Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Checking removal of Generic24 / search redirect virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 5th, 2011, 3:03 pm

Hi,

I started experiencing Google search redirects to an IP address in Tempe, AZ this AM after a reboot, which was the first reboot in several days. This is on a Win 7 Pro x64 home computer that is completely updated and also completely isolated from any educational or business network.

Prior to this, AVG (which is up-to-date) popped up some warnings on Sunday evening about a virus it had caught and 'fixed' while browsing with Firefox 3.6.x - the site was a legitimate hit from a Google search - either Financial Times or another business site like Business Insider. I immediately shut down the browser, ran a full scan and no infections were found.

I assume that AVG didn't get all the virus' boot files and that one was activated on this morning's reboot. Thereafter, Firefox and Google Chrome were hijacked (Google search results continually redirected). I didn't run IE but kept seeing (and stopping) two iexplore.exe process instances appearing in Task Manager. Re-running AVG, two infected files (e.g., 0.3987393973.exe) were found in the Firefox root directory, both indicated as Trojan Horse Generic24, moved to virus vault and deleted from there.

I shut down, booted from system CD and restored the entire Disk 0 from a Paragon backup image made a month ago.

Upon reboot I have uninstalled the older version of Firefox (without running it) and installed the newest version in a completely different location. Chrome was uninstalled and not reinstalled. IE runs normally and there are no spurious, 'zombie' iexplore.exe processes appearing in Task Manager at this time. No longer experiencing search redirects in Firefox. Re-scanned with AVG and no infections were found.

Please review the DDS and Attach logs below. I'm hoping the disk restore has eradicated this sucker. Please let me know if there's additional info needed.

Thanks in advance...

---------------------------------------------------------------------------------------------------------------------
DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner-91030 at 14:35:43 on 2011-09-05
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.9470 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
E:\Applications\PreSonus\UniversalControl\UniversalControl.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\avgchsva.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
E:\Applications\Winamp\winamp.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\AVG\AVG10\avgui.exe
C:\Program Files (x86)\AVG\AVG10\avgscana.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Userinit=userinit.exe
uWinlogon: Shell=explorer.exe,C:\Users\Owner-91030\AppData\Roaming\Microsoft\Windows\shell.exe
uWindows: Load=C:\Users\OWNER-~1\AppData\Local\Temp\dwm.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
uRun: [Universal Control] E:\Applications\PreSonus\UniversalControl\UniversalControl.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/softwa ... Plugin.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/f ... wflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://berklee.webex.com/client/T27LC/ ... atgpc1.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{81427E03-3948-40BD-9DA6-FC8F0F3C00C7} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IFEO: Notepad.exe - "C:\Program Files (x86)\TextPad 5\TextPad.exe" -n
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No File
TB-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
IFEO-X64: Notepad.exe - "C:\Program Files (x86)\TextPad 5\TextPad.exe" -n
Hosts: 127.0.0.1 http://www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Owner-91030\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 hotcore3;Hotcore helper;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-12 2214504]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 iLokDrvr;Usb Driver;C:\Windows\system32\DRIVERS\iLokDrvr.sys --> C:\Windows\system32\DRIVERS\iLokDrvr.sys [?]
R3 PaeFireStudio;PreSonus FireStudio;C:\Windows\system32\Drivers\PaeFireStudio.sys --> C:\Windows\system32\Drivers\PaeFireStudio.sys [?]
R3 PaeFireStudioAudio;PreSonus FireStudio Audio;C:\Windows\system32\drivers\PaeFireStudioAudio.sys --> C:\Windows\system32\drivers\PaeFireStudioAudio.sys [?]
R3 PaeFireStudioMidi;PreSonus FireStudio MIDI;C:\Windows\system32\drivers\PaeFireStudioMidi.sys --> C:\Windows\system32\drivers\PaeFireStudioMidi.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-8-22 401920]
S3 RDID1104;ME-25;C:\Windows\system32\Drivers\rdwm1104.sys --> C:\Windows\system32\Drivers\rdwm1104.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [2009-12-19 93336]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 14:36:10.07 ===============






-----------------------------------------------------------------------------------------------------------

Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/19/2009 7:12:33 AM
System Uptime: 9/5/2011 1:54:05 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P6T SE
Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | LGA1366 | 3400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 137 GiB total, 87.076 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 466 GiB total, 185.625 GiB free.
F: is FIXED (NTFS) - 466 GiB total, 204.596 GiB free.
G: is FIXED (NTFS) - 932 GiB total, 262.149 GiB free.
I: is NetworkDisk (NTFS) - 298 GiB total, 130.04 GiB free.
K: is NetworkDisk (NTFS) - 298 GiB total, 130.04 GiB free.
W: is NetworkDisk (NTFS) - 143 GiB total, 101.132 GiB free.
X: is NetworkDisk (NTFS) - 298 GiB total, 130.04 GiB free.
Z: is NetworkDisk (NTFS) - 298 GiB total, 130.04 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc1-810f-11d0-bec7-08002be2092f}
Description: 1394 OHCI Compliant Host Controller (Legacy)
Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&5E2F093&0&00E3
Manufacturer: 1394 OHCI Compliant Host Controller (Legacy)
Name: 1394 OHCI Compliant Host Controller (Legacy)
PNP Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&5E2F093&0&00E3
Service: ohci1394
.
==== System Restore Points ===================
.
RP177: 9/5/2011 2:20:01 PM - Removed Adobe Reader 9.2.
.
==== Installed Programs ======================
.
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Amazon Games & Software Downloader
Amazon Kindle For PC
Amazon Unbox Video
Apple Application Support
Apple Software Update
Beatscape 1.0.2
Carrara 8 (64bit)
CDBurnerXP
CyberLink Blu-ray Disc Suite
CyberLink PowerDVD
Dimension Pro 1.5
FileZilla Client 3.5.0
Finale NotePad 2011
FoxTab Video Converter (remove only)
Google Chrome
GPL Ghostscript 8.56
GPL Ghostscript Fonts
H&R Block Connecticut 2010
H&R Block Deluxe + Efile + State 2010
iLok Client Helper
Java Auto Updater
Java(TM) 6 Update 18
LG Tool Kit
ME-25 Librarian
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 6.0.1 (x86 en-US)
Mozilla Thunderbird (5.0)
Native Instruments Guitar Rig 4
Native Instruments Kontakt 3
Native Instruments Kontakt 3 Factory Content
Native Instruments Kontakt 4
Native Instruments Kontakt 4 Factory Content
Native Instruments Service Center
Native Instruments Session Strings
Neuratron AudioScore Lite
Neuratron PhotoScore Lite
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenOffice.org 3.2
QL Pianos Instrument Update 1.0.9
QL RA Instrument Update
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
SeaTools for Windows
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Sibelius 6.2.0.88
Sibelius Scorch (ActiveX Only)
Sibelius Scorch (Firefox, Opera, Netscape only)
Sibelius Sounds Essentials for Sibelius 6
Skype Toolbars
Skype™ 5.3
SONAR 8.5 Producer
SONAR 8.5 Producer x64
SONAR X1 Producer x64
Spybot - Search & Destroy
System Requirements Lab
TextPad 5
Unreal Tournament – Game of the Year Edition
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
Vue 8
WebEx
Winamp
Winamp Detector Plug-in
WinZip 14.0
WinZip Command Line Support Add-On 3.2
.
==== End Of File ===========================
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm
Advertisement
Register to Remove

Re: Checking removal of Generic24 / search redirect virus

Unread postby Alander » September 7th, 2011, 3:47 am

Hello, I Am Alander :)

Welcome to the Malware Removal forums.

I would be glad to take a look at your log and help you with solving any malware problems.

DDS logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.

As I am still training, everything that I post to you, must be checked by an Admin or Moderator.

Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.


  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
User avatar
Alander
Regular Member
 
Posts: 1599
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 7th, 2011, 11:06 am

Alander wrote:Hello, I Am Alander :)
Hi Alander - thanks for checking. Please let me know if you see anything odd.

So far it looks like the disk image restore has worked. I've been periodically running Anti-Malware with good results and have seen no mysterious behavior since the restore. I've also switched to the latest version of Firefox.

Going forward I plan to thoroughly test for infections after each new product installation, and then do a disk 0 image backup, in case this problem comes along again.

One interesting thing to pass along: Anti-Malware doesn't seem to like the way TextPad 5 sets itself up as a replacement for Notepad (when requested, via TextPad's preferences). That entry in the Registry gets flagged (erroneously?). Just something to know about.

cheers!

U0
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm

Re: Checking removal of Generic24 / search redirect virus

Unread postby Alander » September 10th, 2011, 1:38 pm

Hi :) Sorry for the delay

I have noted that you have restored your computer to a previous setting you have saved one month ago..

Step 1.
Create a System Restore Point (Vista - W7)
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

Unless you use some other method to create system restore points...
Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.

If you have successfully created a System Restore Point...we can proceed.
If you have NOT successfully created a System Restore Point...do not go any further!
Please post back so we can determine why it was unsuccessful.


Step 2.
Spybot S&D Teatimer

From your log i can see this that you are running a Spybot S&D Teatimer. This might interfere with fixes we are about to do so we need to disable it.

Disable Spybot's TeaTimer. This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Step 3.
Run CKScanner
  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe > select " Run as administrator " then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 4.
Upload File/Files for testing

Please go to jotti.org or Virustotal

Copy/paste this file and path into the white box at the top:
1. C:\Users\Owner-91030\AppData\Roaming\Microsoft\Windows\shell.exe
2. C:\Users\OWNER-~1\AppData\Local\Temp\dwm.exe
3. C:\Windows\system32\Drivers\rdwm1104.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address :
Image
Repeat the steps for each of the files listed in the box, you should come back with 3 links


Step 5.
Please download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe And select Run as administrator to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
      Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Step 6.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. CKFiles.txt from step 3
  3. permalink (web address) of the 3 files to be scanned from step 4
  4. OTL.txt and Extra.txt (Please post these logs in a seperate post as they can be long)
Thanks
User avatar
Alander
Regular Member
 
Posts: 1599
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 10th, 2011, 7:41 pm

Hi Alander - thanks for the follow-up.

I'm optimistic so far - the results look good to me.

1. Any problem executing the instructions?

The only problem was that two of the files to be scanned did not exist any longer: shell.exe and dwm.exe. I have run Windows Update since the image restore, as well as multiple passes of Anti-Malware. Something apparently removed them. All other instructions went fine.

2. CKFiles.txt from step 3

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\common files\native instruments\kontakt 4\presets\effects\convolution\05 drum reverbs\0.4s firecracker snare orven.nkp
c:\program files (x86)\common files\native instruments\kontakt 3\presets\effects\convolution\02 drum reverbs\0_4s_firecrackersnare_orven.nkp
scanner sequence 3.LB.11.AQNAKL
----- EOF -----

This .nkp file belongs to my Kontakt sampling synthesizer.


3. permalink (web address) of the 3 files to be scanned from step 4

Only got one, for Rdwm1104.sys - all of the Jotti Scanners "Found Nothing":

http://virusscan.jotti.org/en/scanresul ... 7c485055a3


4. OTL.txt and Extra.txt (Please post these logs in a seperate post as they can be long)

See the following posts...

thanks!!!
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm

Re: Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 10th, 2011, 7:42 pm

OTL.txt -

OTL logfile created on: 9/10/2011 7:28:36 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\Owner-91030\Desktop
64bit- An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

11.99 Gb Total Physical Memory | 9.87 Gb Available Physical Memory | 82.29% Memory free
20.98 Gb Paging File | 18.82 Gb Available in Paging File | 89.70% Paging File free
Paging file location(s): c:\pagefile.sys 9202 9202 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 137.17 Gb Total Space | 81.19 Gb Free Space | 59.19% Space Free | Partition Type: NTFS
Drive D: | 599.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 183.09 Gb Free Space | 39.31% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 204.60 Gb Free Space | 43.93% Space Free | Partition Type: NTFS
Drive G: | 931.51 Gb Total Space | 262.15 Gb Free Space | 28.14% Space Free | Partition Type: NTFS
Drive I: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive K: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive W: | 142.64 Gb Total Space | 101.06 Gb Free Space | 70.85% Space Free | Partition Type: NTFS
Drive X: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive Z: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS

Computer Name: AUDIO2 | User Name: Owner-91030 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Owner-91030\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe ()
PRC - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - E:\Applications\PreSonus\UniversalControl\UniversalControl.exe ()
PRC - C:\Program Files (x86)\TextPad 5\TextPad.exe (Helios Software Solutions)
PRC - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
MOD - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe ()
MOD - E:\Applications\PreSonus\UniversalControl\UniversalControl.exe ()


========== Win32 Services (SafeList) ==========

SRV:64bit: - (SandraAgentSrv) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe (SiSoftware)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (AVGIDSAgent) -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ADVService) -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (Amazon.com)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (Amazon Download Agent) -- C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe (Amazon.com)
SRV - (NMSAccessU) -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe ()
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (IAANTMON) Intel(R) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (AVGIDSDriver) -- C:\Windows\SysNative\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (Avgtdia) -- C:\Windows\SysNative\drivers\avgtdia.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (Avgrkx64) -- C:\Windows\SysNative\drivers\avgrkx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (Avgmfx64) -- C:\Windows\SysNative\drivers\avgmfx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (AVGIDSEH) -- C:\Windows\SysNative\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (AVGIDSFilter) -- C:\Windows\SysNative\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV:64bit: - (PaeFireStudio) -- C:\Windows\SysNative\drivers\PaeFireStudio.sys (PreSonus Audio Electronics)
DRV:64bit: - (PaeFireStudioMidi) -- C:\Windows\SysNative\drivers\PaeFireStudioMidi.sys (PreSonus Audio Electronics)
DRV:64bit: - (PaeFireStudioAudio) -- C:\Windows\SysNative\drivers\PaeFireStudioAudio.sys (PreSonus Audio Electronics)
DRV:64bit: - (Avgldx64) -- C:\Windows\SysNative\drivers\avgldx64.sys (AVG Technologies CZ, s.r.o.)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (iLokDrvr) -- C:\Windows\SysNative\drivers\iLokDrvr.sys ()
DRV:64bit: - (Tpkd) -- C:\Windows\SysNative\drivers\Tpkd.sys (PACE Anti-Piracy, Inc.)
DRV:64bit: - (StarOpen) -- C:\Windows\SysNative\drivers\StarOpen.sys ()
DRV:64bit: - (RDID1104) -- C:\Windows\SysNative\drivers\Rdwm1104.sys (Roland Corporation)
DRV:64bit: - (SANDRA) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x64\sandra.sys (SiSoftware)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (UimBus) -- C:\Windows\SysNative\drivers\uimx64.sys (Windows (R) 2000 DDK provider)
DRV:64bit: - (hotcore3) -- C:\Windows\SysNative\drivers\hotcore3.sys (Paragon Software Group)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()
DRV - (StarOpen) -- C:\Windows\SysWow64\drivers\StarOpen.sys ()
DRV - ({95808DC4-FA4A-4C74-92FE-5B863F82066B}) -- C:\Program Files (x86)\CyberLink\PowerDVD\000.fcl (CyberLink Corp.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm






IE - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
IE - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9D 04 F7 84 B9 FA CB 01 [binary data]
IE - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?pc=Z039&form=ZGAPHP"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: {af79f858-4b25-4ca4-822b-b5db1be628fc}:0.3.2
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.7.3
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:5.0.1
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z039&form=ZGAADF&q="
FF - prefs.js..network.proxy.type: 4

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@ilok.com/iLokHelper,version=3.1.0.7: C:\Program Files (x86)\PACE Anti-Piracy\iLok\NPPaceILok.dll ( PACE Anti-Piracy, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.609: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.609: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.609: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.609: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Owner-91030\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Owner-91030\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/09/06 14:39:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: E:\Applications\Mozilla Thunderbird\components [2011/08/19 01:49:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: E:\Applications\Mozilla Thunderbird\plugins

[2010/09/03 13:24:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Extensions
[2010/09/03 13:24:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/09/08 14:33:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Firefox\Profiles\u71h8ird.default\extensions
[2010/06/24 18:18:42 | 000,000,000 | ---D | M] (BBCodeXtra) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Firefox\Profiles\u71h8ird.default\extensions\{af79f858-4b25-4ca4-822b-b5db1be628fc}
[2011/07/03 09:09:19 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Firefox\Profiles\u71h8ird.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/29 18:08:55 | 000,000,000 | ---D | M] (United States English Spellchecker) -- C:\Users\Owner-91030\AppData\Roaming\mozilla\Firefox\Profiles\u71h8ird.default\extensions\en-US@dictionaries.addons.mozilla.org
[2011/05/05 17:38:02 | 000,001,919 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\bing-zugo.xml
[2010/08/03 08:29:43 | 000,000,931 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\dictionary.xml
[2010/08/03 08:27:54 | 000,001,635 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\firefox-add-ons.xml
[2010/02/03 21:14:38 | 000,012,670 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\imdb.xml
[2010/04/28 13:49:59 | 000,001,623 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\isgd.xml
[2010/02/03 20:00:34 | 000,000,998 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\netflixcom.xml
[2010/02/22 12:05:26 | 000,004,153 | ---- | M] () -- C:\Users\Owner-91030\AppData\Roaming\Mozilla\Firefox\Profiles\u71h8ird.default\searchplugins\youtube.xml
[2011/09/05 14:24:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/09/06 14:39:26 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/08/30 15:41:02 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/18 14:05:18 | 000,434,608 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 http://www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 http://www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 http://www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 http://www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 http://www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 http://www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 http://www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 http://www.100888290cs.com
O1 - Hosts: 127.0.0.1 http://www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 http://www.10sek.com
O1 - Hosts: 127.0.0.1 http://www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14955 more lines...
O2:64bit: - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-599480282-1703417149-2220395402-1000..\Run: [Universal Control] E:\Applications\PreSonus\UniversalControl\UniversalControl.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/softwa ... Plugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/f ... wflash.cab (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://berklee.webex.com/client/T27LC/ ... atgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{81427E03-3948-40BD-9DA6-FC8F0F3C00C7}: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O27:64bit: - HKLM IFEO\Notepad.exe: Debugger - C:\Program Files (x86)\TextPad 5\TextPad.exe (Helios Software Solutions)
O27 - HKLM IFEO\Notepad.exe: Debugger - "C:\Program Files (x86)\TextPad 5\TextPad.exe" -n (Helios Software Solutions)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/26 14:58:07 | 000,000,000 | ---- | M] () - W:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{89fc9fa6-97a3-11e0-a7b9-e0cb4e075d67}\Shell - "" = AutoRun
O33 - MountPoints2\{89fc9fa6-97a3-11e0-a7b9-e0cb4e075d67}\Shell\AutoRun\command - "" = H:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgchsva.exe /sync) - C:\Program Files (x86)\AVG\AVG10\avgchsva.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart) - C:\Program Files (x86)\AVG\AVG10\avgrsa.exe (AVG Technologies CZ, s.r.o.)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/10 19:27:13 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Users\Owner-91030\Desktop\OTL.exe
[2011/09/06 09:33:32 | 000,096,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/09/06 09:33:32 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/09/06 09:33:27 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/09/06 09:33:26 | 002,303,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2011/09/06 09:33:26 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/09/06 09:33:26 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/09/06 09:33:26 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/09/06 09:33:25 | 000,818,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2011/09/06 09:33:25 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2011/09/05 17:07:19 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/09/05 16:43:21 | 000,000,000 | ---D | C] -- C:\Users\Owner-91030\AppData\Roaming\Malwarebytes
[2011/09/05 16:43:17 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/09/05 16:43:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/05 16:43:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/09/05 16:43:13 | 000,025,912 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/09/05 16:43:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/09/05 14:24:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2011/09/05 14:03:37 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xmllite.dll
[2011/09/05 14:03:36 | 000,319,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbcjt32.dll
[2011/09/05 14:03:36 | 000,212,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbctrac.dll
[2011/09/05 14:03:36 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbctrac.dll
[2011/09/05 14:03:36 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccp32.dll
[2011/09/05 14:03:36 | 000,122,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccp32.dll
[2011/09/05 14:03:36 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccu32.dll
[2011/09/05 14:03:36 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccr32.dll
[2011/09/05 14:03:36 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccu32.dll
[2011/09/05 14:03:36 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccr32.dll
[2011/09/05 14:03:32 | 001,162,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2011/09/05 14:03:32 | 000,421,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2011/09/05 14:03:32 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2011/09/05 14:03:32 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2011/09/05 14:03:32 | 000,214,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2011/09/05 14:03:31 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2011/09/05 14:03:31 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2011/09/05 14:03:31 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2011/09/05 14:03:31 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2011/09/05 14:03:31 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2011/09/05 14:03:31 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2011/09/05 14:03:31 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2011/09/05 14:03:31 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2011/09/05 14:03:31 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2011/09/05 14:03:31 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2011/09/05 14:03:31 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2011/09/05 14:03:31 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2011/09/05 14:03:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2011/09/05 14:03:31 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2011/09/05 14:03:31 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2011/09/05 14:03:27 | 005,561,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2011/09/05 14:03:27 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2011/09/05 14:03:27 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/10 19:13:16 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/10 19:13:16 | 000,015,040 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/10 19:11:47 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/09/10 19:11:47 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/09/10 19:11:47 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/09/10 19:05:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/10 19:05:26 | 1066,725,374 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/10 19:02:54 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\Owner-91030\Desktop\OTL.exe
[2011/09/10 19:02:21 | 000,459,264 | ---- | M] () -- C:\Users\Owner-91030\Desktop\CKScanner.exe
[2011/09/10 19:01:00 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-599480282-1703417149-2220395402-1000UA.job
[2011/09/10 18:15:25 | 000,002,061 | ---- | M] () -- C:\Users\Owner-91030\Desktop\Kindle.lnk
[2011/09/10 14:01:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-599480282-1703417149-2220395402-1000Core.job
[2011/09/10 06:38:32 | 131,720,957 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2011/09/08 11:03:21 | 000,002,034 | -H-- | M] () -- C:\Users\Owner-91030\Documents\Default.rdp
[2011/09/08 05:15:54 | 000,288,484 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
[2011/09/06 22:48:53 | 000,000,909 | ---- | M] () -- C:\Users\Owner-91030\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2011/09/06 14:39:28 | 000,003,804 | ---- | M] () -- C:\Windows\cdplayer.ini
[2011/09/05 21:46:02 | 000,000,830 | ---- | M] () -- C:\Users\Public\Desktop\REAPER (x64).lnk
[2011/09/05 17:07:19 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/09/05 16:43:17 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/05 15:12:15 | 000,002,021 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/09/05 14:24:42 | 000,001,140 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/09/05 14:02:07 | 000,000,955 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/10 19:02:21 | 000,459,264 | ---- | C] () -- C:\Users\Owner-91030\Desktop\CKScanner.exe
[2011/09/10 18:15:25 | 000,002,061 | ---- | C] () -- C:\Users\Owner-91030\Desktop\Kindle.lnk
[2011/09/05 16:43:17 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/05 15:12:15 | 000,002,021 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/09/05 15:12:14 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/09/05 14:24:42 | 000,001,152 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/09/05 14:24:42 | 000,001,140 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/08/24 13:10:33 | 000,000,334 | ---- | C] () -- C:\Windows\lgfwup.ini
[2010/05/06 14:02:41 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010/04/30 16:26:34 | 000,023,040 | ---- | C] () -- C:\Users\Owner-91030\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/28 17:10:36 | 000,000,008 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/04/22 23:59:44 | 000,003,804 | ---- | C] () -- C:\Windows\cdplayer.ini
[2010/04/17 12:55:29 | 000,000,604 | -H-- | C] () -- C:\Program Files (x86)\STLL Notifier
[2010/04/17 12:20:34 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/01/05 14:51:36 | 000,007,168 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys
[2009/12/19 17:38:23 | 014,880,768 | ---- | C] () -- C:\ProgramData\sandra.mda
[2009/12/19 08:17:03 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 1334 bytes -> C:\Users\Owner-91030\AppData\Local\IewcMpf40H:DP06TOLYJQsNXYxuWZgSboci
@Alternate Data Stream - 1200 bytes -> C:\ProgramData\Microsoft:P8oUNwHvdJgYbae4bZ3jUe
@Alternate Data Stream - 1182 bytes -> C:\ProgramData\Microsoft:t7n1sc8EDpAT2GnHOaEP2580V
@Alternate Data Stream - 1181 bytes -> C:\ProgramData\Microsoft:3c7ag6Z1tVfjvO4zIgvlEUAm
@Alternate Data Stream - 1175 bytes -> C:\Users\Owner-91030\AppData\Local\Ys19yUxyqetc7:bRaOGnrf45BiFQJ6GZChdDiXGs4
@Alternate Data Stream - 1083 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:jnNeGGjZig1n03THJAld1LGd
@Alternate Data Stream - 1063 bytes -> C:\Users\Owner-91030\AppData\Local\Temp:dZiFhkHt6MxhDt8dwYg9cg
@Alternate Data Stream - 1058 bytes -> C:\ProgramData\Microsoft:jx4WXyGPCAuTcEi14HWtjGa97

< End of report >
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm

Re: Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 10th, 2011, 7:44 pm

Extras.txt -

OTL Extras logfile created on: 9/10/2011 7:28:36 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\Owner-91030\Desktop
64bit- An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

11.99 Gb Total Physical Memory | 9.87 Gb Available Physical Memory | 82.29% Memory free
20.98 Gb Paging File | 18.82 Gb Available in Paging File | 89.70% Paging File free
Paging file location(s): c:\pagefile.sys 9202 9202 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 137.17 Gb Total Space | 81.19 Gb Free Space | 59.19% Space Free | Partition Type: NTFS
Drive D: | 599.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 183.09 Gb Free Space | 39.31% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 204.60 Gb Free Space | 43.93% Space Free | Partition Type: NTFS
Drive G: | 931.51 Gb Total Space | 262.15 Gb Free Space | 28.14% Space Free | Partition Type: NTFS
Drive I: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive K: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive W: | 142.64 Gb Total Space | 101.06 Gb Free Space | 70.85% Space Free | Partition Type: NTFS
Drive X: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS
Drive Z: | 298.09 Gb Total Space | 104.70 Gb Free Space | 35.12% Space Free | Partition Type: NTFS

Computer Name: AUDIO2 | User Name: Owner-91030 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00BCC0AD-0699-48B6-9900-3C53BBCD4DAC}" = AVG 2011
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0B8565BA-BAD5-4732-B122-5FD78EFC50A9}" = Native Instruments Service Center
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x64
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{43E7798A-248E-4A3D-9969-FEA63543A462}" = Native Instruments Kontakt 4
"{4FFA2088-8317-3B14-93CD-4C699DB37843}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729
"{65B7E38D-10F8-4B1A-8EE3-BF2362CF12AE}" = Native Instruments Kontakt 4 Factory Content
"{67F7DF2B-1B41-4105-807F-CED2CE6188A3}" = WordBuilder PLAY 64 Bit
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{71F2CF3C-07C9-4FB9-8B22-8BC411C2E3EE}" = AVG 2011
"{77E8C6BB-D04B-4C4E-9DCB-FFD5242BB2C5}" = Play Complete Composers Collection
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{93717603-233D-446F-AACE-DC6388923267}" = Play Update 2.1.1
"{AFF35EE7-DEA8-4348-BE75-4B075821FF8D}" = Play Update 2.1.2
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B80954EE-5CA9-4202-BB8C-0DC3E332F47F}" = Native Instruments Kontakt 3
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010
"{C7FAFC98-5ECC-40FC-B440-A5D5FE3A6A6E}" = Native Instruments Guitar Rig 4
"{CED9FF0B-8D06-484E-857F-3584CE167952}" = Native Instruments Session Strings
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{EB367D86-AC0E-41D1-93AE-6DE1A1C5C383}" = Native Instruments Kontakt 3 Factory Content
"{F2981339-823E-4C62-9C6F-6733BAEE9EF5}" = Paragon Hard Disk Manager™ 2009 Suite
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"AVG" = AVG 2011
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"PreSonus Universal Control_is1" = PreSonus Universal Control 1.2
"REAPER" = REAPER (x64)
"RolandRDID0104" = ME-25 Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06C89319-FE17-435D-BF51-66F5C15E6CDA}" = ME-25 Librarian
"{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
"{10ABE49D-343A-463E-9753-C4C5A05ECEF9}" = Sibelius Scorch (Firefox, Opera, Netscape only)
"{1DA4A6F1-DECD-4143-BD0E-2E331062E155}" = QL Pianos Instrument Update 1.0.9
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink Blu-ray Disc Suite
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG Tool Kit
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = CyberLink PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{868291A4-229E-4795-B0B0-E60E87AF53CD}" = Sibelius Scorch (ActiveX Only)
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{A49F908A-DE33-4E0B-B023-CAAB88D88800}" = QL RA Instrument Update
"{A6F13F58-5E31-42A5-8657-F8CCFDA00D61}" = H&R Block Connecticut 2010
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BC}" = WinZip 14.0
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{DEA491FB-48BC-4B6B-8902-FCD4BAB069BE}" = iLok Client Helper
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0EB3969-C007-4ABE-9245-990C5E021A8F}_is1" = Sibelius Sounds Essentials for Sibelius 6
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
"Amazon Kindle" = Amazon Kindle
"Cakewalk Beatscape_is1" = Beatscape 1.0.2
"Carrara 8 (64bit) 8.0.0.231" = Carrara 8 (64bit)
"DimensionPro_x64_is1" = Dimension Pro 1.5
"FileZilla Client" = FileZilla Client 3.5.1
"Finale NotePad 2011" = Finale NotePad 2011
"FX - Video Converter" = FoxTab Video Converter (remove only)
"GPL Ghostscript 8.56" = GPL Ghostscript 8.56
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"InstallShield_{06C89319-FE17-435D-BF51-66F5C15E6CDA}" = ME-25 Librarian
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink Blu-ray Disc Suite
"InstallShield_{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"InstallShield_{DEA491FB-48BC-4B6B-8902-FCD4BAB069BE}" = iLok Client Helper
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"Mozilla Thunderbird (6.0.2)" = Mozilla Thunderbird (6.0.2)
"Native Instruments Guitar Rig 4" = Native Instruments Guitar Rig 4
"Native Instruments Kontakt 3" = Native Instruments Kontakt 3
"Native Instruments Kontakt 3 Factory Content" = Native Instruments Kontakt 3 Factory Content
"Native Instruments Kontakt 4" = Native Instruments Kontakt 4
"Native Instruments Kontakt 4 Factory Content" = Native Instruments Kontakt 4 Factory Content
"Native Instruments Service Center" = Native Instruments Service Center
"Native Instruments Session Strings" = Native Instruments Session Strings
"Neuratron AudioScore Lite" = Neuratron AudioScore Lite
"Neuratron PhotoScore Lite" = Neuratron PhotoScore Lite
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"RealPlayer 12.0" = RealPlayer
"Sibelius 6_is1" = Sibelius 6.2.0.88
"SONAR85Producer_is1" = SONAR 8.5 Producer
"SONAR85Producer_x64_is1" = SONAR 8.5 Producer x64
"SONARX1Producer_x64_is1" = SONAR X1 Producer x64
"Unreal Tournament – Game of the Year Edition_is1" = Unreal Tournament – Game of the Year Edition
"Vue 8" = Vue 8
"Winamp" = Winamp
"WZCLINE" = WinZip Command Line Support Add-On 3.2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-599480282-1703417149-2220395402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm

Re: Checking removal of Generic24 / search redirect virus

Unread postby Alander » September 13th, 2011, 1:37 pm

Please do not update your computer or run any scans unless I instruct you do so, as this will make my analysis harder


Step 1.
Create a System Restore Point (Vista - W7)
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

Unless you use some other method to create system restore points...
Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.

Step 2.
Retrieve Malwarebytes Anti-Malware (MBAM) Log(s)
There is a need to see a scan log from a previous run of MBAM, please do the following:
  1. Start MBAM... click the Logs tab at the top.
    The log will be named by the date & time of scan in the following format: mbam-log-yyyy-mm-dd (time).txt
    If you have had multiple runs of MBAM, there may be several logs showing in the list.
  2. Click on the last (most recent) log name to highlight it... then click the Open button, at bottom left. The log should open in Notepad as a text file.
  3. Please copy and paste the entire mbam-log-yyyy-mm-dd (time).txt file in your next reply.
    Be sure to post the complete log... including the top portion showing MBAM's database version and your operating system.
  4. Exit MBAM when done.
Note: MBAM logs are saved to the following locations:
?:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs
?:\ is the System Drive... normally C. - and - Username = logon Id.

Step 3.
OTL - System Scan
RUN OTL on your desktop as you have saved earlier..
Important! Close all applications and windows so that you have nothing open and are at your Desktop
  1. Right click on OTL.exe select "Run As Administrator" to run it. If prompted by UAC, please allow it.
  2. When the window appears, make sure Include 64bit Scans is CHECKED.
  3. Underneath Output at the top, make sure Minimal Output is selected.
  4. Under the Standard Registry box change it to All.
  5. Check/tick the boxes beside LOP Check and Purity Check.
  6. Copy the following text... do not include the quote box title "Quote'
    :OTL
    O2:64bit: - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No CLSID value found.
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O3 - HKU\S-1-5-21-599480282-1703417149-2220395402-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    @Alternate Data Stream - 1334 bytes -> C:\Users\Owner-91030\AppData\Local\IewcMpf40H:DP06TOLYJQsNXYxuWZgSboci
    @Alternate Data Stream - 1175 bytes -> C:\Users\Owner-91030\AppData\Local\Ys19yUxyqetc7:bRaOGnrf45BiFQJ6GZChdDiXGs4
    @Alternate Data Stream - 1063 bytes -> C:\Users\Owner-91030\AppData\Local\Temp:dZiFhkHt6MxhDt8dwYg9cg

    :Commands
    [emptytemp]
    [emptyflash]
    [restart]
  7. Click under the Custom Scan/Fixes box and paste the copied text.
  8. Click the Run Fix button. If prompted... click OK.
  9. When the scan completes, Notepad will open with the scan results (OTL.txt). The report is saved in the same location as OTL.
  10. Please post the contents of report in your next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Your last MBAM log
  3. OTL.txt
  4. How is the computer doing?
Thanks
User avatar
Alander
Regular Member
 
Posts: 1599
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Checking removal of Generic24 / search redirect virus

Unread postby Alander » September 16th, 2011, 6:35 am

3 Day Response
Hi...
It has been 2 days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
After 24 hrs., if you have not replied to this thread... it will be closed!
User avatar
Alander
Regular Member
 
Posts: 1599
Joined: September 15th, 2007, 2:04 pm
Location: Singapore

Re: Checking removal of Generic24 / search redirect virus

Unread postby UserZero » September 16th, 2011, 8:20 am

Hi,

Thanks for helping with this. Work has been crazy and since everything seems back to normal, I haven't done these scans.

I'll perform them when time permits, but for right now I think things are okay.

You can close this thread. Again - thanks so much for your assistance!

cheers,

U0
UserZero
Active Member
 
Posts: 6
Joined: September 5th, 2011, 2:09 pm

Re: Checking removal of Generic24 / search redirect virus

Unread postby Wingman » September 16th, 2011, 9:10 am

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware