Post the contents of that log in your next reply"

Here it is....

2011/04/20 00:27:32.0531 1556 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/20 00:27:33.0765 1556 ================================================================================
2011/04/20 00:27:33.0765 1556 SystemInfo:
2011/04/20 00:27:33.0796 1556
2011/04/20 00:27:33.0796 1556 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/20 00:27:33.0796 1556 Product type: Workstation
2011/04/20 00:27:33.0796 1556 ComputerName: INSIDE HOUSE
2011/04/20 00:27:33.0796 1556 UserName: Owner
2011/04/20 00:27:33.0796 1556 Windows directory: C:\WINDOWS
2011/04/20 00:27:33.0796 1556 System windows directory: C:\WINDOWS
2011/04/20 00:27:33.0796 1556 Processor architecture: Intel x86
2011/04/20 00:27:33.0796 1556 Number of processors: 1
2011/04/20 00:27:33.0796 1556 Page size: 0x1000
2011/04/20 00:27:33.0796 1556 Boot type: Normal boot
2011/04/20 00:27:33.0796 1556 ================================================================================
2011/04/20 00:27:35.0250 1556 Initialize success
2011/04/20 00:27:41.0312 1804 ================================================================================
2011/04/20 00:27:41.0312 1804 Scan started
2011/04/20 00:27:41.0312 1804 Mode: Manual;
2011/04/20 00:27:41.0312 1804 ================================================================================
2011/04/20 00:27:47.0281 1804 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/04/20 00:27:48.0250 1804 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/20 00:27:48.0656 1804 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/20 00:27:49.0421 1804 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/20 00:27:50.0046 1804 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/04/20 00:27:50.0437 1804 AgereSoftModem (994a42d273c35b43ee9d1e8a5d8bc639) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/04/20 00:27:52.0984 1804 ALCXWDM (b786825902bd49232ba3b7df485ad9a4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/04/20 00:27:55.0375 1804 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/20 00:27:56.0968 1804 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/20 00:27:57.0187 1804 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/20 00:27:57.0593 1804 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/20 00:27:57.0828 1804 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/20 00:27:58.0468 1804 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/04/20 00:27:58.0859 1804 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/20 00:27:59.0875 1804 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/20 00:28:00.0484 1804 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/20 00:28:01.0312 1804 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/20 00:28:02.0171 1804 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/20 00:28:02.0937 1804 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/20 00:28:05.0093 1804 CnxTrLan (35c33e581dac178f29940ddda020fe76) C:\WINDOWS\system32\DRIVERS\CnxTrLan.sys
2011/04/20 00:28:05.0875 1804 CnxTrUsb (72a878d58658671a272f33ada20a3f25) C:\WINDOWS\system32\DRIVERS\CnxTrUsb.sys
2011/04/20 00:28:06.0531 1804 CO_Mon (6be1d6403727bdd8a2b2568dbe6bfb8b) C:\WINDOWS\system32\Drivers\CO_Mon.sys
2011/04/20 00:28:09.0296 1804 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/20 00:28:10.0750 1804 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/20 00:28:12.0484 1804 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/20 00:28:13.0484 1804 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/20 00:28:14.0546 1804 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/20 00:28:16.0562 1804 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/20 00:28:18.0156 1804 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/20 00:28:18.0984 1804 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/20 00:28:19.0359 1804 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/20 00:28:19.0562 1804 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/20 00:28:19.0812 1804 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/20 00:28:20.0156 1804 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/20 00:28:20.0328 1804 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/20 00:28:20.0468 1804 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/04/20 00:28:20.0578 1804 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/20 00:28:20.0812 1804 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/20 00:28:20.0968 1804 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/20 00:28:21.0234 1804 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/20 00:28:21.0750 1804 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/20 00:28:22.0468 1804 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/20 00:28:23.0375 1804 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/20 00:28:25.0171 1804 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/20 00:28:26.0062 1804 imagedrv (25edd75e23c5ef6b33d0fbcce125a601) C:\WINDOWS\system32\Drivers\imagedrv.sys
2011/04/20 00:28:27.0375 1804 imagesrv (9c4bbacf4e9b9543c3ce23f1fe556941) C:\WINDOWS\system32\DRIVERS\imagesrv.sys
2011/04/20 00:28:28.0125 1804 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/20 00:28:30.0281 1804 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/20 00:28:31.0156 1804 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/20 00:28:32.0109 1804 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/20 00:28:33.0031 1804 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/20 00:28:33.0765 1804 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/20 00:28:34.0453 1804 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/20 00:28:35.0296 1804 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/20 00:28:36.0796 1804 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/20 00:28:37.0843 1804 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/20 00:28:39.0062 1804 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/20 00:28:40.0453 1804 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/20 00:28:41.0609 1804 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/20 00:28:43.0156 1804 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/20 00:28:44.0250 1804 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/20 00:28:45.0046 1804 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/20 00:28:46.0015 1804 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/20 00:28:46.0812 1804 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/20 00:28:48.0296 1804 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/20 00:28:49.0437 1804 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/20 00:28:50.0750 1804 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/04/20 00:28:51.0906 1804 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/20 00:28:53.0281 1804 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/20 00:28:54.0437 1804 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/20 00:28:55.0312 1804 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/20 00:28:55.0968 1804 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/20 00:28:56.0812 1804 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/20 00:28:58.0171 1804 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/20 00:28:58.0843 1804 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/20 00:28:59.0750 1804 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/20 00:29:00.0812 1804 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/20 00:29:01.0671 1804 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/20 00:29:02.0109 1804 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/20 00:29:02.0890 1804 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/20 00:29:03.0515 1804 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/20 00:29:04.0015 1804 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/20 00:29:04.0359 1804 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/20 00:29:05.0078 1804 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/20 00:29:06.0453 1804 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/20 00:29:07.0515 1804 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/20 00:29:09.0078 1804 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/04/20 00:29:09.0968 1804 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/20 00:29:12.0781 1804 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/20 00:29:17.0156 1804 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/20 00:29:18.0046 1804 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/20 00:29:18.0890 1804 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/20 00:29:19.0734 1804 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/20 00:29:20.0703 1804 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/20 00:29:21.0453 1804 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/20 00:29:22.0171 1804 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/20 00:29:23.0734 1804 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/20 00:29:24.0734 1804 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/20 00:29:29.0343 1804 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/20 00:29:30.0171 1804 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/20 00:29:31.0078 1804 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/20 00:29:31.0953 1804 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/20 00:29:35.0296 1804 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/20 00:29:36.0046 1804 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/20 00:29:36.0906 1804 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/20 00:29:37.0671 1804 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/20 00:29:38.0421 1804 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/20 00:29:38.0968 1804 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/20 00:29:39.0812 1804 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/20 00:29:40.0687 1804 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/20 00:29:41.0515 1804 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/20 00:29:42.0421 1804 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2011/04/20 00:29:43.0218 1804 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/20 00:29:44.0187 1804 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/20 00:29:45.0125 1804 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/20 00:29:45.0703 1804 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/20 00:29:46.0843 1804 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/20 00:29:47.0734 1804 sisagp (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
2011/04/20 00:29:48.0312 1804 SiSide (b4485881bd8aed9b157a2e6cf43c2d51) C:\WINDOWS\system32\DRIVERS\siside.sys
2011/04/20 00:29:49.0140 1804 sisidex (6225224b8e846ac230f8d9b343635910) C:\WINDOWS\system32\drivers\sisidex.sys
2011/04/20 00:29:49.0890 1804 sisperf (596d4a7052002d2bd344d8937da6f66d) C:\WINDOWS\system32\drivers\sisperf.sys
2011/04/20 00:29:50.0671 1804 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/20 00:29:51.0875 1804 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/20 00:29:53.0000 1804 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/20 00:29:54.0281 1804 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/20 00:29:55.0687 1804 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
2011/04/20 00:29:56.0656 1804 stillcam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/04/20 00:29:57.0421 1804 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/20 00:29:58.0718 1804 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/20 00:29:59.0625 1804 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/20 00:30:02.0265 1804 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/20 00:30:03.0015 1804 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/20 00:30:03.0875 1804 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/20 00:30:04.0437 1804 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/20 00:30:05.0406 1804 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/20 00:30:05.0875 1804 tmactmon (de87a23d2ddc7378d1c7ab681e20de47) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
2011/04/20 00:30:06.0625 1804 tmcomm (540c2b5dc47651c572c2804dc72fdda8) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
2011/04/20 00:30:06.0859 1804 tmevtmgr (2de1fa64ebaff376f2c038f64492f62c) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
2011/04/20 00:30:07.0937 1804 tmtdi (5a61679b2277b9ad550e30479a69503b) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
2011/04/20 00:30:09.0921 1804 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/20 00:30:12.0437 1804 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/20 00:30:13.0953 1804 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/20 00:30:15.0500 1804 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/20 00:30:16.0875 1804 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/20 00:30:18.0843 1804 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/20 00:30:20.0093 1804 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/20 00:30:21.0406 1804 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/20 00:30:22.0687 1804 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/20 00:30:23.0453 1804 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/20 00:30:24.0593 1804 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/20 00:30:26.0875 1804 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/20 00:30:28.0375 1804 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/20 00:30:29.0921 1804 WCDV_Aud (3bc8598cd4a09464088664c21964efde) C:\WINDOWS\system32\drivers\wcdvaud.sys
2011/04/20 00:30:30.0937 1804 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/04/20 00:30:31.0468 1804 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/20 00:30:31.0765 1804 WebCamDV (1fc55a99b043e6e0ec1b0d36ca181448) C:\WINDOWS\system32\DRIVERS\WebCamDV.sys
2011/04/20 00:30:33.0750 1804 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/04/20 00:30:34.0828 1804 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/20 00:30:35.0156 1804 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/20 00:30:35.0953 1804 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/20 00:30:37.0484 1804 ================================================================================
2011/04/20 00:30:37.0484 1804 Scan finished
2011/04/20 00:30:37.0484 1804 ================================================================================
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Dakeyras » April 19th, 2011, 6:38 pm

Hi. :)

Glad you are on the task. Thanks.
You're welcome!

I think these forums prefer this approach to "Post the contents of that log in your next reply"
Correct, basically because this is predominately a training forum it is beneficial for students to be able to review all logs etc.

Lets proceed as follows shall we...

Scan with OTL:

Please download OTL and save it to your Desktop.

Alternate downloads are here and here.

  • Double-click on OTL.exe to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 19th, 2011, 9:36 pm

As requested....

How is your computer performing now, any further symptoms and or problems encountered?

Nothing extra..the issue still behaves as it always has.

Google search term entered eg: kmart auto lake haven >> ** search** >> select a listing from the top BLUE UNDERLINED result >> browser goes to:
hxxp://www.wyllib.net/?search=kmart%2Ba ... 1303262859 momentarily before >> arriving at a merchant related to, in this case auto products locally.

Cut & Paste the GREEN url at the bottom of each search result produces no issue. As does re-clicking the above BLUE UNDERLINED link a second time or when the browser is refreshed.

Clicking the Cached link is also problem free.


#### OTL LOG ####

OTL logfile created on: 20/04/2011 10:52:35 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop\TM-Titanium
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 69.69 Gb Free Space | 62.34% Space Free | Partition Type: NTFS
Drive F: | 74.52 Gb Total Space | 58.83 Gb Free Space | 78.95% Space Free | Partition Type: NTFS

Computer Name: BUSINESS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\TM-Titanium\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OL\TMAS_OL.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe (Trend Micro Inc.)
PRC - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
PRC - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (UnH Solutions)
PRC - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
PRC - C:\WINDOWS\StartupMonitor.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\TM-Titanium\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEHook.dll ()
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\J River\Media Jukebox 14\Plugins\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Security Activity Dashboard Service) -- File not found
SRV - (getPlusHelper) getPlus(R) -- File not found
SRV - (Amsp) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe (Trend Micro Inc.)
SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
SRV - (Media Jukebox 14 Service) -- C:\Program Files\J River\Media Jukebox 14\JRService.exe (J. River, Inc.)
SRV - (FlipShare Service) -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()
SRV - (AdobeActiveFileMonitor5.0) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (IDriverT) -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)
DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (CO_Mon) -- C:\WINDOWS\system32\drivers\CO_Mon.sys ()
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (imagesrv) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (imagedrv) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (WebCamDV) -- C:\WINDOWS\system32\drivers\WebCamDV.sys (OrangeWare, Inc.)
DRV - (WCDV_Aud) -- C:\WINDOWS\system32\drivers\wcdvaud.sys (OrangeWare, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (SiSide) -- C:\WINDOWS\system32\DRIVERS\siside.sys (Silicon Integrated Systems Corp.)
DRV - (sisidex) -- C:\WINDOWS\system32\drivers\sisidex.sys (Windows (R) 2000 DDK provider)
DRV - (sisperf) -- C:\WINDOWS\system32\drivers\sisperf.sys (Silicon Integrated Systems Corp.)
DRV - (CnxTrLan) -- C:\WINDOWS\system32\drivers\CnxTrLan.sys (Conexant)
DRV - (CnxTrUsb) -- C:\WINDOWS\system32\drivers\CnxTrUsb.sys (Conexant)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A4 32 93 2E A9 B4 CB 01 [binary data]
IE - HKU\S-1-5-21-796845957-746137067-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF - HKLM\software\mozilla\Firefox\extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2011/03/22 07:29:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension\ [2011/04/12 23:32:08 | 000,000,000 | ---D | M]

[2009/01/09 12:51:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/01/09 12:51:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/09/08 11:40:32 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2008/10/06 09:54:22 | 000,000,848 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} - No CLSID value found.
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (Trend Micro Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Run StartupMonitor] C:\WINDOWS\StartupMonitor.exe ()
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-796845957-746137067-725345543-1003..\Run: [IE Privacy Keeper] C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (UnH Solutions)
O4 - HKU\S-1-5-21-796845957-746137067-725345543-1003..\Run: [OE] File not found
O4 - HKU\S-1-5-21-796845957-746137067-725345543-1003..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: google.com.au ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([update] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: windowsupdate.com ([]https in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://www.caminova.net/ja/downloads/ge ... px?lang=en (DjVuCtl Class)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDow ... ab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} http://www.myheritage.com/Genoogle/Comp ... eQuery.dll (CSEQueryObject Object)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftup ... 3523190062 (WUWebControl Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwar ... TSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 3523170656 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDow ... rtScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex ... 0-29-0.cab (EPUImageControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwar ... /CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/20 14:34:02 | 000,000,008 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5b7d6261-9225-11de-b8b4-00e04c1271fc}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe
O33 - MountPoints2\{c7bcd430-ddf5-11dd-b798-00e04c1271fc}\Shell\AutoRun\command - "" = H:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/19 17:24:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/19 17:24:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/19 17:24:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/19 17:24:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/19 07:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\HiJackThis
[2011/04/17 14:13:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/04/17 14:12:48 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/04/17 14:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/04/17 14:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Apple
[2011/04/17 12:23:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/04/02 22:49:14 | 001,693,696 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltclr13n.dll
[2011/04/02 22:49:14 | 000,453,120 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltkrn13n.dll
[2011/04/02 22:49:14 | 000,445,440 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltimg13n.dll
[2011/04/02 22:49:14 | 000,388,608 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfcmp13n.dll
[2011/04/02 22:49:14 | 000,265,216 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltdis13n.dll
[2011/04/02 22:49:14 | 000,246,272 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfj2k13n.dll
[2011/04/02 22:49:14 | 000,206,848 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltefx13n.dll
[2011/04/02 22:49:14 | 000,189,976 | ---- | C] (MyFamily.com, Inc.) -- C:\WINDOWS\System32\mfimgvwr.ocx
[2011/04/02 22:49:14 | 000,154,112 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltfil13n.dll
[2011/04/02 22:49:14 | 000,142,848 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lftif13n.dll
[2011/04/02 22:49:14 | 000,090,112 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfjbg13n.dll
[2011/04/02 22:49:14 | 000,073,728 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lffax13n.dll
[2011/04/02 22:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\MFInstall
[2011/03/22 07:31:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Trend Micro Titanium Maximum Security
[2011/03/22 07:31:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Trend Micro
[2011/03/22 07:30:40 | 000,092,112 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2011/03/22 07:30:39 | 000,189,520 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/22 07:30:39 | 000,080,464 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2011/03/22 07:30:39 | 000,064,080 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2011/03/22 07:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Trend Micro
[2011/03/22 07:23:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\TM-Titanium
[2004/11/25 05:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[33 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/20 10:52:01 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/20 10:30:41 | 000,000,143 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/20 10:08:08 | 000,000,229 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Lohse-Family.url
[2011/04/20 05:01:27 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{91FF4385-41FF-4D41-A4F1-25A5E0ABDD5C}.job
[2011/04/20 05:01:05 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/20 04:59:30 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/20 04:59:26 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/04/20 04:59:24 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/20 04:59:19 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\tasks\Ljujbhv.job
[2011/04/20 04:59:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/20 04:59:13 | 2683,887,616 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/20 00:09:43 | 000,000,333 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MalWare Removal • View topic - Suspected Google Redirect Virus - Logs (2).url
[2011/04/20 00:09:24 | 000,000,333 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MalWare Removal • View topic - Suspected Google Redirect Virus - Logs.url
[2011/04/19 19:35:57 | 000,000,910 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CANSTAR CANNEX - Compare Interest Rates, Home Loans, Credit Cards, Insurance, Savings Accounts.url
[2011/04/19 19:35:42 | 000,000,229 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cruise Reviews, Cruise Deals and Cruises - Cruise Critic.url
[2011/04/19 19:35:32 | 000,000,268 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\May 14, 2011 - Eastbound TransAtlantic - The DIS Discussion Forums - DISboards.com.url
[2011/04/19 17:37:18 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Chartis Travel Insurance, Get your travel insurance quote online.url
[2011/04/19 17:24:26 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/19 17:09:47 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/04/19 09:54:08 | 000,000,308 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Re Suspected Google Redirect Virus - Trend Community.url
[2011/04/19 09:12:00 | 000,000,270 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[2011/04/19 05:06:19 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2011/04/18 17:17:18 | 000,002,001 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Middle-aged are grumpy because happiness is U-shaped - Telegraph.url
[2011/04/17 15:31:37 | 000,142,336 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/17 14:13:51 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/17 14:11:32 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/04/17 10:35:01 | 000,294,804 | ---- | M] () -- C:\~WipeTmp34.out
[2011/04/16 19:28:59 | 000,000,292 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Water Color.url
[2011/04/16 11:25:46 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/04/15 08:22:28 | 000,001,207 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Walker dead after being hit by car pulling out of driveway.url
[2011/04/15 06:43:06 | 000,200,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 20:09:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 20:07:18 | 000,453,380 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/14 20:07:18 | 000,075,464 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/10 16:32:59 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/04/10 16:04:14 | 000,001,247 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\The Best Web Apps of 2010.url
[2011/04/09 18:14:03 | 000,000,223 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SmugMug Coupon for 20-50% Off All Coupons Here Work!.url
[2011/04/09 17:25:51 | 000,000,292 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bluehost Rebate » ProPhoto Blogs.url
[2011/04/09 08:58:16 | 000,000,380 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Ted & Michelle Married! Giverny, France » JACKIE WONDERS PHOTOGRAPHER.url
[2011/04/08 04:51:07 | 000,000,339 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\COUPONS.url
[2011/04/05 14:10:15 | 000,001,674 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Speed Test on ZDNet Australia.url
[2011/04/05 12:38:30 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Join an Irish clan and win an amzing trip for 2 to Ireland.url
[2011/04/03 14:42:21 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\50 really useful iPad tips and tricks News TechRadar UK.url
[2011/04/03 10:56:01 | 000,000,289 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Loving the 1920s My words, My freedom, My speech.url
[2011/04/03 02:49:00 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\delifrank eBay.url
[2011/04/01 16:57:42 | 000,122,880 | RHS- | M] () -- C:\WINDOWS\System32\sqlsrv32C.dll
[2011/04/01 09:24:48 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\10.00 € - Taxi fare from roma termini to piazza navona in Rome.url
[2011/03/31 14:59:35 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Dell iPad Fine For Robinson Crusoe, Not Real World - Smarthouse.url
[2011/03/30 18:26:22 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Rome Hotels, Rome Hotel reservations Venere.com.url
[2011/03/30 12:42:24 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Rome.info Rome tourist information, Ancient Rome travel guide.url
[2011/03/29 13:21:37 | 000,000,241 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Self Improvement from SelfGrowth.com.url
[2011/03/29 10:33:13 | 000,000,390 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Streetscapes - 113 Jane Street - Popeye Slept Here and Now Olive Oyl Can, Too - NYTimes.com.url
[2011/03/29 07:27:24 | 000,001,474 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Australian working mothers spend 15 hours a week with their children Herald Sun.url
[2011/03/28 08:23:16 | 000,011,264 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2011/03/27 15:52:48 | 000,001,197 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iTWire - The best top 10 reasons to buy an iPad 2.url
[2011/03/27 15:51:47 | 000,001,190 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iTWire - 10 more top 10 reasons to buy an iPad 2.url
[2011/03/25 20:42:50 | 000,000,538 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Philippe Calderon - IMDb.url
[2011/03/24 06:22:24 | 000,001,410 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Stress wrongly blamed for breast cancer.url
[2011/03/22 17:58:14 | 010,873,889 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Walking%20Trails.pdf
[2011/03/22 15:38:50 | 000,000,269 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CAGenWeb Santa Clara County, CA - Genealogy History.url
[2011/03/22 07:32:00 | 000,000,932 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Trend Micro Titanium Maximum Security.lnk
[2011/03/22 07:27:17 | 000,189,520 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/22 07:27:17 | 000,092,112 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2011/03/22 07:27:17 | 000,080,464 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2011/03/22 07:27:17 | 000,064,080 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[33 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/20 00:09:43 | 000,000,333 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MalWare Removal • View topic - Suspected Google Redirect Virus - Logs (2).url
[2011/04/20 00:09:24 | 000,000,333 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MalWare Removal • View topic - Suspected Google Redirect Virus - Logs.url
[2011/04/19 19:35:56 | 000,000,910 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CANSTAR CANNEX - Compare Interest Rates, Home Loans, Credit Cards, Insurance, Savings Accounts.url
[2011/04/19 19:35:42 | 000,000,229 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Cruise Reviews, Cruise Deals and Cruises - Cruise Critic.url
[2011/04/19 19:35:30 | 000,000,268 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\May 14, 2011 - Eastbound TransAtlantic - The DIS Discussion Forums - DISboards.com.url
[2011/04/19 17:37:18 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Chartis Travel Insurance, Get your travel insurance quote online.url
[2011/04/19 17:24:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/19 09:54:08 | 000,000,308 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Re Suspected Google Redirect Virus - Trend Community.url
[2011/04/19 05:21:58 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/04/19 04:59:42 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2011/04/18 17:17:18 | 000,002,001 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Middle-aged are grumpy because happiness is U-shaped - Telegraph.url
[2011/04/17 14:13:51 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/17 14:11:32 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/04/16 19:28:59 | 000,000,292 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Water Color.url
[2011/04/16 11:17:38 | 000,294,804 | ---- | C] () -- C:\~WipeTmp34.out
[2011/04/15 08:22:27 | 000,001,207 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Walker dead after being hit by car pulling out of driveway.url
[2011/04/10 16:04:13 | 000,001,247 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\The Best Web Apps of 2010.url
[2011/04/09 18:14:02 | 000,000,223 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SmugMug Coupon for 20-50% Off All Coupons Here Work!.url
[2011/04/09 17:25:51 | 000,000,292 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bluehost Rebate » ProPhoto Blogs.url
[2011/04/08 13:31:24 | 000,000,380 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Ted & Michelle Married! Giverny, France » JACKIE WONDERS PHOTOGRAPHER.url
[2011/04/05 12:38:30 | 000,000,318 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Join an Irish clan and win an amzing trip for 2 to Ireland.url
[2011/04/04 14:11:34 | 000,000,339 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\COUPONS.url
[2011/04/03 10:56:01 | 000,000,289 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Loving the 1920s My words, My freedom, My speech.url
[2011/04/03 02:49:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\delifrank eBay.url
[2011/04/01 18:15:44 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\50 really useful iPad tips and tricks News TechRadar UK.url
[2011/04/01 16:57:43 | 000,000,312 | -HS- | C] () -- C:\WINDOWS\tasks\Ljujbhv.job
[2011/04/01 16:57:42 | 000,122,880 | RHS- | C] () -- C:\WINDOWS\System32\sqlsrv32C.dll
[2011/04/01 09:24:48 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\10.00 € - Taxi fare from roma termini to piazza navona in Rome.url
[2011/03/31 14:59:35 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Dell iPad Fine For Robinson Crusoe, Not Real World - Smarthouse.url
[2011/03/30 18:26:22 | 000,000,541 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Rome Hotels, Rome Hotel reservations Venere.com.url
[2011/03/30 12:42:24 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Rome.info Rome tourist information, Ancient Rome travel guide.url
[2011/03/29 13:21:37 | 000,000,241 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Self Improvement from SelfGrowth.com.url
[2011/03/29 10:33:13 | 000,000,390 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Streetscapes - 113 Jane Street - Popeye Slept Here and Now Olive Oyl Can, Too - NYTimes.com.url
[2011/03/29 07:27:24 | 000,001,474 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Australian working mothers spend 15 hours a week with their children Herald Sun.url
[2011/03/27 15:52:48 | 000,001,197 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iTWire - The best top 10 reasons to buy an iPad 2.url
[2011/03/27 15:51:47 | 000,001,190 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iTWire - 10 more top 10 reasons to buy an iPad 2.url
[2011/03/25 20:42:49 | 000,000,538 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Philippe Calderon - IMDb.url
[2011/03/24 06:22:23 | 000,001,410 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Stress wrongly blamed for breast cancer.url
[2011/03/22 17:58:07 | 010,873,889 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Walking%20Trails.pdf
[2011/03/22 15:38:49 | 000,000,269 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CAGenWeb Santa Clara County, CA - Genealogy History.url
[2011/03/22 07:31:58 | 000,000,932 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Trend Micro Titanium Maximum Security.lnk
[2011/03/16 06:52:43 | 000,164,879 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2011/03/16 06:52:43 | 000,007,262 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2011/01/26 10:13:32 | 000,562,450 | ---- | C] () -- C:\WINDOWS\hpoins21.dat.temp
[2011/01/26 10:13:32 | 000,007,262 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat.temp
[2011/01/09 08:51:35 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini
[2010/12/25 10:06:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2010/12/13 06:55:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2010/11/27 09:50:29 | 000,041,888 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/08/05 14:29:15 | 000,000,012 | ---- | C] () -- C:\WINDOWS\Recorder.dat
[2010/05/06 18:22:39 | 000,077,374 | ---- | C] () -- C:\WINDOWS\hpqins05.dat
[2010/04/25 18:03:35 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2010/04/12 11:34:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2010/04/12 11:30:08 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2010/02/01 08:16:11 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2009/08/21 09:27:24 | 000,005,846 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pic18.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/05/15 10:01:43 | 000,011,264 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2009/04/30 09:20:22 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009/04/28 14:53:04 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2009/03/20 08:59:03 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/08 18:58:55 | 000,046,456 | R--- | C] () -- C:\WINDOWS\System32\exitwx.exe
[2008/12/20 01:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/18 03:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/18 03:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/18 03:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/18 03:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/18 02:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/10/07 09:56:06 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2008/09/20 14:30:06 | 000,019,484 | ---- | C] () -- C:\WINDOWS\hpqins13.dat.temp
[2008/08/04 14:39:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/07/07 10:57:07 | 000,002,389 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/06/18 17:33:10 | 000,019,518 | ---- | C] () -- C:\WINDOWS\hpqins13.dat
[2008/06/17 13:52:21 | 000,000,038 | ---- | C] () -- C:\WINDOWS\System32\llbiirc.dll
[2008/06/13 07:46:19 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/05/20 14:34:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/03/26 13:09:44 | 000,000,663 | ---- | C] () -- C:\WINDOWS\openrda.ini
[2008/03/24 12:57:02 | 000,000,121 | ---- | C] () -- C:\WINDOWS\SwDrvs.ini
[2008/03/24 12:54:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\drvxl32.INI
[2008/03/24 12:54:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\drvwd32.INI
[2008/03/05 12:56:23 | 000,000,265 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2008/02/29 09:09:06 | 000,000,472 | ---- | C] () -- C:\WINDOWS\pbviewer.ini
[2008/02/29 08:16:43 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/02/23 16:37:59 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/02/23 16:37:59 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/02/19 16:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/02/02 18:55:52 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/01/14 16:55:22 | 000,571,320 | ---- | C] () -- C:\WINDOWS\HPISExe.dat
[2008/01/14 16:54:04 | 000,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2008/01/05 11:00:05 | 000,000,026 | ---- | C] () -- C:\WINDOWS\dvdSanta.INI
[2007/12/23 18:33:46 | 000,000,099 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/12/17 11:33:11 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2007/11/09 06:11:09 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\CO_Mon.sys
[2007/10/05 12:04:02 | 000,000,149 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/09/01 15:23:21 | 000,000,143 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/08/08 10:21:34 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2007/07/27 14:50:46 | 000,000,240 | ---- | C] () -- C:\WINDOWS\ActiveAct.INI
[2007/07/27 14:20:06 | 000,000,240 | ---- | C] () -- C:\WINDOWS\ActiveActG.INI
[2007/07/27 13:53:36 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\EmailShared.dll
[2007/07/27 13:43:09 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\LPng.dll
[2007/07/23 14:29:02 | 000,142,336 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/16 15:01:45 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/07/07 16:43:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/23 16:46:18 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/06/23 16:45:38 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/06/23 15:37:17 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/06/23 15:05:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/06/23 05:31:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/06/23 05:30:21 | 000,200,936 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/10 09:20:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/12/13 23:01:36 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/12/13 23:01:36 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/11/03 02:10:16 | 000,080,912 | ---- | C] () -- C:\WINDOWS\System32\sherlock2.exe
[2006/10/22 11:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 11:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/22 11:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 11:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 11:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 11:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 11:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 11:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/22 11:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/22 11:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 11:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/05/05 17:26:00 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\ctreestd.dll
[2006/02/28 22:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 22:00:00 | 000,453,380 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 22:00:00 | 000,075,464 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 22:00:00 | 000,018,005 | ---- | C] () -- C:\WINDOWS\System32\aarvbt.dll
[2006/02/28 22:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 22:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 22:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/10/27 08:39:05 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/04 03:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2002/03/21 15:39:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2002/03/19 17:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2002/03/19 17:30:00 | 000,045,632 | ---- | C] () -- C:\WINDOWS\System32\TaskSwitch.exe
[2000/05/20 17:23:48 | 000,086,016 | ---- | C] () -- C:\WINDOWS\StartupMonitor.exe
[2000/01/31 08:02:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll

< End of report >
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 19th, 2011, 9:39 pm

AS requested....

#### EXTRAs LOG ####

OTL Extras logfile created on: 20/04/2011 10:52:35 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop\TM-Titanium
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 69.69 Gb Free Space | 62.34% Space Free | Partition Type: NTFS
Drive F: | 74.52 Gb Total Space | 58.83 Gb Free Space | 78.95% Space Free | Partition Type: NTFS

Computer Name: BUSINESS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"Disable Config" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ACT\ActUpdt.exe" = C:\Program Files\ACT\ActUpdt.exe:*:Enabled:ACT! Update -- (Interact Commerce Corporation)
"C:\Program Files\Yahoo!\UPnP\yupnpsrv.exe" = C:\Program Files\Yahoo!\UPnP\yupnpsrv.exe:*:Enabled:Yahoo! UPnP AV Media Server
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
"C:\Documents and Settings\Owner\Application Data\Facebook\facebook.exe" = C:\Documents and Settings\Owner\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\GIGABYTE\@BIOS\gwflash.exe" = C:\Program Files\GIGABYTE\@BIOS\gwflash.exe:*:Enabled:gwflash -- ()
"C:\Program Files\GIGABYTE\@BIOS\update.exe" = C:\Program Files\GIGABYTE\@BIOS\update.exe:*:Enabled:update -- ()
"C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe" = C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup -- (Nero AG)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe
"C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe" = C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime -- (Nero AG)
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0 -- (SmartSoft Ltd.)
"C:\Program Files\Azureus\Azureus.exe" = C:\Program Files\Azureus\Azureus.exe:*:Disabled:Azureus
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
"D:\setup\HPZNUI01.EXE" = D:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394cdc8-fabd-4ed8-b104-03393876dfdf}" = Roxio Creator Tools
"{03B7F3F1-5A2C-4FC8-A4C1-AF6FE3F8E9AA}" = Genline FamilyFinder
"{0d397393-9b50-4c52-84d5-77e344289f87}" = Roxio Creator Data
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = LizardTech DjVu Control
"{11f93b4b-48f0-4a4e-ae77-dfa96a99664b}" = Roxio Creator EasyArchive
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{195f2c6c-a343-4b10-b1a4-3f00ab9e9dd9}" = Fax
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2
"{235BBFC6-D863-4066-A01A-3BD504C31033}" = Nero 7 Ultra Edition
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{2FBF04DC-404C-4FA4-BA28-99903080D2B9}" = Magnifier Powertoy for Windows XP
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{35e1ec43-d4fc-4e4a-aab3-20dda27e8bb0}" = Roxio Activation Module
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3a6f8a27-fa78-48a4-bbd1-399b000bcc9a}" = C8100_Help
"{3E5B0764-4527-4913-A11D-E4C19E1A86C1}" = MYOB Accounting v17
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}" = Google Photos Screensaver
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4ACBE725-9800-54D0-4B4B-4B1BD3E97E7E}" = FlipShare
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{4E475FD4-4513-4B1D-8DDA-43912B068C99}" = HTML Slideshow Powertoy for Windows XP
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{612F4E20-3661-4D44-AD79-823F1B613FB3}" = HP Update
"{619cdd8a-14b6-43a1-ab6c-0f4ee48ce048}" = Roxio Creator Copy
"{6675ca7f-e51b-4f6a-99d4-f8f0124c6eaa}" = Roxio Express Labeler 3
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{687fef8a-8597-40b4-832c-297ea3f35817}" = BufferChm
"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone
"{6F23C1A3-9F62-470C-BD12-B83F04E67865}" = SmartFTP Client
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{76EFAC4F-1712-401F-B2AE-590B170C9BCE}" = StartupMonitor
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{798CA202-699B-49CC-95EE-BD01411A42E4}" =
"{7CBEA175-8D35-4343-8A47-DBF36F86C033}" = MYOB Premier Accounting 2006 (v15)
"{7CC978FD-AE31-419D-A7AB-2A137689AE1F}" = OLYMPUS Digital Camera Updater
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83ffcfc7-88c6-41c6-8752-958a45325c82}" = Roxio Creator Audio
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}" = MYOB Accounting Plus v17
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8a85dead-7c1f-4368-881c-72ac74cb2e91}" = UnloadSupport
"{8D445B72-D4AB-4769-A5AF-5056D9D019BD}" = Send to SmugMug
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91B7CEB3-4331-427B-AA7A-2898BE8F9DC6}" = Samsung PC Studio 3
"{938b1cd7-7c60-491e-aa90-1f1888168240}" = Roxio MyDVD Basic v9
"{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A589DA26-51BD-475D-8C32-E19E34145842}" = Camtasia Studio 6
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP
"{A743BBCC-3438-4BB3-8397-6C9D9AC125A6}" = Timershot Powertoy for Windows XP
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium Maximum Security
"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro™ Titanium™ Maximum Security
"{ACDE260A-602B-4cfb-A650-D0DBA6FFAD85}" = NetDeviceManager
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B5688129-7595-4E5B-9990-CEF981A31264}" = SyncToy
"{b8dbed1e-8bc3-4d08-b94a-f9d7d88e9bbf}" = HPSSupply
"{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}" = Slideshow Generator Powertoy for Windows XP
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min
"{C71F2873-3229-4A9E-A2A2-F14DCBF63F56}" = MYOB ODBC Direct v7
"{c8b0680b-cdae-4809-9f91-387b6de00f7c}" = Roxio Creator Basic v9
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}" = RssReader
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{DDAC27F9-8293-465f-A4B0-011F1D38BBA1}" = RoxioShim
"{DFB304E2-3D5A-11D5-86CA-E9609B6FB645}" = MergeMaster! Pro for ACT!
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{EF3F9770-CA7B-4c5d-8A98-49AB97216546}" = C8100
"{F251B999-08A9-4704-999C-9962F0DFD88E}" = Virtual Desktop Manager Powertoy for Windows XP
"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
"{F69FD33C-8815-46BF-9134-A643DE68F3C0}" = WinFast(R) Display Driver
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"ACT!" = ACT!
"Add/Remove Pro (Freeware)_is1" = Add/Remove Pro (Freeware)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"AudibleManager" = AudibleManager
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"D'Fusion @Home Web Plug-In" = Total Immersion D'Fusion Web Plugin
"DjVu" = LizardTech DjVu Control (autoinstall)
"E77704EF5E71F4F18CADFBFA68595AFE036D5D97" = Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
"FFmpeg for Audacity on Windows_is1" = FFmpeg for Audacity on Windows
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"html link validator" = HTML Link Validator
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IE Privacy Keeper" = IE Privacy Keeper
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"ImgBurn" = ImgBurn
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}" = MYOB Accounting Plus v17
"InstallShield_{C71F2873-3229-4A9E-A2A2-F14DCBF63F56}" = MYOB ODBC Direct v7
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Jukebox 12" = Media Jukebox 12
"Media Jukebox 14" = Media Jukebox 14
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NetComm USB Network" = NetComm NB1300 USB Network Adapter
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"personalbrain 5" = PersonalBrain 5
"Purepage OEM" = Purepage OEM
"RoyaleTheme" = XP Royale Theme
"ST6UNST #1" = Postcodes for ACT!TM
"SysInfo" = Creative System Information
"SystemRequirementsLab" = System Requirements Lab
"The KMPlayer" = The KMPlayer (remove only)
"TomTom HOME" = TomTom HOME 2.7.6.2056
"TranslatorBar_1 Toolbar" = TranslatorBar_1 Toolbar
"TranslatorBar_1.2 Toolbar" = TranslatorBar_1.2 Toolbar
"UltraWipe" = UltraWipe
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec
"ZENcast Organizer" = ZENcast Organizer

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.457

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/04/2011 7:00:20 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 7:00:22 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 7:35:51 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 7:35:54 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 8:01:19 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 8:01:22 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 8:41:51 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 8:41:54 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 9:17:21 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/04/2011 9:17:23 AM | Computer Name = BUSINESS | Source = ESENT | ID = 490
Description = svchost (964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 17/04/2011 2:44:10 AM | Computer Name = BUSINESS | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.0.2
with the system having network hardware address A4:67:06:6E:81:B1. Network operations
on this system may be disrupted as a result.

Error - 17/04/2011 4:57:47 PM | Computer Name = BUSINESS | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 17/04/2011 8:19:59 PM | Computer Name = BUSINESS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.2 for the Network Card with network
address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 18/04/2011 6:36:10 AM | Computer Name = BUSINESS | Source = DCOM | ID = 10010
Description = The server {657C7A59-4FEC-4C06-A354-607B1EB184FB} did not register
with DCOM within the required timeout.

Error - 18/04/2011 1:32:46 PM | Computer Name = BUSINESS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.7 for the Network Card with network
address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 18/04/2011 1:34:28 PM | Computer Name = BUSINESS | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 19/04/2011 10:27:01 AM | Computer Name = BUSINESS | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 19/04/2011 10:27:01 AM | Computer Name = BUSINESS | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 19/04/2011 2:59:18 PM | Computer Name = BUSINESS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.2 for the Network Card with network
address 00E04C1271FC has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 19/04/2011 3:01:00 PM | Computer Name = BUSINESS | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Dakeyras » April 20th, 2011, 4:26 am

Hi,

Is this machine used for business related activities and or personal use only?
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 20th, 2011, 6:49 am

Thanks for the question..

It was set up as a business machine back in 2003. The business, public speaking, wound up in 2007. It was always a shared use machine (30% businees 70% personal / family)

It is used solely for personal / family use now.

I'm aware of the regulations of the forum and the stated " no business use" will be assited.

The BUSINESS label is a legacy of times gone by, not an indicator of current activity in any way.

Hope this answers your question.

NL
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Dakeyras » April 20th, 2011, 4:22 pm

Hi and thank you for the clarification. :)

Lets proceed as follows shall we...Do you recognise this folder at all?

C:\~WipeTmp34.out

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK

Code: Select all
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Custom OTL Script:

  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: Select all
:OTL
SRV - (Security Activity Dashboard Service) -- File not found
SRV - (getPlusHelper) getPlus(R) -- File not found
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKU\S-1-5-21-796845957-746137067-725345543-1003..\Run: [OE] File not found
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: google.com.au ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: microsoft.com ([update] https in Trusted sites)
O15 - HKU\S-1-5-21-796845957-746137067-725345543-1003\..Trusted Domains: windowsupdate.com ([]https in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[33 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/04/20 04:59:19 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\tasks\Ljujbhv.job
[2011/04/01 16:57:42 | 000,122,880 | RHS- | M] () -- C:\WINDOWS\System32\sqlsrv32C.dll

:Files 
ipconfig /flushdns /c 
%systemroot%\prefetch\*.* 

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 0

:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Answer to my folder query.
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 20th, 2011, 8:18 pm

Q1: How is your computer performing now, any further symptoms and or problems encountered?

There is a great improvement in the direction the link goes when I select from the search results.
I have tested 20 different key word combos - even ones i used before - and they all go direct to the target.

THe only difference is a slowness of ie 8 to get to where it needs to go. I found the link to this forum from the email you send each time you post VERY VERY slow to load.

Q2: Answer to my folder query.

I do not recognise this folder at all.

It get there but it takes a long time, maybe 1.5 -- 2 minutes.
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 20th, 2011, 8:20 pm

Q3: OTL Log from the Custom Script

All processes killed
========== OTL ==========
Service Security Activity Dashboard Service stopped successfully!
Service Security Activity Dashboard Service deleted successfully!
File File not found not found.
Error: No service named getPlusHelper) getPlus(R was found to stop!
Service\Driver key getPlusHelper) getPlus(R not found.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e853d72-626a-48ec-a868-ba8d5e23e045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e853d72-626a-48ec-a868-ba8d5e23e045}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\hpqSRMon deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\OE deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
C:\WINDOWS\Web\related.htm moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
File C:\WINDOWS\Web\related.htm not found.
Registry key HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\*.windowsupdate\ not found.
Invalid CLSID key: *.windowsupdate
Registry key HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update\ not found.
Registry key HKEY_USERS\S-1-5-21-796845957-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\WINDOWS\System32\dllcache\OLD388.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\OLD38E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\OLD391.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\OLD396.tmp deleted successfully.
C:\WINDOWS\003312_.tmp deleted successfully.
C:\WINDOWS\DUMP4006.tmp deleted successfully.
C:\WINDOWS\DUMP4016.tmp deleted successfully.
C:\WINDOWS\DUMP4035.tmp deleted successfully.
C:\WINDOWS\DUMP418d.tmp deleted successfully.
C:\WINDOWS\DUMP419c.tmp deleted successfully.
C:\WINDOWS\DUMP41fa.tmp deleted successfully.
C:\WINDOWS\DUMP41fb.tmp deleted successfully.
C:\WINDOWS\DUMP4229.tmp deleted successfully.
C:\WINDOWS\DUMP4ecb.tmp deleted successfully.
C:\WINDOWS\DUMP5b20.tmp deleted successfully.
C:\WINDOWS\DUMP5b3f.tmp deleted successfully.
C:\WINDOWS\DUMP5b4f.tmp deleted successfully.
C:\WINDOWS\DUMP5b7d.tmp deleted successfully.
C:\WINDOWS\DUMP5b9d.tmp deleted successfully.
C:\WINDOWS\DUMP5bbc.tmp deleted successfully.
C:\WINDOWS\DUMP5bcc.tmp deleted successfully.
C:\WINDOWS\DUMP5bdb.tmp deleted successfully.
C:\WINDOWS\DUMP5bdc.tmp deleted successfully.
C:\WINDOWS\DUMP5beb.tmp deleted successfully.
C:\WINDOWS\DUMP5bfa.tmp deleted successfully.
C:\WINDOWS\DUMP5c1a.tmp deleted successfully.
C:\WINDOWS\DUMP5c39.tmp deleted successfully.
C:\WINDOWS\DUMP5c3a.tmp deleted successfully.
C:\WINDOWS\DUMP5c49.tmp deleted successfully.
C:\WINDOWS\DUMP5c58.tmp deleted successfully.
C:\WINDOWS\DUMP5c77.tmp deleted successfully.
C:\WINDOWS\DUMP5c87.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET29.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET69.tmp deleted successfully.
C:\WINDOWS\tasks\Ljujbhv.job moved successfully.
C:\WINDOWS\system32\sqlsrv32C.dll moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\TM-Titanium\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\TM-Titanium\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\ACROBAT.EXE-33FD5B8C.pf moved successfully.
C:\WINDOWS\prefetch\ACRORD32.EXE-356875A2.pf moved successfully.
C:\WINDOWS\prefetch\ACRORD32INFO.EXE-24548733.pf moved successfully.
C:\WINDOWS\prefetch\ADDREMPR.EXE-1AFF468A.pf moved successfully.
C:\WINDOWS\prefetch\ADOBEARM.EXE-2D1B11BF.pf moved successfully.
C:\WINDOWS\prefetch\ADOBEUPDATER.EXE-1AB51BCE.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf moved successfully.
C:\WINDOWS\prefetch\AOM.EXE-363508CD.pf moved successfully.
C:\WINDOWS\prefetch\AUDIBLEDOWNLOADHELPER.EXE-306BEAB6.pf moved successfully.
C:\WINDOWS\prefetch\BSPATCH.EXE-21418B16.pf moved successfully.
C:\WINDOWS\prefetch\CLEANMGR.EXE-1F86EA8E.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.EXE-1C26180C.pf moved successfully.
C:\WINDOWS\prefetch\DDS.SCR-1A247A1D.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-273F131E.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-269967DF.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-1B46F901.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT-SETUP.EXE-0F03B762.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT.EXE-10F447C7.pf moved successfully.
C:\WINDOWS\prefetch\EXCEL.EXE-2C971FD7.pf moved successfully.
C:\WINDOWS\prefetch\FIND.EXE-0EC32F1E.pf moved successfully.
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLECRASHHANDLER.EXE-34C2B2F4.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATE.EXE-1E123D86.pf moved successfully.
C:\WINDOWS\prefetch\HCPACKAGE.EXE.TMP-14175EF4.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-2878DDA2.pf moved successfully.
C:\WINDOWS\prefetch\HIJACKTHIS.EXE-34A0FC79.pf moved successfully.
C:\WINDOWS\prefetch\HJTINSTALL.EXE-00F93EE0.pf moved successfully.
C:\WINDOWS\prefetch\HOUSECALL.BIN-29FB101C.pf moved successfully.
C:\WINDOWS\prefetch\HOUSECALLLAUNCHER.EXE-21641F05.pf moved successfully.
C:\WINDOWS\prefetch\HPQBAM08.EXE-1ED43757.pf moved successfully.
C:\WINDOWS\prefetch\HPQGPC01.EXE-271E6A7F.pf moved successfully.
C:\WINDOWS\prefetch\HPQSTE08.EXE-18A7280B.pf moved successfully.
C:\WINDOWS\prefetch\HPQUSGL.EXE-1A66A7E1.pf moved successfully.
C:\WINDOWS\prefetch\HPRBLOG.EXE-16B72A6F.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf moved successfully.
C:\WINDOWS\prefetch\IMAPI.EXE-0BF740A4.pf moved successfully.
C:\WINDOWS\prefetch\IPCONFIG.EXE-2395F30B.pf moved successfully.
C:\WINDOWS\prefetch\IPODSERVICE.EXE-3192DE38.pf moved successfully.
C:\WINDOWS\prefetch\IS-O0A8F.TMP-3B8C8024.pf moved successfully.
C:\WINDOWS\prefetch\JAUREG.EXE-009F59AE.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-23A5E92B.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-2DC32ABC.pf moved successfully.
C:\WINDOWS\prefetch\JAVAWS.EXE-1625C0DD.pf moved successfully.
C:\WINDOWS\prefetch\JQS.EXE-1D781F77.pf moved successfully.
C:\WINDOWS\prefetch\JUSCHED.EXE-0F4A509D.pf moved successfully.
C:\WINDOWS\prefetch\JUSCHED.EXE-2F6337D1.pf moved successfully.
C:\WINDOWS\prefetch\KMPLAYER.EXE-0236E43A.pf moved successfully.
C:\WINDOWS\prefetch\Layout.ini moved successfully.
C:\WINDOWS\prefetch\LOGONUI.EXE-0AF22957.pf moved successfully.
C:\WINDOWS\prefetch\MANAGER.EXE-321411E1.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP-1.50.1.1100.EXE-397C9D37.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP-1.50.1.1100.TMP-188C745D.pf moved successfully.
C:\WINDOWS\prefetch\MBAM-SETUP-1.50.1.1100[1].EXE-20D43877.pf moved successfully.
C:\WINDOWS\prefetch\MBAM.EXE-0BEE0439.pf moved successfully.
C:\WINDOWS\prefetch\MBAMGUI.EXE-1286D63B.pf moved successfully.
C:\WINDOWS\prefetch\MBR.DAT-102277CE.pf moved successfully.
C:\WINDOWS\prefetch\MSFEEDSSYNC.EXE-25E13438.pf moved successfully.
C:\WINDOWS\prefetch\MSI996.TMP-0327CA3A.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-2F8A8CAE.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-189578DA.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\OTL.EXE-02D52FC8.pf moved successfully.
C:\WINDOWS\prefetch\OUTLOOK.EXE-27D5965C.pf moved successfully.
C:\WINDOWS\prefetch\PATCH.EXE-1A09F363.pf moved successfully.
C:\WINDOWS\prefetch\PATCH.EXE-1EE078A7.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-0AF6ECE0.pf moved successfully.
C:\WINDOWS\prefetch\REGEDIT.EXE-1B606482.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-25EEFE2F.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-119778A1.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-147710F4.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-147CAC4E.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-16471FC2.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1696A082.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-19B3AED6.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-268BFF96.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2861F5CB.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CD85FD3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CE7D69D.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2EC34910.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-31D2CC74.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-35A483DA.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-37E51F6C.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-449195CE.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-451FC2C0.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-45E601EC.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-260AB592.pf moved successfully.
C:\WINDOWS\prefetch\SETPATH.DAT-1473CB37.pf moved successfully.
C:\WINDOWS\prefetch\SETUP.EXE-0184268E.pf moved successfully.
C:\WINDOWS\prefetch\SETUP.EXE-1F3F242C.pf moved successfully.
C:\WINDOWS\prefetch\SORT.EXE-194AE83C.pf moved successfully.
C:\WINDOWS\prefetch\SSMYPICS.SCR-01C62024.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-3530F672.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.DAT-3B658F8C.pf moved successfully.
C:\WINDOWS\prefetch\TASKMGR.EXE-20256C55.pf moved successfully.
C:\WINDOWS\prefetch\TDSSKILLER.EXE-1AE466A4.pf moved successfully.
C:\WINDOWS\prefetch\TIPREAU.EXE-05EC8E54.pf moved successfully.
C:\WINDOWS\prefetch\TMAS_OEMON.EXE-28CD532B.pf moved successfully.
C:\WINDOWS\prefetch\TMAS_OL.EXE-00EFD65E.pf moved successfully.
C:\WINDOWS\prefetch\TMAS_OLSENTRY.EXE-20E82296.pf moved successfully.
C:\WINDOWS\prefetch\UIWATCHDOG.EXE-1F3C336F.pf moved successfully.
C:\WINDOWS\prefetch\UIWINMGR.EXE-0287642E.pf moved successfully.
C:\WINDOWS\prefetch\ULTRAWIPE.EXE-0D5ED44B.pf moved successfully.
C:\WINDOWS\prefetch\UNSECAPP.EXE-1A95A33B.pf moved successfully.
C:\WINDOWS\prefetch\UPGRADE.EXE-10009074.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf moved successfully.
C:\WINDOWS\prefetch\WINRAR.EXE-39C6DAD9.pf moved successfully.
C:\WINDOWS\prefetch\WINWORD.EXE-29F5CB89.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf moved successfully.
C:\WINDOWS\prefetch\WSCRIPT.EXE-32960AB9.pf moved successfully.
C:\WINDOWS\prefetch\WSCSTATUSCONTROLLER.EXE-33D37F60.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf moved successfully.
C:\WINDOWS\prefetch\WUDFHOST.EXE-215E7549.pf moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\\"DisableMonitoring" | 0 /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: Administrator.BUSINESS

User: All Users

User: Default User
->Flash cache emptied: 41044 bytes

User: Guest
->Flash cache emptied: 41044 bytes

User: LocalService

User: NetworkService

User: Owner
->Flash cache emptied: 53741 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 204550 bytes

User: Administrator.BUSINESS
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 49554 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 402339 bytes
->Temporary Internet Files folder emptied: 53980296 bytes
->Java cache emptied: 7698882 bytes
->Google Chrome cache emptied: 6066110 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 181615 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 28154290 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1491878 bytes

Total Files Cleaned = 94.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04212011_082207

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFA90D.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFA9BB.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFAA83.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFAABF.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFAC65.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DFAC92.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U9URKXI3\viewtopic[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EJ2BQD23\search[3].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_36c.dat not found!

Registry entries deleted on Reboot...
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 20th, 2011, 8:28 pm

Q4: Malwarebytes Anti-Malware Log.

A funny story...and a BONUS!!

Dear ol' Malwarebytes...:)

This is the prog I used to sort this stuff out prior to Trend Micro saying: "remove ALL malware and spy ware removal tools" when updating to their Titanium 2011 "offer" 4 -6 weeks ago.

I reloaded Malwarebytes, updated it, and ran a full system scan BEFORE your postings. The log is below.## SCAN ONE ##

After this scan the behaviour of the system was the same re: the google redirect.

I have dutifully stepped through your very succinct but thorough removal processes - I have really enjoyed it - and the recentl Malwarebytes scan log appears below at ## SCAN TWO ##

###########################################

## SCAN ONE ##

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6395

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/04/2011 11:34:17 PM
mbam-log-2011-04-19 (23-34-17).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 305887
Time elapsed: 3 hour(s), 52 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} (Adware.Alexa) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Nealaus » April 20th, 2011, 8:29 pm

###################################################

## SCAN TWO ##

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6408

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/04/2011 9:05:33 AM
mbam-log-2011-04-21 (09-05-33).txt

Scan type: Quick scan
Objects scanned: 184524
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Nealaus
Active Member
 
Posts: 13
Joined: April 18th, 2011, 5:41 pm

Re: Suspected Google Redirect Virus - Logs

Unread postby Dakeyras » April 21st, 2011, 6:46 am

Hi. :)

A most concise update and thank you! Though in future do please refrain from self fixes as I outlined in my first post to your good self...However no harm done this time.

Custom OTL Script:

  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: Select all
:Files
C:\~WipeTmp34.out

:Commands
[EmptyTemp]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.

Note: Any add-ons will require to be reapplied after the above reset.

New Adobe Reader Installation:

  • Go here and click on AdbeRdr1001_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • After the new Reader is installed, Open Adobe Reader X.
  • OK the license.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button.

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE 6 Update 24 (JDK or JRE). Click on Download JRE.
  • Select Windows from the drop-down list for Platform.
  • Check (tick) Java SE Runtime Environment 6u24 with JavaFX License Agreement box and click on Continue.
  • Click on jre-6u24-windows-i586.exe link to download it and save this to a convenient location.
  • Double-click on jre-6u24-windows-i586.exe to install Java.

Note: During installation de-select the option to install McAfee Security Scan Plus if offered.

Next:

Let myself know when completed the above, post the log from the custom OTL script. Also it appears you may be using a Router. Can you confirm for myself if this is the case or not, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 304 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware