Jump hijack malware

Re: Jump hijack malware

Post by elerrina » May 14th, 2012, 2:30 pm

OK, so this wasn't so successful. The OTL scanner, I think, completed, but it seemed to completely stop responding. I Ctrl+Alt+Deleted to start Task Manager and then the screen went black, so I had to manually turn off the PC. Upon startup it did pop up with OTL results, but I'm just not sure if that was the full thing.
And the scanner that was running hung on a file for over 30 minutes even though I hadn't touched the computer, so I stopped it. (I have college work to do and can't really not have access to the computer for over 2 hours.) But it did find a threat.

Edit: I did also randomly get redirected from a webpage, not from Google; it acted like I had searched for something with the AVG search. It showed "rxd" in the search bar and said nothing could be found.
Edit 2: I am experiencing more redirects than before now.
Edit 3: I re-ran the scan but changed the settings slightly so it didn't scan all my games folders like Skyrim, Dragon Age, and WoW, as they're pretty large and take a long time. The results were the same as the previous scan. This should be the last edit xD

Files\Folders moved on Reboot...
C:\Users\Ash\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Ash\AppData\Local\Temp\~DF9CBA20F55D2171AD.TMP moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\startupCache\startupCache.4.little moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Ash\AppData\Local\Mozilla\Firefox\Profiles\l6k2sjcs.default\urlclassifier3.sqlite moved successfully.
File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...


And here is the ESET scanner result.

C:\Users\Ash\Downloads\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application

I can run the scan again tomorrow when I'm at work; I just didn't realise it would take so long =)
Cheers
elerrina
Regular Member
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Post by Dakeyras » May 14th, 2012, 6:03 pm

Hi. :)

> I have college work to do and can't really not have access to the computer for over 2 hours
OK, I appreciate this; however, in future it is best to let any scan I ask for run to completion, unless of course it stalls, in which case merely inform me.

> I re-ran the scan but changed the settings slightly so it didn't scan all my games folders like Skyrim, Dragon Age, and WoW, as they're pretty large and take a long time. The results were the same as the previous scan.
Fair play, but please do not change the settings for any scan unless advised otherwise, as this will actually hinder me in trying to rid your machine of malware.

Anyway, as to what was flagged by the online scan: that appears to be what is known as a false positive detection, so no further action is required with regard to that. Though I will most likely be asking for another type of online anti-virus scan at some point in the future.

Next:

Re-run Farbar Service Scanner (with all options selected this time, apart from Windows Defender) and also RogueKiller again, please, as per my prior instructions, and post the new logs.

Next:

Also, could you add the MBR.dat file created by aswMBR to a zip file, then attach the zip file to your next reply. That way I can analyse your machine's MBR (master boot record) myself. Thank you.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Post by elerrina » May 15th, 2012, 5:20 pm

Hi,
Yeah, I didn't stop the scan because it was taking too long; it had frozen on a particular file, and then when I tried to Ctrl+Alt+Delete the screen went black. Also, I wouldn't normally change any scan settings, of course, but I thought it would just be useful to ensure that it finished scanning, and it had already scanned all my games folders beforehand =)

I can't upload the .dat file; I get a message saying the extension is not allowed.

Farbar Service Scanner Version: 11-05-2012
Ran by Ash (administrator) on 15-05-2012 at 22:03:46
Running from "C:\Users\Ash\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is blocked.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Ash [Admin rights]
Mode: Scan -- Date: 05/15/2012 22:14:24

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] FSS.exe -- C:\Users\Ash\Desktop\FSS.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost #[IPv6]
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 abcstats.com
127.0.0.1 a.abv.bg
127.0.0.1 adserver.abv.bg
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 ca.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 http://www.accuserveadsystem.com
127.0.0.1 achmedia.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 http://www.aconti.net #[Dialer.Aconti]
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD502HJ ATA Device +++++
--- User ---
[MBR] c638ce7024a2ec8e245bfe1c07f5058d
[BSP] 9a0c03fdd536f34388a25a6dc08d7586 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer Blade USB Device +++++
--- User ---
[MBR] ab45f4a43524e2f1959a78007a8c87c4
[BSP] 659552e289dfc5a087bd01aee0312314 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7629 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
elerrina
Regular Member
Posts: 27
Joined: May 9th, 2012, 1:42 pm
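
The two logs above are what a helper reads before deciding the next step. As an added example (not a tool from this thread, nor from the author of either scanner), the Python below pulls out the pieces that matter most in them: the per-profile EnableFirewall values from the FSS "Firewall Disabled Policy" block, where DWORD:0 means the Windows Firewall is off for that profile, and the HOSTS entries RogueKiller dumped, separating the stock loopback lines and names black-holed to 127.0.0.1 (what an ad-blocking hosts list looks like) from names sent to any other address, which is the shape a hosts-file hijack takes. Entries whose hostname column holds a URL rather than a hostname are reported separately, because the resolver can never match them. The samples are copied from the post above (a subset); the single non-loopback HOSTS line is constructed for the example and marked as such.

```python
import ipaddress
import re

# Subset of the Farbar Service Scanner log posted above (copied, not generated).
FSS_SAMPLE = r"""
Firewall Disabled Policy:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0
"""

# HOSTS section of the RogueKiller log posted above (a subset, its "[...]" elision
# dropped); the final line is constructed for this example and is not in the log.
RK_HOSTS_SAMPLE = """
127.0.0.1 localhost
::1 localhost #[IPv6]
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 abcstats.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 http://www.accuserveadsystem.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 http://www.aconti.net #[Dialer.Aconti]
203.0.113.5 update.example.com  # constructed line, not from the posted log
"""

_FW_KEY = re.compile(r"FirewallPolicy\\(\w+Profile)\]")
_FW_VAL = re.compile(r'"EnableFirewall"=DWORD:(\d+)')
# Hostname labels only (RFC 1123 characters); a URL or a path fails this check.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")
# Addresses an ad-blocking hosts list points names at (black-holed, not hijacked).
_BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_firewall_policy(text):
    """Map each profile in the FSS block to True (firewall on) / False (off).

    FSS prints the registry key, then its EnableFirewall value on the next
    line; DWORD:0 means the Windows Firewall is off for that profile.
    """
    profiles, current = {}, None
    for line in text.splitlines():
        key = _FW_KEY.search(line)
        if key:
            current = key.group(1)
            continue
        val = _FW_VAL.search(line)
        if val and current:
            profiles[current] = val.group(1) != "0"
            current = None
    return profiles


def disabled_profiles(profiles):
    """Names of the profiles whose firewall is off, in log order."""
    return [name for name, on in profiles.items() if not on]


def classify_hosts(text):
    """Split HOSTS lines into stock loopback entries, names black-holed to a
    loopback/unspecified address (an ad-blocking list), names sent to any other
    address (the shape a hijack takes), and malformed entries such as a URL in
    the hostname column, which the resolver can never match."""
    out = {"stock": [], "blocked": [], "suspicious": [], "malformed": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()          # drop comments
        if not entry:
            continue
        tokens = entry.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            out["malformed"].append(raw)
            continue
        if len(tokens) < 2:
            out["malformed"].append(raw)
            continue
        for name in tokens[1:]:
            if not _HOSTNAME.match(name):
                out["malformed"].append(raw)
            elif name == "localhost" and addr in _BLACKHOLE:
                out["stock"].append(name)
            elif addr in _BLACKHOLE:
                out["blocked"].append((name, str(addr)))
            else:
                out["suspicious"].append((name, str(addr)))
    return out


if __name__ == "__main__":
    print("firewall off for:", disabled_profiles(parse_firewall_policy(FSS_SAMPLE)) or "none")
    hosts = classify_hosts(RK_HOSTS_SAMPLE)
    print(f"{len(hosts['blocked'])} black-holed, {len(hosts['suspicious'])} redirected elsewhere,",
          f"{len(hosts['malformed'])} malformed; check:", hosts["suspicious"])
```

On the posted log this reports all three firewall profiles off and every HOSTS redirect pointing at loopback, so the HOSTS file is not where the browser redirects come from; the constructed 203.0.113.5 line shows what an entry worth chasing would look like.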

Re: Jump hijack malware

Post by Dakeyras » May 15th, 2012, 5:46 pm

Hi. :)

> Yeah, I didn't stop the scan because it was taking too long; it had frozen on a particular file, and then when I tried to Ctrl+Alt+Delete the screen went black. Also, I wouldn't normally change any scan settings, of course, but I thought it would just be useful to ensure that it finished scanning, and it had already scanned all my games folders beforehand =)
OK.

> I can't upload the .dat file; I get a message saying the extension is not allowed.
What you need to do is right-click on MBR.dat >> Send to >> Compressed (zipped) folder.

When completed there should be a file on your desktop named MBR.zip, attach that in your next reply.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
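
The MBR.dat that aswMBR writes is a raw copy of the disk's first sector, and the "MBR Check" section of the RogueKiller log above shows what a helper reads out of it: a hash of the sector, an identification of the boot code, and the partition table. The Python below is an added example, not from this thread or from either tool, that parses such a 512-byte image and applies the sanity checks a helper would. The sample MBR is constructed: its partition table is laid out to match the PhysicalDrive0 table posted above, its boot code is a placeholder rather than real Windows code, and which exact byte ranges RogueKiller hashes for its [MBR] and [BSP] lines is not stated on the page, so hashing the whole sector and the 440-byte boot code area separately is an assumption. The known-good hash comparison is the point of the exercise: a bootkit overwrites the boot code and leaves the partition table looking normal.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold boot code; 440..445 are disk signature + pad
TABLE_OFFSET = 446         # four 16-byte partition entries, then 0x55AA at 510
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(blob):
    """Decode a raw 512-byte MBR image into hashes plus its partition table."""
    if len(blob) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(blob)}")
    if blob[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = blob[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack("<8BII", entry)
        if ptype == 0 and count == 0:
            continue                                  # unused slot
        parts.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba, "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return {
        # Assumption: whole-sector and boot-code-area hashes; the page does not say
        # which byte ranges RogueKiller's [MBR]/[BSP] values cover.
        "mbr_md5": hashlib.md5(blob).hexdigest(),
        "boot_code_md5": hashlib.md5(blob[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(info, known_good_boot_md5=None):
    """Sanity checks applied before trusting an MBR; returns a list of findings."""
    findings = []
    parts = info["partitions"]
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at sector {start_b}")
    for p in parts:
        if p["lba_start"] < 63:
            findings.append(f"partition {p['index']} starts at sector {p['lba_start']}, inside the boot track")
    # A bootkit replaces the boot code and leaves the table alone, so a normal-looking
    # table proves nothing; compare the code hash against a trusted value.
    if known_good_boot_md5 and info["boot_code_md5"] != known_good_boot_md5:
        findings.append("boot code hash differs from the known-good value")
    return findings


def build_sample_mbr():
    """Constructed MBR: placeholder boot code (not real Windows code) and a
    partition table matching the PhysicalDrive0 table posted above
    (active NTFS at sector 2048, 100 MiB; NTFS at sector 206848, 476838 MiB)."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)     # jmp $, then zeros
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                      # arbitrary signature + pad
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976564224)]
    table = b"".join(struct.pack("<8BII", st, 0, 0, 0, ty, 0, 0, 0, lba, n)
                     for st, ty, lba, n in entries)
    table += b"\x00" * 32                                       # two empty slots
    return boot_code + disk_sig + table + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "      "
        print(f"{p['index']} - [{flag}] {p['type_name']} offset {p['lba_start']} size {p['size_mib']} MiB")
    print("boot code md5:", info["boot_code_md5"], "| findings:", check_mbr(info) or "none")
```

To use it on a real dump, read MBR.dat in binary mode, pass the bytes to parse_mbr, and supply check_mbr with the hash of the boot code from a known-clean machine running the same Windows version; without a trusted reference the hash on its own tells you nothing.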

Re: Jump hijack malware

Post by elerrina » May 16th, 2012, 11:53 am

Sorry, was being a spoon and didn't read the instructions properly.
My computer seems to be running a lot better at the moment, and internet sites are loading much faster than before. I've been searching random words but not getting any redirect as of yet.
elerrina
Regular Member
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Post by Dakeyras » May 16th, 2012, 1:00 pm

Hi. :)

> Sorry, was being a spoon and didn't read the instructions properly.
Not a problem.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix should not be used unless requested by a forum helper.


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Post by elerrina » May 16th, 2012, 1:41 pm

ComboFix 12-05-16.02 - Ash 16/05/2012 18:16:33.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4095.2414 [GMT 1:00]
Running from: c:\users\Ash\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj02.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-16 17:22 . 2012-05-16 17:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-16 15:55 . 2012-05-16 15:55 -------- d-----w- c:\programdata\HitmanPro
2012-05-15 20:40 . 2012-05-15 20:40 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-05-11 14:29 . 2012-05-11 14:29 -------- d-----w- C:\_OTL
2012-05-11 14:25 . 2012-05-11 14:26 -------- d-----w- c:\program files (x86)\ERUNT
2012-05-08 20:39 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-08 20:39 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-08 20:39 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-08 20:39 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-08 20:39 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-08 20:39 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-08 20:38 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-08 20:38 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-08 20:38 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-08 20:38 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-08 20:38 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-08 20:38 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-08 20:38 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-05 18:06 . 2012-05-05 18:06 -------- d-----w- c:\program files\iPod
2012-05-05 18:06 . 2012-05-05 18:07 -------- d-----w- c:\program files\iTunes
2012-05-05 18:06 . 2012-05-05 18:07 -------- d-----w- c:\program files (x86)\iTunes
2012-05-05 18:04 . 2012-05-05 18:04 -------- d-----w- c:\program files\Bonjour
2012-05-05 18:04 . 2012-05-05 18:04 -------- d-----w- c:\program files (x86)\Bonjour
2012-05-05 17:32 . 2012-05-05 17:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-05 17:32 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 17:18 . 2012-05-05 17:18 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-05 17:17 . 2012-05-05 17:17 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-04 18:58 . 2012-05-04 18:58 -------- d-----w- c:\users\Ash\AppData\Local\AVG Secure Search
2012-05-04 18:55 . 2012-05-04 18:55 -------- d-----w- c:\users\Ash\AppData\Roaming\AVG2012
2012-05-04 18:55 . 2012-05-04 19:15 -------- d-----w- c:\programdata\AVG2012
2012-05-04 18:50 . 2012-05-04 18:50 -------- d-----w- c:\users\Ash\AppData\Local\CRE
2012-05-04 18:49 . 2012-05-05 12:17 -------- d-----w- c:\users\Ash\AppData\Roaming\Nico Mak Computing
2012-05-04 18:49 . 2011-11-10 09:33 18760 ----a-w- c:\windows\system32\roboot64.exe
2012-05-04 18:49 . 2012-05-05 12:20 -------- d-----w- c:\program files (x86)\WinZip Registry Optimizer
2012-05-04 18:47 . 2012-05-04 18:47 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-04 18:47 . 2012-05-04 18:47 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-04 18:47 . 2012-05-04 18:47 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\Nuance
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\FLEXnet
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\Zeon
2012-05-03 21:21 . 2012-05-03 21:22 -------- d-----w- c:\programdata\Nuance
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\programdata\ScanSoft
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\programdata\FLEXnet
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\program files (x86)\Nuance
2012-05-03 21:20 . 2012-05-03 21:20 -------- d-----w- c:\users\Ash\AppData\Local\Downloaded Installations
2012-05-01 15:51 . 2012-05-01 15:51 -------- d-----w- c:\programdata\ATI
2012-05-01 15:50 . 2012-05-01 15:50 -------- d-----w- c:\program files (x86)\AMD APP
2012-04-22 10:17 . 2012-04-22 10:20 -------- d-----w- c:\users\Ash\AppData\Roaming\Notepad++
2012-04-22 10:17 . 2012-04-22 10:17 -------- d-----w- c:\program files (x86)\Notepad++
2012-04-21 17:50 . 2012-04-21 17:50 -------- d-----w- c:\windows\en
2012-04-21 17:44 . 2012-04-21 17:44 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\DSETUP.dll
2012-04-21 17:44 . 2012-04-21 17:44 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\DXSETUP.exe
2012-04-21 17:44 . 2012-04-21 17:44 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\dsetup32.dll
2012-04-19 03:50 . 2012-04-19 03:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-04-18 17:05 . 2012-04-18 17:05 -------- d-----w- c:\users\Ash\AppData\Local\AMD
2012-04-17 21:14 . 2012-05-02 15:52 -------- d-----w- c:\programdata\AMD
2012-04-17 21:14 . 2012-04-17 21:14 -------- d-----w- c:\program files (x86)\AMD AVT
2012-04-17 21:14 . 2012-04-17 21:14 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-04-17 21:12 . 2010-02-18 08:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2012-04-17 21:08 . 2012-04-17 21:08 -------- d-----w- C:\AMD
2012-04-17 19:13 . 2012-04-17 19:13 -------- d-----w- c:\programdata\AVAST Software
2012-04-17 19:13 . 2012-04-17 19:13 -------- d-----w- c:\program files\AVAST Software
2012-04-17 18:30 . 2012-04-17 18:30 -------- d-----w- c:\users\Ash\AppData\Roaming\Malwarebytes
2012-04-17 18:30 . 2012-04-17 18:30 -------- d-----w- c:\programdata\Malwarebytes
2012-04-17 18:09 . 2012-04-21 12:21 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-04-17 18:09 . 2012-04-21 12:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-04-17 17:48 . 2012-04-22 10:04 -------- d-----w- c:\program files (x86)\PC Tools
2012-04-17 17:41 . 2012-04-22 10:04 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-04-17 17:41 . 2012-03-20 12:50 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-04-17 17:41 . 2012-04-21 12:22 -------- d-----w- c:\programdata\PC Tools
2012-04-17 17:41 . 2012-04-17 17:41 -------- d-----w- c:\users\Ash\AppData\Roaming\TestApp
2012-04-17 17:38 . 2012-04-17 17:38 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 17:17 . 2010-09-19 20:34 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-06 05:22 . 2012-04-06 05:22 11174400 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-04-06 02:22 . 2012-04-06 02:22 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-04-06 02:21 . 2010-08-04 00:54 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-04-06 02:20 . 2010-02-03 04:22 1067520 ----a-w- c:\windows\system32\aticfx64.dll
2012-04-06 02:16 . 2012-04-06 02:16 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-04-06 02:16 . 2012-04-06 02:16 503808 ----a-w- c:\windows\system32\atieclxx.exe
2012-04-06 02:16 . 2012-04-06 02:16 236544 ----a-w- c:\windows\system32\atiesrxx.exe
2012-04-06 02:14 . 2012-04-06 02:14 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-04-06 02:14 . 2012-04-06 02:14 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-04-06 02:14 . 2012-04-06 02:14 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-04-06 02:14 . 2012-04-06 02:14 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-04-06 02:13 . 2010-08-04 00:46 6800896 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-04-06 02:10 . 2012-04-06 02:10 26181632 ----a-w- c:\windows\system32\atio6axx.dll
2012-04-06 02:00 . 2010-08-25 00:18 64000 ----a-w- c:\windows\system32\coinst.dll
2012-04-06 01:54 . 2010-02-03 04:04 7479296 ----a-w- c:\windows\system32\atidxx64.dll
2012-04-06 01:50 . 2012-04-06 01:50 19753984 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-04-06 01:35 . 2012-04-06 01:35 1120768 ----a-w- c:\windows\system32\atiumd6v.dll
2012-04-06 01:34 . 2012-04-06 01:34 1831424 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-04-06 01:34 . 2010-02-03 03:43 4731904 ----a-w- c:\windows\system32\atiumd6a.dll
2012-04-06 01:34 . 2012-04-06 01:34 6203392 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-04-06 01:30 . 2012-04-06 01:30 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-04-06 01:30 . 2012-04-06 01:30 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-04-06 01:30 . 2012-04-06 01:30 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-04-06 01:30 . 2012-04-06 01:30 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-04-06 01:29 . 2012-04-06 01:29 16090624 ----a-w- c:\windows\system32\aticaldd64.dll
2012-04-06 01:25 . 2012-04-06 01:25 13764096 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-04-06 01:23 . 2010-02-03 03:49 7431680 ----a-w- c:\windows\system32\atiumd64.dll
2012-04-06 01:22 . 2012-04-06 01:22 4795904 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-04-06 01:11 . 2010-02-03 03:24 514560 ----a-w- c:\windows\system32\atiadlxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-04-06 01:11 . 2012-04-06 01:11 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-04-06 01:10 . 2012-04-06 01:10 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-04-06 01:10 . 2012-04-06 01:10 343040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-04-06 01:09 . 2010-02-03 03:23 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-04-06 01:09 . 2010-08-04 00:15 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-04-06 01:09 . 2010-02-03 03:23 44544 ----a-w- c:\windows\system32\atiu9p64.dll
2012-04-06 01:09 . 2012-04-06 01:09 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-04-06 01:09 . 2012-04-06 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\atimpc64.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-04-05 21:34 . 2012-04-05 21:34 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-04-05 21:34 . 2012-04-05 21:34 74752 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-04-05 21:34 . 2012-04-05 21:34 64512 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-04-05 21:33 . 2012-04-05 21:33 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-04-05 21:33 . 2012-04-05 21:33 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-04-05 21:33 . 2012-04-05 21:33 16457216 ----a-w- c:\windows\system32\amdocl64.dll
2012-04-05 21:32 . 2012-04-05 21:32 13007872 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-03-25 16:27 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-03-25 16:27 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-03-19 04:17 . 2012-03-19 04:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-03-09 00:24 . 2012-03-09 00:24 54272 ----a-w- c:\windows\system32\OpenCL.dll
2012-03-09 00:24 . 2012-03-09 00:24 48128 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-03-08 17:50 . 2012-03-08 17:50 49016 ----a-w- c:\windows\SysWow64\sirenacm.dll
2012-03-08 17:37 . 2012-03-08 17:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-03-01 06:46 . 2012-04-12 21:07 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-12 21:07 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-12 21:07 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-12 21:07 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-12 21:07 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-12 21:07 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 21:07 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:39 . 2012-04-12 08:31 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 05:38 . 2012-04-12 08:31 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 04:31 . 2012-04-12 08:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 03:52 . 2012-04-12 08:31 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-23 12:32 . 2012-02-23 12:32 95760 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2012-02-22 04:25 . 2012-02-22 04:25 289872 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-02-21 22:07 . 2011-04-03 14:55 21840 ----atw- c:\windows\SysWow64\SIntfNT.dll
2012-02-21 22:07 . 2011-04-03 14:55 17212 ----atw- c:\windows\SysWow64\SIntf32.dll
2012-02-21 22:07 . 2011-04-03 14:55 12067 ----atw- c:\windows\SysWow64\SIntf16.dll
2012-02-17 06:38 . 2012-03-13 18:24 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 18:24 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 18:24 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 18:24 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2009-07-16 22:13 . 2009-07-16 22:13 1246440 ----a-w- c:\program files\DAOriginsLauncher.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-05-04 18:57 2067328 ----a-w- c:\program files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-05-04 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2010-02-02 385024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-05-24 2439072]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-05-04 1116544]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
R3 ALSysIO;ALSysIO;c:\users\Ash\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-04 129976]
R3 nmwcdx64;Nokia USB Phone Parent;c:\windows\system32\drivers\nmwcdx64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-04-05 361984]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-04-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [2012-05-04 932736]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files (x86)\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Ash\AppData\Roaming\Mozilla\Firefox\Profiles\l6k2sjcs.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bff ... &sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-ISW - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\SecuROM\License information*]
"datasecu"=hex:d8,50,03,bf,fc,15,f7,ed,da,8e,0b,19,99,4e,f7,da,37,ef,77,ff,15,
66,71,49,b1,6b,4a,4d,bc,e8,77,9c,66,23,ad,06,85,eb,5a,2e,cc,77,5c,44,04,0b,\
"rkeysecu"=hex:32,ba,43,f7,df,4c,07,7e,0d,b6,2b,2e,f5,61,45,cc
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
.
**************************************************************************
.
Completion time: 2012-05-16 18:28:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-16 17:28
.
Pre-Run: 123,962,875,904 bytes free
Post-Run: 123,550,400,512 bytes free
.
- - End Of File - - D06ED821D3913BF36F8DE1F0111A389F


Computer seems to be running fine now, haven't experienced a redirect for a while and the internet seems to be faster. Also I was reading a bit about the Google redirect virus and some people say it is caused by a file masquerading as atapi.sys, so I just did a search (before the scan) and I had two, which I was going to mention to see if it was relevant, but after the scan I only have one now. Though I'm not sure how many I should have anyway, I thought it might be something to note at least.
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 17th, 2012, 7:21 am

Hi. :)

Computer seems to be running fine now, haven't experienced a redirect for a while and the internet seems to be faster.
Good.

Also I was reading a bit about the Google redirect virus and some people say it is caused by a file masquerading as atapi.sys, so I just did a search (before the scan) and I had two, which I was going to mention to see if it was relevant, but after the scan I only have one now. Though I'm not sure how many I should have anyway, I thought it might be something to note at least.
Aye, indeed that particular file can become patched by malware, as can any file in theory actually. Anyway, the one present on your machine is fine, as that was checked twice via prior scans I asked you to perform. As for how many versions are present on your machine, I would not be overly concerned about that, as I plan to check the integrity of your machine's file system once I am satisfied malware is no longer an issue.

On a different note, if wondering why this output is in the ComboFix log:-

c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
That actually relates to the Logitech software you have installed, though why a vendor would choose to use such a location is beyond me!

Also it appears you may have uninstalled ZoneAlarm? If so, not a problem I will add, but I would have preferred if you had not made such a major change to your system during the course of the malware removal process.

Now, if you have uninstalled ZoneAlarm, it is probably prudent, when I give the all clear, to download and run this removal tool to ensure everything relating to the software is removed. Also check that the actual Windows 7 inbuilt Firewall is active.

Custom ComboFix-Script:

  • Please open Notepad and copy and paste the text present inside the code box below:
    SkipFix::
    
    ClearJavaCache::
    
    RegLock::
    [HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\SecuROM\License information*]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    
    ReBoot::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your Desktop.
[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Next:

Click on Start (Windows 7 Orb) >> Accessories >> System Tools >> Disk Cleanup

  • Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
  • You can choose to check other boxes if you wish but they are not required.
  • Click on OK then Delete files.

Panda Online Scan:

Use Internet Explorer for the below please...

Windows 7 users: You will need to right-click on IE in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Now please go here to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open... select the option Quick scan, then click on the Scan Now button <-- Allow all the UAC (User Account Control) prompts
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • Post this log in your next reply
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
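The two file questions in the post above, whether a second atapi.sys is a patched or masquerading copy and what the Logitech LVPrcInj DLLs are doing in c:\windows\TEMP, come down to the same check: find every copy of a given file name, then compare size, version information, hash and Authenticode status so that an altered copy stands out. The script below is an added example, not code from this thread, from ComboFix or from either poster. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7 x64; the file names are the ones named in the thread, and the function names (Get-Sha256Hex, Get-FileCopies) are this example's own.

```powershell
# Added example, not code from the thread or from ComboFix. Assumes an
# elevated PowerShell 2.0+ prompt on Windows 7 x64. Finds every copy of the
# named files on the system drive and reports size, hash, version info and
# Authenticode status so a patched or masquerading copy stands out.

# File names taken from the thread: the driver elerrina searched for, and
# the two Logitech DLLs ComboFix could not delete from c:\windows\TEMP.
$names = @('atapi.sys', 'LVPrcInj01.dll', 'LVPrcInj02.dll')

function Get-Sha256Hex {
    # SHA-256 of a file as lowercase hex (Get-FileHash needs PowerShell 4+,
    # so this uses .NET directly to stay usable on Windows 7).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Get-FileCopies {
    # One record per copy of each name found under $Root.
    param([string[]]$FileNames, [string]$Root = "$env:SystemDrive\")
    foreach ($name in $FileNames) {
        # -Force includes hidden/system files; access-denied errors on
        # protected folders are skipped rather than aborting the scan.
        Get-ChildItem -Path $Root -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Name      = $_.Name
                    Path      = $_.FullName
                    Size      = $_.Length
                    Modified  = $_.LastWriteTime
                    Version   = $_.VersionInfo.FileVersion
                    Company   = $_.VersionInfo.CompanyName
                    SHA256    = Get-Sha256Hex -Path $_.FullName
                    SigStatus = $sig.Status    # Valid, NotSigned, HashMismatch, ...
                    Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                }
            }
    }
}

$copies = @(Get-FileCopies -FileNames $names)
$copies | Sort-Object Name, Path | Format-Table Name, SigStatus, Size, Version, Company, Path -AutoSize

# Second pass: warn on anything that is not cleanly signed, and on any copy
# whose hash differs from the one actually loaded from System32\drivers.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($group in ($copies | Group-Object Name)) {
    $reference = $group.Group | Where-Object { $_.Path -like "$driversDir\*" } | Select-Object -First 1
    foreach ($c in $group.Group) {
        if ($c.SigStatus -ne 'Valid') {
            Write-Warning "$($c.Path): signature status $($c.SigStatus)"
        }
        if ($reference -and $c.SHA256 -ne $reference.SHA256) {
            Write-Warning "$($c.Path): hash differs from $($reference.Path)"
        }
    }
}
```

Two caveats when reading the output. Several copies of atapi.sys are normal on Windows 7 x64 (the loaded one in System32\drivers plus servicing copies under WinSxS and the driver store), and those may legitimately differ in version from each other, so a hash difference alone is not proof of tampering; a HashMismatch status, meaning the file no longer matches its own signature, is. Second, the PowerShell shipped with Windows 7 only recognises signatures embedded in the file, and Microsoft drivers such as atapi.sys are catalog-signed, so they report NotSigned even when intact; for those, confirm with `sfc /verifyfile=c:\windows\system32\drivers\atapi.sys`, which checks the loaded copy against the Windows Resource Protection catalog.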

Re: Jump hijack malware

Unread postby elerrina » May 17th, 2012, 9:14 am

Yes, I removed it because I wasn't 100% sure it was deactivated for the ComboFix scan. I followed the instructions but it still appeared to be active. And yes, Windows Firewall is on now.

Re: Jump hijack malware

Unread postby Dakeyras » May 17th, 2012, 9:19 am

Fair play; carry out my prior instructions and post the resulting logs when ready, thank you. :)

Re: Jump hijack malware

Unread postby elerrina » May 17th, 2012, 9:54 am

Yeah, will do as soon as I get home; just at work at the mo :-)

Re: Jump hijack malware

Unread postby Dakeyras » May 17th, 2012, 10:04 am

OK. :)

Re: Jump hijack malware

Unread postby elerrina » May 17th, 2012, 4:42 pm

Hi there. OK, so everything is done as you requested. Just a couple of things: I had another redirect today; it was slightly different to usual, as hitting the back button didn't work, so I had to manually right-click and select the page I wanted to go back to, as it kept just redirecting to the same page.

ComboFix 12-05-17.05 - Ash 17/05/2012 21:16:53.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4095.2649 [GMT 1:00]
Running from: c:\users\Ash\Desktop\ComboFix.exe
Command switches used :: c:\users\Ash\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))
.
.
2012-05-17 20:18 . 2012-05-17 20:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-15 20:40 . 2012-05-15 20:40 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-05-11 14:29 . 2012-05-11 14:29 -------- d-----w- C:\_OTL
2012-05-11 14:25 . 2012-05-11 14:26 -------- d-----w- c:\program files (x86)\ERUNT
2012-05-08 20:39 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-08 20:39 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-08 20:39 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-08 20:39 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-08 20:39 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-08 20:39 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-08 20:38 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-08 20:38 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-08 20:38 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-08 20:38 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-08 20:38 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-08 20:38 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-08 20:38 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-05 18:06 . 2012-05-05 18:06 -------- d-----w- c:\program files\iPod
2012-05-05 18:06 . 2012-05-05 18:07 -------- d-----w- c:\program files\iTunes
2012-05-05 18:06 . 2012-05-05 18:07 -------- d-----w- c:\program files (x86)\iTunes
2012-05-05 18:04 . 2012-05-05 18:04 -------- d-----w- c:\program files\Bonjour
2012-05-05 18:04 . 2012-05-05 18:04 -------- d-----w- c:\program files (x86)\Bonjour
2012-05-05 17:32 . 2012-05-05 17:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-05 17:32 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 17:18 . 2012-05-05 17:18 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-05 17:17 . 2012-05-05 17:17 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-04 18:58 . 2012-05-04 18:58 -------- d-----w- c:\users\Ash\AppData\Local\AVG Secure Search
2012-05-04 18:55 . 2012-05-04 18:55 -------- d-----w- c:\users\Ash\AppData\Roaming\AVG2012
2012-05-04 18:55 . 2012-05-04 19:15 -------- d-----w- c:\programdata\AVG2012
2012-05-04 18:50 . 2012-05-04 18:50 -------- d-----w- c:\users\Ash\AppData\Local\CRE
2012-05-04 18:49 . 2012-05-05 12:17 -------- d-----w- c:\users\Ash\AppData\Roaming\Nico Mak Computing
2012-05-04 18:49 . 2011-11-10 09:33 18760 ----a-w- c:\windows\system32\roboot64.exe
2012-05-04 18:49 . 2012-05-05 12:20 -------- d-----w- c:\program files (x86)\WinZip Registry Optimizer
2012-05-04 18:47 . 2012-05-04 18:47 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-04 18:47 . 2012-05-04 18:47 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-04 18:47 . 2012-05-04 18:47 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\Nuance
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\FLEXnet
2012-05-03 21:22 . 2012-05-03 21:22 -------- d-----w- c:\users\Ash\AppData\Roaming\Zeon
2012-05-03 21:21 . 2012-05-03 21:22 -------- d-----w- c:\programdata\Nuance
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\programdata\ScanSoft
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\programdata\FLEXnet
2012-05-03 21:21 . 2012-05-03 21:21 -------- d-----w- c:\program files (x86)\Nuance
2012-05-03 21:20 . 2012-05-03 21:20 -------- d-----w- c:\users\Ash\AppData\Local\Downloaded Installations
2012-05-01 15:51 . 2012-05-01 15:51 -------- d-----w- c:\programdata\ATI
2012-05-01 15:50 . 2012-05-01 15:50 -------- d-----w- c:\program files (x86)\AMD APP
2012-04-22 10:17 . 2012-04-22 10:20 -------- d-----w- c:\users\Ash\AppData\Roaming\Notepad++
2012-04-22 10:17 . 2012-04-22 10:17 -------- d-----w- c:\program files (x86)\Notepad++
2012-04-21 17:50 . 2012-04-21 17:50 -------- d-----w- c:\windows\en
2012-04-21 17:44 . 2012-04-21 17:44 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\DSETUP.dll
2012-04-21 17:44 . 2012-04-21 17:44 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\DXSETUP.exe
2012-04-21 17:44 . 2012-04-21 17:44 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\619045591cd1fe601\dsetup32.dll
2012-04-19 03:50 . 2012-04-19 03:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-04-18 17:05 . 2012-04-18 17:05 -------- d-----w- c:\users\Ash\AppData\Local\AMD
2012-04-17 21:14 . 2012-05-02 15:52 -------- d-----w- c:\programdata\AMD
2012-04-17 21:14 . 2012-04-17 21:14 -------- d-----w- c:\program files (x86)\AMD AVT
2012-04-17 21:14 . 2012-04-17 21:14 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-04-17 21:12 . 2010-02-18 08:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2012-04-17 21:08 . 2012-04-17 21:08 -------- d-----w- C:\AMD
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 17:17 . 2010-09-19 20:34 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-06 05:22 . 2012-04-06 05:22 11174400 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-04-06 02:22 . 2012-04-06 02:22 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-04-06 02:21 . 2010-08-04 00:54 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-04-06 02:20 . 2010-02-03 04:22 1067520 ----a-w- c:\windows\system32\aticfx64.dll
2012-04-06 02:16 . 2012-04-06 02:16 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-04-06 02:16 . 2012-04-06 02:16 503808 ----a-w- c:\windows\system32\atieclxx.exe
2012-04-06 02:16 . 2012-04-06 02:16 236544 ----a-w- c:\windows\system32\atiesrxx.exe
2012-04-06 02:14 . 2012-04-06 02:14 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-04-06 02:14 . 2012-04-06 02:14 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-04-06 02:14 . 2012-04-06 02:14 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-04-06 02:14 . 2012-04-06 02:14 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-04-06 02:13 . 2010-08-04 00:46 6800896 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-04-06 02:10 . 2012-04-06 02:10 26181632 ----a-w- c:\windows\system32\atio6axx.dll
2012-04-06 02:00 . 2010-08-25 00:18 64000 ----a-w- c:\windows\system32\coinst.dll
2012-04-06 01:54 . 2010-02-03 04:04 7479296 ----a-w- c:\windows\system32\atidxx64.dll
2012-04-06 01:50 . 2012-04-06 01:50 19753984 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-04-06 01:35 . 2012-04-06 01:35 1120768 ----a-w- c:\windows\system32\atiumd6v.dll
2012-04-06 01:34 . 2012-04-06 01:34 1831424 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-04-06 01:34 . 2010-02-03 03:43 4731904 ----a-w- c:\windows\system32\atiumd6a.dll
2012-04-06 01:34 . 2012-04-06 01:34 6203392 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-04-06 01:30 . 2012-04-06 01:30 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-04-06 01:30 . 2012-04-06 01:30 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-04-06 01:30 . 2012-04-06 01:30 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-04-06 01:30 . 2012-04-06 01:30 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-04-06 01:29 . 2012-04-06 01:29 16090624 ----a-w- c:\windows\system32\aticaldd64.dll
2012-04-06 01:25 . 2012-04-06 01:25 13764096 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-04-06 01:23 . 2010-02-03 03:49 7431680 ----a-w- c:\windows\system32\atiumd64.dll
2012-04-06 01:22 . 2012-04-06 01:22 4795904 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-04-06 01:11 . 2010-02-03 03:24 514560 ----a-w- c:\windows\system32\atiadlxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-04-06 01:11 . 2012-04-06 01:11 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-04-06 01:11 . 2012-04-06 01:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-04-06 01:10 . 2012-04-06 01:10 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-04-06 01:10 . 2012-04-06 01:10 343040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-04-06 01:09 . 2010-02-03 03:23 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-04-06 01:09 . 2010-08-04 00:15 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-04-06 01:09 . 2010-02-03 03:23 44544 ----a-w- c:\windows\system32\atiu9p64.dll
2012-04-06 01:09 . 2012-04-06 01:09 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-04-06 01:09 . 2012-04-06 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\atimpc64.dll
2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-04-05 21:34 . 2012-04-05 21:34 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-04-05 21:34 . 2012-04-05 21:34 74752 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-04-05 21:34 . 2012-04-05 21:34 64512 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-04-05 21:33 . 2012-04-05 21:33 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-04-05 21:33 . 2012-04-05 21:33 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-04-05 21:33 . 2012-04-05 21:33 16457216 ----a-w- c:\windows\system32\amdocl64.dll
2012-04-05 21:32 . 2012-04-05 21:32 13007872 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-03-25 16:27 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-03-25 16:27 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-03-20 12:50 . 2012-04-17 17:41 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-03-19 04:17 . 2012-03-19 04:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-03-09 00:24 . 2012-03-09 00:24 54272 ----a-w- c:\windows\system32\OpenCL.dll
2012-03-09 00:24 . 2012-03-09 00:24 48128 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-03-08 17:50 . 2012-03-08 17:50 49016 ----a-w- c:\windows\SysWow64\sirenacm.dll
2012-03-08 17:37 . 2012-03-08 17:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-03-01 06:46 . 2012-04-12 21:07 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-12 21:07 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-12 21:07 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-12 21:07 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-12 21:07 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-12 21:07 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 21:07 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:39 . 2012-04-12 08:31 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 05:38 . 2012-04-12 08:31 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 04:31 . 2012-04-12 08:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 03:52 . 2012-04-12 08:31 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-23 12:32 . 2012-02-23 12:32 95760 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2012-02-22 04:25 . 2012-02-22 04:25 289872 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-02-21 22:07 . 2011-04-03 14:55 21840 ----atw- c:\windows\SysWow64\SIntfNT.dll
2012-02-21 22:07 . 2011-04-03 14:55 17212 ----atw- c:\windows\SysWow64\SIntf32.dll
2012-02-21 22:07 . 2011-04-03 14:55 12067 ----atw- c:\windows\SysWow64\SIntf16.dll
2009-07-16 22:13 . 2009-07-16 22:13 1246440 ----a-w- c:\program files\DAOriginsLauncher.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-16_17.23.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-05-16 15:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-05-17 18:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-05-17 18:42 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-16 15:49 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-16 15:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-17 18:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-25 00:30 . 2012-05-17 20:22 68330 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-17 20:22 34028 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-08-25 00:30 . 2012-05-17 20:22 28418 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-689666306-1716364123-2076767426-1000_UserData.bin
- 2010-08-25 07:04 . 2012-05-16 17:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-25 07:04 . 2012-05-17 20:19 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-25 07:04 . 2012-05-16 17:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-25 07:04 . 2012-05-17 20:19 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-16 17:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-17 20:19 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-25 00:39 . 2012-05-17 20:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-25 00:39 . 2012-05-16 17:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-25 00:39 . 2012-05-16 17:25 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-25 00:39 . 2012-05-17 20:22 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-25 00:39 . 2012-05-16 17:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-25 00:39 . 2012-05-17 20:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-25 00:39 . 2012-05-16 17:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-25 00:39 . 2012-05-17 20:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-25 00:39 . 2012-05-17 20:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-25 00:39 . 2012-05-16 17:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-05-16 17:23 . 2012-05-16 17:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-17 20:19 . 2012-05-17 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-16 17:23 . 2012-05-16 17:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-05-17 20:19 . 2012-05-17 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-05-17 20:19 . 2009-10-07 00:46 131608 c:\windows\Temp\logishrd\LVPrcInj02.dll
- 2012-05-16 17:23 . 2009-10-07 00:46 131608 c:\windows\Temp\logishrd\LVPrcInj02.dll
+ 2012-05-17 20:19 . 2009-10-07 00:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
- 2012-05-16 17:23 . 2009-10-07 00:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2009-07-14 05:01 . 2012-05-17 20:18 390744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-16 17:22 390744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-07-23 23:05 . 2012-05-16 17:22 2087392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-07-23 23:05 . 2012-05-17 20:18 2087392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-08-03 08:24 . 2012-05-14 21:33 4653744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689666306-1716364123-2076767426-1000-12288.dat
+ 2011-08-03 08:24 . 2012-05-16 22:04 4653744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689666306-1716364123-2076767426-1000-12288.dat
- 2011-03-25 22:58 . 2012-05-16 17:22 38447799 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689666306-1716364123-2076767426-1000-8192.dat
+ 2011-03-25 22:58 . 2012-05-17 20:18 38447799 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-689666306-1716364123-2076767426-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-05-04 18:57 2067328 ----a-w- c:\program files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-05-04 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-05-24 2439072]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-05-04 1116544]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
R3 ALSysIO;ALSysIO;c:\users\Ash\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-04 129976]
R3 nmwcdx64;Nokia USB Phone Parent;c:\windows\system32\drivers\nmwcdx64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-04-05 361984]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-04-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [2012-05-04 932736]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\DRIVERS\LVUSBS64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
"ISW"="" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files (x86)\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Ash\AppData\Roaming\Mozilla\Firefox\Profiles\l6k2sjcs.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bff ... &sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\SecuROM\License information*]
"datasecu"=hex:d8,50,03,bf,fc,15,f7,ed,da,8e,0b,19,99,4e,f7,da,37,ef,77,ff,15,
66,71,49,b1,6b,4a,4d,bc,e8,77,9c,66,23,ad,06,85,eb,5a,2e,cc,77,5c,44,04,0b,\
"rkeysecu"=hex:32,ba,43,f7,df,4c,07,7e,0d,b6,2b,2e,f5,61,45,cc
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2012-05-17 21:25:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-17 20:25
ComboFix2.txt 2012-05-16 17:28
.
Pre-Run: 123,117,887,488 bytes free
Post-Run: 122,848,026,624 bytes free
.
- - End Of File - - CDAA36FBC5FE56D7690499ECA430E51C


;***********************************************************************************************************************************************************************************
ANALYSIS: 2012-05-17 21:40:17
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free Edition 2012 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\urhww0zn.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\c31fg2xf.txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\zffa32dx.txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\jv21e52t.txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\qjwl43by.txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\5cqp95ws.txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\9p4n4a69.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\zdqq0icq.txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\ash\appdata\roaming\microsoft\windows\cookies\vrafphzv.txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 17th, 2012, 5:25 pm

Hi. :)

Just a couple of things: I had another redirect today, which was slightly different to usual, as hitting the back button didn't work; I had to manually right-click and select the page I wanted to go back to, as it kept just redirecting to the same page.
What was the name of the page, and/or was it random? OK, let's have another look at your system as follows...

Scan with Eset SysInspector:

Please download Eset SysInspector and save to your Desktop.

  • Right-click on SysInspector.exe and select Run as Administrator.
  • Your system will now be scanned, this may take some time.
  • When the main SysInspector window appears, go to the File drop-down menu and select Save Log.
  • At the prompt click on Yes and save the Zip File to the desktop.
  • Please attach SysInspector-**** ******- **** ( * denotes computer name/date/time) in your next reply for me to then download and research.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 18th, 2012, 12:22 pm

Sorry, I didn't note down the name of the webpage. And it's not allowing me to attach the file; it says it's too large.
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm