Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

yet another search engine redirection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: yet another search engine redirection

Unread postby vict0r » April 30th, 2011, 5:50 pm

Sounds good that hibernation now works as expected and you're welcome. :)


Backup the Registry again

Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.

  • Start ERUNT backup by clicking Start >> Programs/All Programs >> ERUNT >> ERUNT.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.

Note: Do not continue with the next step if the registry backup was unsuccessful, post back instead.


Run OTL Script

We need to run another OTL script. This OTL script will reboot the computer. Save all work before continuing.

  • Double-click OTL.exe (on your desktop) to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :files
    ipconfig /flushdns /c
    :services
    o1394bul
    :commands
    [emptyflash]
    [emptytemp]
    
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Disable Microsoft Security Essentials

Make sure MSE is disabled:

Make sure there's no scheduled scan in Microsoft Security Essentials for the rest of the day before running the scan:
  • Start Microsoft Security Essentials, then click Settings -> Sceduled scan and uncheck Run a scheduled scan... if a scan is about to start, then click Save changes and close the program.
  • Go to Settings > Real Time Protection.
  • Then uncheck "Turn on real time protection".
  • Close MSE when done.


ESET Online Scanner:

  • Please go here to run the scan.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you post the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application when finished!
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm
Advertisement
Register to Remove

Re: yet another search engine redirection

Unread postby Scop » May 1st, 2011, 3:05 am

OTL report:



All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\Dillon\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Dillon\Desktop\cmd.txt deleted successfully.
========== SERVICES/DRIVERS ==========
Service o1394bul stopped successfully!
Service o1394bul deleted successfully!
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 56504 bytes

User: All Users

User: Default User
->Flash cache emptied: 56466 bytes

User: Dillon
->Flash cache emptied: 3096199 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 3.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: Dillon
->Temp folder emptied: 112966122 bytes
->Temporary Internet Files folder emptied: 263465214 bytes
->Java cache emptied: 60081019 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 110224 bytes

User: NetworkService
->Temp folder emptied: 260544 bytes
->Temporary Internet Files folder emptied: 316338 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3755025 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10162501 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12921084 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 97752944 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 536.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04302011_214053

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



ESET ran and I manually saved the .txt of its results to my Desktop. When I browsed to the location you gave me, though, there were no text files; just the ESET ActiveX and an Uninstall. What I saved manually follows:



C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\4e16e85c-2cf4d1b2 multiple threats
C:\_OTL\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources\ru.lproj\QuickTimeResourcesQuickTime.exe a variant of Win32/Kryptik.NBO trojan
C:\_OTL\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\pt.lproj\RecursosQuickTimeQuickTime.exe a variant of Win32/Kryptik.NBO trojan
C:\_OTL\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj\QuickTimeWebHelperQuickTime7.6.51327.79.exe a variant of Win32/Kryptik.NBO trojan
C:\_OTL\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile\Application Data\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe a variant of Win32/Kryptik.NBO trojan
C:\_OTL\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile\Application Data\AntiVirus_AntiSpyware_2011\securityhelper.exe a variant of Win32/Kryptik.NBO trojan
C:\_OTL\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile\Application Data\AntiVirus_AntiSpyware_2011\securitymanager.exe a variant of Win32/Kryptik.NBO trojan
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 1st, 2011, 10:00 am

Hi.

Clear Java cache

  • Click on Start > Control Panel > Classic view then double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked.
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Backup the Registry again

Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.

  • Start ERUNT backup by clicking Start >> Programs/All Programs >> ERUNT >> ERUNT.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.

Note: Do not continue with the next step if the registry backup was unsuccessful, post back instead.


Run OTL Script

We need to run another OTL script. Save all work before continuing in case of reboot.

  • Double-click OTL.exe (on your desktop) to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :processes
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    :files
    ipconfig /flushdns /c
    :services
    Viewpoint Manager Service
    
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Rename folder

Please rename the _OTL folder to "vict0r". Go to Start > My Computer and navigate to C:\. Right click the _OTL folder and click Rename, then write my username followed by Enter. Verify that the folder was renamed if not try again. Do not continue with the next step if it fails.


Combofix uninstaller


Let me know if it fails.


Re-run - RSIT (Random's System Information Tool)

Do this step even if other failed.

You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
  3. Please post the contents of "log.txt" in your next reply.


To post:
  • OTL log
  • RSIT log
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 1st, 2011, 5:09 pm

All steps went smoothly--Jave cache cleared (this isn't the first time Java's been a vulnerability. Then again, at that time I probably had old version updates taking up space on my hard drive, too), registry backup ran fine, the OTL script seemed to finish very quickly and didn't require a restart, _OTL folder renamed successfully, and ComboFix uninstaller also ran fine.

I feel relieved to have done something with Viewpoint. I've always been suspicious that it's just taking up space to market to me, and when I realized that Youtube uses Flash, Viewpoint didn't have that excuse any more.

Here follow both the requested logs:



:processes
C:\Program Files\Viewpoint\Common\ViewpointService.exe
:files
ipconfig /flushdns /c
:services
Viewpoint Manager Service



Logfile of random's system information tool 1.08 (written by random/random)
Run by Dillon at 2011-05-01 13:51:32
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 6 GB (17%) free of 38 GB
Total RAM: 502 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:51:51 PM, on 5/1/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Dillon\Desktop\RSIT.exe
C:\Program Files\trend micro\Dillon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net?cid=ie8_0904
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshoo ... aptest.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Custo ... anager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7434653125
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-be ... canner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 9210 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-04-05 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-04-05 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll [2003-11-21 98304]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-11-04 98394]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-11-04 688218]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2006-04-18 405504]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe [2004-10-14 253952]
"hpWirelessAssistant"=C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe [2005-01-21 790528]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe [2003-03-11 172032]
"HPHmon03"=C:\WINDOWS\system32\hphmon03.exe [2003-01-30 311296]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-02-07 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-02-07 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-02-07 118784]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-03-20 86960]
"DeviceDiscovery"=C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-02 40960]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2008-10-07 111856]
"ddoctorv2"=C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe [2008-04-24 202560]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [2002-12-17 49152]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2010-11-30 997408]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-10-29 249064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2008-10-07 111856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-02-07 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SMR161]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2011-04-28 09:59:11 ----D---- C:\vict0r
2011-04-28 09:55:03 ----D---- C:\Program Files\ERUNT
2011-04-28 09:07:14 ----D---- C:\Documents and Settings\Dillon\Application Data\Malwarebytes
2011-04-28 09:07:06 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-04-28 09:07:05 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2011-04-28 09:07:01 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2011-04-28 09:06:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-04-27 16:13:36 ----A---- C:\TDSSKiller.2.4.21.0_27.04.2011_16.13.36_log.txt
2011-04-26 22:51:11 ----ASH---- C:\hiberfil.sys
2011-04-26 08:31:03 ----D---- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
2011-04-26 08:27:31 ----D---- C:\Program Files\Common Files\Adobe AIR
2011-04-24 16:24:26 ----A---- C:\Boot.bak
2011-04-24 16:24:16 ----RASHD---- C:\cmdcons
2011-04-24 16:18:17 ----D---- C:\WINDOWS\ERDNT
2011-04-24 09:01:42 ----D---- C:\Program Files\trend micro
2011-04-24 09:01:36 ----D---- C:\rsit
2011-04-14 14:09:47 ----HDC---- C:\WINDOWS\$NtUninstallKB2485663$
2011-04-14 14:06:07 ----HDC---- C:\WINDOWS\$NtUninstallKB2506223$
2011-04-14 14:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2412687$
2011-04-14 13:51:01 ----HDC---- C:\WINDOWS\$NtUninstallKB2508272$
2011-04-14 13:50:39 ----HDC---- C:\WINDOWS\$NtUninstallKB2503658$
2011-04-14 13:49:56 ----HDC---- C:\WINDOWS\$NtUninstallKB2507618$
2011-04-14 13:49:39 ----HDC---- C:\WINDOWS\$NtUninstallKB2508429$
2011-04-14 13:49:14 ----HDC---- C:\WINDOWS\$NtUninstallKB2511455$
2011-04-14 13:48:34 ----HDC---- C:\WINDOWS\$NtUninstallKB2506212$
2011-04-14 13:43:41 ----HDC---- C:\WINDOWS\$NtUninstallKB2509553$
2011-04-05 18:49:25 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2011-04-05 18:48:41 ----A---- C:\WINDOWS\system32\javaws.exe
2011-04-05 18:48:41 ----A---- C:\WINDOWS\system32\javaw.exe
2011-04-05 18:48:41 ----A---- C:\WINDOWS\system32\java.exe
2011-04-05 18:48:41 ----A---- C:\WINDOWS\system32\deployJava1.dll

======List of files/folders modified in the last 1 months======

2011-05-01 13:50:02 ----D---- C:\WINDOWS
2011-05-01 13:26:25 ----D---- C:\WINDOWS\Temp
2011-05-01 13:15:29 ----SD---- C:\WINDOWS\Tasks
2011-05-01 13:10:47 ----D---- C:\WINDOWS\system32\CatRoot2
2011-05-01 13:09:34 ----RD---- C:\Program Files
2011-05-01 08:39:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-04-30 22:23:19 ----SD---- C:\WINDOWS\Downloaded Program Files
2011-04-30 21:46:02 ----D---- C:\WINDOWS\system32
2011-04-29 12:06:00 ----D---- C:\WINDOWS\system32\drivers
2011-04-29 12:04:23 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-04-28 11:44:09 ----HDC---- C:\WINDOWS\$NtUninstallKB2419632$
2011-04-28 08:20:57 ----HD---- C:\Config.Msi
2011-04-28 08:15:29 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2011-04-28 08:15:28 ----SHD---- C:\WINDOWS\Installer
2011-04-28 08:13:40 ----D---- C:\Program Files\Adobe
2011-04-28 08:13:39 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2011-04-27 16:26:08 ----D---- C:\WINDOWS\Prefetch
2011-04-26 22:05:07 ----A---- C:\WINDOWS\ntbtlog.txt
2011-04-26 08:27:31 ----D---- C:\Program Files\Common Files
2011-04-26 08:26:46 ----D---- C:\Program Files\Amazon
2011-04-25 23:44:18 ----D---- C:\Downloads
2011-04-25 23:39:33 ----HD---- C:\WINDOWS\inf
2011-04-25 23:39:30 ----D---- C:\Program Files\Common Files\Sonic Shared
2011-04-25 23:19:10 ----D---- C:\Program Files\Common Files\AOL
2011-04-24 16:24:26 ----RASH---- C:\boot.ini
2011-04-24 16:09:36 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2011-04-24 16:08:58 ----D---- C:\Program Files\Common Files\Symantec Shared
2011-04-18 15:46:44 ----A---- C:\WINDOWS\system32\MRT.exe
2011-04-15 12:07:26 ----D---- C:\WINDOWS\Microsoft.NET
2011-04-15 12:07:19 ----RSD---- C:\WINDOWS\assembly
2011-04-14 14:11:12 ----A---- C:\WINDOWS\win.ini
2011-04-14 14:09:23 ----HD---- C:\WINDOWS\$hf_mig$
2011-04-14 14:06:19 ----A---- C:\WINDOWS\imsins.BAK
2011-04-14 14:06:15 ----RSHD---- C:\WINDOWS\system32\dllcache
2011-04-14 14:04:26 ----D---- C:\Program Files\Internet Explorer
2011-04-14 14:02:05 ----D---- C:\WINDOWS\WinSxS
2011-04-14 13:43:06 ----D---- C:\WINDOWS\ie8updates
2011-04-05 18:49:18 ----D---- C:\Program Files\Common Files\Java
2011-04-05 18:43:10 ----D---- C:\Program Files\Java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 IFP800;iriver Internet Audio Player IFP-800; C:\WINDOWS\system32\drivers\ifp800.sys [2004-03-29 14531]
R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\system32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2011-04-27 36352]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2010-10-24 165264]
R1 MpKsl372c91ab;MpKsl372c91ab; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6A8FBEE-DB3C-486D-B7DB-43D2A5D00DA1}\MpKsl372c91ab.sys []
R1 MpKsl6fd870d3;MpKsl6fd870d3; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BCA0004A-8955-48A3-BDE1-772D361E3420}\MpKsl6fd870d3.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-11-14 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-16 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2004-11-29 399616]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2004-11-29 1337850]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2004-11-29 55320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-02-17 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-02-17 349696]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-14 1038208]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-12-14 207232]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-02-07 1399615]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-12-02 70912]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-11-04 186016]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-09-20 162432]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2006-12-11 2209536]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-14 703232]
S1 MpKsl18e74faf;MpKsl18e74faf; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl18e74faf.sys []
S1 MpKsl3012dce8;MpKsl3012dce8; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl3012dce8.sys []
S1 MpKsl47654546;MpKsl47654546; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D190D73-1BCB-4679-8637-0F4A7F3402EF}\MpKsl47654546.sys []
S1 MpKsl5cae0751;MpKsl5cae0751; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA28EEDE-0D14-4B93-AAEE-E5F4435B9BDD}\MpKsl5cae0751.sys []
S1 MpKsl5e870acb;MpKsl5e870acb; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5363D11A-073A-477C-AF8C-5911FB120E4D}\MpKsl5e870acb.sys []
S1 MpKsl8256047d;MpKsl8256047d; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{42B3415E-53FF-49B0-A788-E1651AE75A36}\MpKsl8256047d.sys []
S1 MpKsldd31af8b;MpKsldd31af8b; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C14E954D-98C7-44A9-82BC-41AA19C485DA}\MpKsldd31af8b.sys []
S3 2WIREPCP;2Wire USB; C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2002-09-23 68672]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2004-11-29 148040]
S3 Dot4 HPH09;Dot4 HPH09; C:\WINDOWS\system32\DRIVERS\hphid409.sys [2003-01-30 50800]
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09; C:\WINDOWS\system32\DRIVERS\hphipr09.sys [2003-01-30 16112]
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09); C:\WINDOWS\System32\Drivers\hphs2k09.sys [2003-01-30 50211]
S3 Dot4Usb HPH09;Dot4Usb HPH09; C:\WINDOWS\System32\drivers\hphius09.sys [2003-01-30 18864]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS\system32\FsUsbExDisk.SYS []
S3 GT680x;GrandTechICNameNT; C:\WINDOWS\System32\Drivers\gt680x.sys [2001-11-08 18120]
S3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
S3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2001-11-20 12338]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 RT25USBAP;Nintendo Wi-Fi USB Connector Service; C:\WINDOWS\system32\DRIVERS\rt25usbap.sys [2006-04-10 162816]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\ssadbus.sys [2010-12-20 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter); C:\WINDOWS\system32\DRIVERS\ssadmdfl.sys [2010-12-20 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers; C:\WINDOWS\system32\DRIVERS\ssadmdm.sys [2010-12-20 121576]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2004-11-29 254007]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2005-12-22 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2011-04-05 153376]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-01-13 38912]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2010-11-11 11736]
R2 sprtsvc_ddoctorv2;SupportSoft Sprocket Service (ddoctorv2); C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe [2008-04-24 202560]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-11-17 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 nosGetPlusHelper;getPlus(R) Helper 3004; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver;Pml Driver; C:\WINDOWS\system32\HPHipm09.exe [2003-01-30 77824]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 1st, 2011, 10:27 pm

Hi. :)

You posted the OTL-script, not the log. The log file should be located in C:\vict0r\Moved Files, please locate and post the content of that logfile (it should contain the word Viewpoint).

Combofix (zzz.exe) on your desktop should now be deleted/uninstalled, if not, please delete it.

I believe I have found a way to get Combofix to run. Please back up any important files (i.e. to the cloud storage) before you continue.


Viewpoint

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Anything that is installed without your consent is suspect. Though not exactly classed as malware they do have some undersirible characteristics. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Usually there is no point uninstalling it, as the AIM 6(plus other AOL software) application you had installed, next time used will download/install the aforementioned again without your knowledge.


Download ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**.

Please rename ComboFix when you save the file to the desktop. Right click one of the following links and choose "Save as". name the file iexplore(.exe), do not run the tool yet:

Link1
Link2


Disable Microsoft Security Essentials

Make sure MSE is disabled:

  • Open Microsoft Security Essentials (MSE) and go to Settings > Real Time Protection.
  • Then uncheck "Turn on real time protection".
  • Close MSE when done.


Run ComboFix

You might want to print the rest of the instructions in this step in case Combofix crashes again.

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following line (including all quotes) into the run box & click OK (ComboFix must be located on the desktop named iexplore.exe):

"%userprofile%\desktop\iexplore.exe" /nombr

Click Yes to the disclaimer.

If Combofix asks to reboot, click Yes/OK. Combofix might reboot the computer automatically.

If Combofix still stall at the usual point and the system appears to have hung then

open task-manager - press ctrl alt and del at the same time, then select Task Manager

end any processes of

pev
findstr
sed
grep
nircmd
nircmd
swsc
* ........ any other process that has the .cfexe extension except for CFxxx.cfexe

combofix should then continue.

Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review and make sure MSE is re-enabled after Combofix is finished.

Continue with the rest of the instructions in this post even if Combofix fails.


Fix HijackThis entries

Start HijackThis: Click Start -> Run, copy and paste the following line into the run box and click OK:
"C:\Program Files\trend micro\HijackThis.exe"

  • From the Main Menu, click Do a system scan only
  • When the scan finishes...Place a check mark next to the following entries
  • Note: Only check those items listed below.
    Code: Select all
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    
  • After checking these items... CLOSE ALL open windows except HijackThis.
  • Click the Fix Checked button to remove the entries you checked.
  • Choose YES when prompted to fix the selected items.
  • Once it has fixed them, close HijackThis.


aswMBR

  • Double click aswMBR.exe (on your desktop) to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR(master boot record), do not delete it..
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.


OTL

  • Double click on OTL.exe (on your desktop) to run it.
  • Check the boxes labeled :
    • Scan All Users
    • LOP check
    • Purity check
  • Click on the Run Scan button at the top left hand corner.
  • OTL will start running. When done, 2 Notepad files will open; OTL.txt and Extras.txt.
    They will be saved on your desktop.


Make sure to enable Microsoft Security essentials again.

To Post:
  • OTL log (script)
  • Combofix log
  • aswMBR log
  • OTL logs (scan)
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 1st, 2011, 10:50 pm

vict0r wrote:
You posted the OTL-script, not the log. The log file should be located in C:\vict0r\Moved Files, please locate and post the content of that logfile (it should contain the word Viewpoint).



... Oh! I see what happened; I must not have copied the log and still had the script on my clipboard when I pasted. Here goes:



========== PROCESSES ==========
Process ViewpointService.exe killed successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\Dillon\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Dillon\Desktop\cmd.txt deleted successfully.
========== SERVICES/DRIVERS ==========
Service Viewpoint Manager Service stopped successfully!
Service Viewpoint Manager Service deleted successfully!

OTL by OldTimer - Version 3.2.22.3 log created on 05012011_134633



Stand by for the next steps; wanted to do this one first before moving on.
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby Scop » May 2nd, 2011, 12:35 am

Ah-hah, that did it and ComboFix finally ran! This time with no hang-ups, and I didn't need to reach for my Task Manager. Its report follows, at long last. Looks like a big one, so I'll paste the aswMBR and OLT.txt into a third reply.




ComboFix 11-05-01.01 - Dillon 05/01/2011 20:11:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.136 [GMT -7:00]
Running from: c:\documents and settings\Dillon\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Yahoo!
c:\documents and settings\All Users\Application Data\Yahoo!\competitor.xml
c:\documents and settings\All Users\Application Data\Yahoo!\Messenger\Plugin\4eb73995-f313-4f4a-49a5-1bc4d7c3ee68.yplugin\MANIFEST\plugin.properties
c:\documents and settings\All Users\Application Data\Yahoo!\YOP\yop.html
c:\documents and settings\All Users\Application Data\Yahoo!\ytaggedbm\Globaltags.ybm
c:\documents and settings\Dillon\Application Data\Yahoo!
c:\documents and settings\Dillon\Application Data\Yahoo!\bluefire_dust@sbcglobal.net\Bookmarks\personal.xml
c:\documents and settings\Dillon\Application Data\Yahoo!\bluefire_dust@sbcglobal.net\History\his13574
c:\documents and settings\Dillon\Application Data\Yahoo!\Browser\YScamGuard.xml
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\allrecipes.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\baparkour.ning.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\en.wikipedia.org.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\lb166473de129.ybn
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\lb167473de203.ybn
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\lb168473de2dd.ybn
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\lb774760967b.ybn
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\mail.google.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\mail.live.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\rd.yahoo.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\rvb.roosterteeth.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\tsgk.captainn.net.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.bankofamerica.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.cingular.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.craigslist.org.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.cvrpg.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.d20srd.org.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.fanfiction.net.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.findsounds.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.flashkit.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.grsites.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.hp.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.imdb.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.livejournal.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.microsoft.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.msn.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.nuklearpower.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.photobucket.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.sluggy.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.threepanelsoul.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.twolumps.net.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\Companion\Buttons\www.wizards.com.ico
c:\documents and settings\Dillon\Application Data\Yahoo!\morningmist_lala\Bookmarks\personal.xml
c:\documents and settings\Dillon\Application Data\Yahoo!\morningmist_lala\History\his13485
c:\documents and settings\Dillon\Application Data\Yahoo!\morningmist_lala\History\his13497
c:\documents and settings\Dillon\Application Data\Yahoo!\newcityboy_das\Bookmarks\personal.xml
c:\documents and settings\Dillon\Application Data\Yahoo!\newcityboy_das\History\his13514
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\Bookmarks\personal.xml
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13177
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13178
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13181
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13185
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13366
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13463
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13494
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13497
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13514
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13703
c:\documents and settings\Dillon\Application Data\Yahoo!\tanman_das\History\his13905
c:\documents and settings\Dillon\Application Data\Yahoo!\YUMs\YOP.xml
c:\windows\system32\muzapp.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 03:28 . 2011-05-02 03:28 -------- d--h--r- c:\documents and settings\Dillon\Application Data\yahoo!
2011-05-01 20:25 . 2011-05-01 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BCA0004A-8955-48A3-BDE1-772D361E3420}\MpKsl6fd870d3.sys
2011-05-01 20:23 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BCA0004A-8955-48A3-BDE1-772D361E3420}\mpengine.dll
2011-04-28 16:59 . 2011-04-28 16:59 -------- d-----w- C:\vict0r
2011-04-28 16:55 . 2011-04-28 16:55 -------- d-----w- c:\program files\ERUNT
2011-04-28 16:07 . 2011-04-28 16:07 -------- d-----w- c:\documents and settings\Dillon\Application Data\Malwarebytes
2011-04-28 16:07 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 16:07 . 2011-04-28 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 16:07 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 16:06 . 2011-04-28 16:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-26 15:31 . 2011-04-26 15:31 -------- d-----w- c:\documents and settings\Dillon\Application Data\com.amazon.music.uploader
2011-04-26 15:27 . 2011-04-26 15:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-04-26 14:59 . 2011-04-26 14:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-24 16:01 . 2011-05-01 20:51 -------- d-----w- c:\program files\trend micro
2011-04-24 16:01 . 2011-04-24 16:02 -------- d-----w- C:\rsit
2011-04-21 23:32 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 01:48 . 2011-04-06 01:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 01:48 . 2011-04-06 01:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-27 23:20 . 2004-08-04 08:00 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2011-03-07 05:33 . 2004-08-04 08:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 08:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 08:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 08:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 08:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-17 01:17 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 08:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 08:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 08:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 08:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-04 08:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"="0"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl6fd870d3;MpKsl6fd870d3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BCA0004A-8955-48A3-BDE1-772D361E3420}\MpKsl6fd870d3.sys [5/1/2011 1:25 PM 28752]
S1 MpKsl18e74faf;MpKsl18e74faf;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl18e74faf.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl18e74faf.sys [?]
S1 MpKsl3012dce8;MpKsl3012dce8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl3012dce8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9DBF00-4EC0-4AD2-BB90-EE9BBF296FF5}\MpKsl3012dce8.sys [?]
S1 MpKsl47654546;MpKsl47654546;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D190D73-1BCB-4679-8637-0F4A7F3402EF}\MpKsl47654546.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D190D73-1BCB-4679-8637-0F4A7F3402EF}\MpKsl47654546.sys [?]
S1 MpKsl5cae0751;MpKsl5cae0751;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA28EEDE-0D14-4B93-AAEE-E5F4435B9BDD}\MpKsl5cae0751.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA28EEDE-0D14-4B93-AAEE-E5F4435B9BDD}\MpKsl5cae0751.sys [?]
S1 MpKsl5e870acb;MpKsl5e870acb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5363D11A-073A-477C-AF8C-5911FB120E4D}\MpKsl5e870acb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5363D11A-073A-477C-AF8C-5911FB120E4D}\MpKsl5e870acb.sys [?]
S1 MpKsl8256047d;MpKsl8256047d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{42B3415E-53FF-49B0-A788-E1651AE75A36}\MpKsl8256047d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{42B3415E-53FF-49B0-A788-E1651AE75A36}\MpKsl8256047d.sys [?]
S1 MpKsldd31af8b;MpKsldd31af8b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C14E954D-98C7-44A9-82BC-41AA19C485DA}\MpKsldd31af8b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C14E954D-98C7-44A9-82BC-41AA19C485DA}\MpKsldd31af8b.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 7:55 PM 18864]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\FsUsbExDisk.SYS --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 1:00 AM 14336]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/7/2011 11:50 AM 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/7/2011 11:51 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/7/2011 11:51 AM 121576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
.
2011-05-02 c:\windows\Tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshoo ... aptest.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
AddRemove-Macromedia Central - c:\documents and settings\Dillon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\Central\Central.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Dillon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
AddRemove-Quest for Glory II - c:\program files\Sierra\AGD\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 20:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?6?4?5??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,04,34,ff,6f,a4,26,49,b2,9d,fb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,04,34,ff,6f,a4,26,49,b2,9d,fb,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(668)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2011-05-01 20:43:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-02 03:43
.
Pre-Run: 6,559,703,040 bytes free
Post-Run: 6,763,487,232 bytes free
.
- - End Of File - - 52D2D11C8C8B7CCF0A6C96663EEDDDFC
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby Scop » May 2nd, 2011, 12:37 am

aswMBR's latest log:



aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 12:23:38
-----------------------------
12:23:38.156 OS Version: Windows 5.1.2600 Service Pack 3
12:23:38.156 Number of processors: 1 586 0xD08
12:23:38.156 ComputerName: DILLONA UserName: Dillon
12:23:38.671 Initialize success
12:23:40.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
12:23:40.609 Disk 0 Vendor: HTS424040M9AT00 MA2OA72A Size: 38154MB BusType: 3
12:23:40.625 Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS424040M9AT00_________________________MA2OA72A#5&2d04cccb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
12:23:40.625 Device \Driver\atapi -> DriverStartIo 82aaaaf1
12:23:42.640 Disk 0 MBR read successfully
12:23:42.640 Disk 0 MBR scan
12:23:44.656 Disk 0 scanning sectors +78140160
12:23:44.843 Disk 0 scanning C:\WINDOWS\system32\drivers
12:23:54.781 File C:\WINDOWS\system32\drivers\intelppm.sys TDL3 **ROOTKIT**
12:23:54.796 Disk 0 trace - called modules:
12:23:54.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82aaaecc]<<
12:23:54.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b9a030]
12:23:54.859 3 CLASSPNP.SYS[f8554fd7] -> nt!IofCallDriver -> \Device\00000084[0x82b5fd80]
12:23:54.875 5 ACPI.sys[f83cb620] -> nt!IofCallDriver -> [0x82be65f0]
12:23:55.390 [0x82b7c638] -> IRP_MJ_CREATE -> 0x82aaaecc
12:23:55.406 Scan finished successfully
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 21:50:21
-----------------------------
21:50:21.093 OS Version: Windows 5.1.2600 Service Pack 3
21:50:21.093 Number of processors: 1 586 0xD08
21:50:21.109 ComputerName: DILLONA UserName: Dillon
21:50:21.781 Initialize success
21:50:27.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
21:50:27.421 Disk 0 Vendor: HTS424040M9AT00 MA2OA72A Size: 38154MB BusType: 3
21:50:27.421 Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS424040M9AT00_________________________MA2OA72A#5&2d04cccb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
21:50:27.437 Device \Driver\atapi -> DriverStartIo 82aaaaf1
21:50:29.468 Disk 0 MBR read successfully
21:50:29.468 Disk 0 MBR scan
21:50:31.484 Disk 0 scanning sectors +78140160
21:50:31.656 Disk 0 scanning C:\WINDOWS\system32\drivers
21:50:42.359 File C:\WINDOWS\system32\drivers\intelppm.sys TDL3 **ROOTKIT**
21:50:42.375 Disk 0 trace - called modules:
21:50:42.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82aaaecc]<<
21:50:42.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b49030]
21:50:42.437 3 CLASSPNP.SYS[f8554fd7] -> nt!IofCallDriver -> \Device\00000085[0x82b99ae8]
21:50:42.453 5 ACPI.sys[f83cb620] -> nt!IofCallDriver -> [0x82b95218]
21:50:43.000 [0x82b65858] -> IRP_MJ_CREATE -> 0x82aaaecc
21:50:43.015 Scan finished successfully
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-01 21:00:59
-----------------------------
21:00:59.031 OS Version: Windows 5.1.2600 Service Pack 3
21:00:59.031 Number of processors: 1 586 0xD08
21:00:59.031 ComputerName: DILLONA UserName: Dillon
21:01:02.875 Initialize success
21:01:11.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:01:11.484 Disk 0 Vendor: HTS424040M9AT00 MA2OA72A Size: 38154MB BusType: 3
21:01:13.562 Disk 0 MBR read successfully
21:01:13.562 Disk 0 MBR scan
21:01:15.578 Disk 0 scanning sectors +78140160
21:01:15.750 Disk 0 scanning C:\WINDOWS\system32\drivers
21:01:29.375 Service scanning
21:01:31.234 Disk 0 trace - called modules:
21:01:31.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:01:31.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82bd3030]
21:01:31.281 3 CLASSPNP.SYS[f8554fd7] -> nt!IofCallDriver -> \Device\00000085[0x82b86ae8]
21:01:31.296 5 ACPI.sys[f83cb620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x82b8c218]
21:01:31.312 Scan finished successfully



And finally, the OTL scan:



OTL logfile created on: 5/1/2011 9:18:31 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dillon\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 191.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.05 Gb Total Space | 6.32 Gb Free Space | 17.07% Space Free | Partition Type: NTFS

Computer Name: DILLONA | User Name: Dillon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/10/07 08:23:46 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/11/29 20:55:44 | 000,569,405 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2004/11/04 11:40:08 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/03/11 01:08:52 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
PRC - [2003/01/30 19:55:46 | 000,311,296 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon03.exe
PRC - [2002/12/17 11:40:22 | 000,049,152 | R--- | M] () -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
PRC - [2002/12/02 20:56:10 | 000,040,960 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe


========== Modules (SafeList) ==========

MOD - [2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/04/19 14:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll
MOD - [2004/11/04 11:39:58 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (nosGetPlusHelper) getPlus(R)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2003/01/30 19:55:44 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm09.exe -- (Pml Driver)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/05/01 13:25:10 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BCA0004A-8955-48A3-BDE1-772D361E3420}\MpKsl6fd870d3.sys -- (MpKsl6fd870d3)
DRV - [2010/12/20 22:55:02 | 000,121,576 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2010/12/20 22:55:02 | 000,096,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2010/12/20 22:55:02 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2007/11/14 17:35:24 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2006/12/11 12:05:28 | 002,209,536 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2006/04/10 15:02:00 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT25USBAP.SYS -- (RT25USBAP)
DRV - [2005/09/20 11:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/05/05 12:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 12:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/02/17 23:42:02 | 000,349,696 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/02/17 23:41:18 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2004/12/14 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/14 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/14 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/12/02 09:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/11/29 20:36:22 | 000,399,616 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/11/29 20:34:20 | 000,148,040 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/11/29 20:33:14 | 001,337,850 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/11/29 20:30:44 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/03/29 18:28:24 | 000,014,531 | ---- | M] (iRiver, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ifp800.sys -- (IFP800)
DRV - [2003/01/30 19:55:44 | 000,050,800 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2003/01/30 19:55:44 | 000,050,211 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2003/01/30 19:55:44 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2003/01/30 19:55:44 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)
DRV - [2002/09/23 14:49:44 | 000,068,672 | ---- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2001/11/20 17:01:00 | 000,012,338 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2001/11/08 08:53:54 | 000,018,120 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt680x.sys -- (GT680x)
DRV - [2001/08/17 12:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0



IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2011/05/01 20:26:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
O4 - HKLM..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoTBar.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe (Hewlett-Packard)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3863108728-1907864540-2948979912-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} http://www.nintendowifi.com/troubleshoo ... aptest.cab (USBAPTester Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h20278.www2.hp.com/HPISWeb/Custo ... anager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab (VerifyGMN Class)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} C:\Program Files\Yahoo!\common\yucconfig.dll (yucsetreg Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdat ... /opuc3.cab (Office Update Installation Engine)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/Shar ... /cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 7434653125 (MUWebControl Class)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} http://mediaplayer.walmart.com/installer/install.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-be ... canner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/01 21:17:15 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/01 20:28:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dillon\Application Data\yahoo!
[2011/05/01 20:22:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/01 20:06:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/01 20:06:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/01 20:06:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/01 20:06:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/01 20:05:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/28 09:59:11 | 000,000,000 | ---D | C] -- C:\vict0r
[2011/04/28 09:58:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/28 09:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/28 09:50:13 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\Malwarebytes
[2011/04/28 09:07:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/28 09:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/28 09:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/28 09:07:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/28 09:06:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/28 09:05:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:45 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Desktop\tdsskiller
[2011/04/26 12:14:15 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 08:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2011/04/26 08:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\My Documents\Amazon MP3 Uploader
[2011/04/26 08:27:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/04/24 16:24:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/24 16:18:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/24 09:01:42 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2011/04/24 09:01:36 | 000,000,000 | ---D | C] -- C:\rsit
[2011/04/05 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/04/05 18:48:41 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/04/05 18:48:41 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/05 18:48:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/05 18:48:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/05 18:48:41 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2007/04/11 17:09:46 | 000,018,120 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\gt680x.sys
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/01 21:16:48 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job
[2011/05/01 21:13:43 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/05/01 20:33:32 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/01 20:27:12 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/01 20:26:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/01 20:25:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/01 20:25:44 | 526,897,152 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/01 19:55:41 | 004,334,470 | R--- | M] () -- C:\Documents and Settings\Dillon\Desktop\ComboFix.exe
[2011/05/01 13:49:25 | 000,244,224 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/29 12:04:24 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/29 12:04:24 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/28 10:14:45 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:50:15 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:07 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/28 09:05:28 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:46 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:05:19 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 17:38:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/26 12:14:23 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 12:14:01 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/24 16:24:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/24 08:45:10 | 000,339,991 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:29 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/04/15 10:27:46 | 000,319,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 14:06:19 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/13 22:04:59 | 000,001,852 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Amazon Cloud Player.lnk
[2011/04/05 18:48:05 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/05 18:48:05 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/05 18:48:05 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/05 18:48:05 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/05 18:48:04 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/01 20:06:22 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/01 20:06:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/01 20:06:22 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/01 20:06:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/01 20:06:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/01 19:55:33 | 004,334,470 | R--- | C] () -- C:\Documents and Settings\Dillon\Desktop\ComboFix.exe
[2011/05/01 13:49:22 | 000,244,224 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/30 23:58:04 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/28 10:14:45 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:55:04 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:07:07 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/27 16:05:12 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 22:51:11 | 526,897,152 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/26 12:24:41 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/04/26 12:14:00 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/26 08:30:12 | 000,000,921 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Amazon MP3 Uploader.lnk
[2011/04/24 16:24:26 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/24 16:24:19 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/24 08:45:08 | 000,339,991 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:24 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/04/13 22:04:59 | 000,001,852 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Amazon Cloud Player.lnk
[2011/01/08 10:05:14 | 000,181,600 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/01/04 17:10:56 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/04 17:10:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/04 17:10:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/04 17:10:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2007/09/30 08:28:49 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/04/21 21:46:11 | 000,007,313 | ---- | C] () -- C:\WINDOWS\hpdj3500.ini
[2007/04/21 21:45:35 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/02/16 14:23:13 | 000,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/16 14:22:44 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/02/16 14:22:44 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/11/17 12:34:40 | 000,091,848 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/06/14 20:03:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/13 21:21:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/04/29 08:38:16 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/02/26 09:33:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/26 09:26:20 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/02/20 18:38:32 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Dillon\Application Data\usb.dat.bin
[2006/02/07 19:44:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2006/02/01 22:14:47 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/01/31 10:29:58 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\fusioncache.dat
[2006/01/31 10:19:55 | 000,050,523 | ---- | C] () -- C:\WINDOWS\hpdins05.dat
[2006/01/31 10:19:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpdmdl01.dat
[2006/01/30 00:58:43 | 000,058,368 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/30 00:16:05 | 000,000,203 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/01/29 10:35:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2006/01/28 18:32:40 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\FASTWiz.html
[2005/11/11 16:46:02 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\usbaptest.dll
[2005/08/26 15:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\shortcut.exe
[2005/04/11 04:43:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/11 04:41:01 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/11/29 20:44:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 06:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 06:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 06:10:30 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 06:10:30 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 06:10:08 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 06:02:54 | 000,319,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 05:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 05:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 01:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 01:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 01:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 01:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 01:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 01:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 01:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 01:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/01/13 20:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/05 22:03:18 | 000,004,978 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
[2003/03/05 18:28:38 | 000,000,309 | ---- | C] () -- C:\WINDOWS\hpfins01.dat
[2003/01/30 19:55:40 | 000,036,864 | ---- | C] () -- C:\WINDOWS\hpfsched.exe
[2003/01/30 19:54:28 | 000,003,691 | ---- | C] () -- C:\WINDOWS\hphinfs.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/26 15:09:58 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2002/07/22 17:57:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2002/05/28 01:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 01:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2008/07/13 19:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2006/12/14 07:04:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/02/27 21:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mMcHmPf06300
[2005/04/11 05:06:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2008/01/28 11:59:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/02/16 14:22:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/06/01 09:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/02/27 20:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/21 11:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/10/10 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Alien Skin
[2009/11/10 11:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Amazon
[2011/04/26 08:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2006/01/30 01:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\InterVideo
[2006/01/29 11:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Leadertech
[2006/01/30 17:29:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Musicmatch
[2011/01/07 12:08:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Samsung
[2009/10/19 18:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2011/05/01 20:33:32 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2011/05/01 21:16:48 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job

========== Purity Check ==========



< End of report >
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 2nd, 2011, 7:47 pm

Scop wrote:Ah-hah, that did it and ComboFix finally ran!
Good! :)

Here's more work for you. I hope we will be finished soon.


CA uninstaller

Please run the Computer Associates uninstaller as described here:
http://homeofficekb.ca.com/CIDocument.a ... BEA49F571B


SystemLook

  • Double-click SystemLook.exe (on your desktop) to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :dir
    C:\Qoobox\Quarantine /s /nmuzapp*.*
    C:\vict0r\ /s /no1394bul.sys
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Leave it open (needed in the next step).

    Note: The log can also be found on your Desktop entitled SystemLook.txt


Upload Files for testing

Please go to Virustotal or jotti.org

Copy/paste this file and path into the white box at the top (refer to the systemlook log if incorrect):
C:\Qoobox\Quarantine\c\windows\system32\muzapp.exe.vir

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish, then copy and paste the permalink (web address) in your next response.
Example of web address :
Image

Repeat this step for the following file (refer to the systemlook log from the previous step):
C:\vict0r\<path to>\o1394bul.sys

Post the links before you continue with the next step. If problems, post the systemlook log.


Fixpolicies

Please Download FixPolicies.exe, a self-extracting ZIP archive from Here and Save it to your Desktop.
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.exe.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close. This is normal and there's no log.


Combofix

This script is for this user and computer ONLY! ComboFix SHOULD NOT be used unless requested by a forum helper.


Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
NOMBR::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]



Save the file as "CFScript.txt", and as Type: All Files (*.*) on your desktop.

Image

Refer to the picture above, then save all work and close all programs including any open browsers(!) and drag CFScript onto iexplore.exe (the one with the combofix icon).

If Combofix prompts you to upgrade, please allow it. Please do not use the computer at all while Combofix is running.

When finished, it shall produce a log for you at C:\ComboFix.txt.


MBR -t

  • Click Start > Run.
  • Copy and paste the contents of the codebox below into the run box (Do Not include Code:)
    Code: Select all
    CMD /C \mbr -t >Log.txt&Log.txt&del Log.txt
  • then click OK.
  • A log will be generated, Post the contents in your next reply.
  • If the step failed so far, then please try the following:
  • Right click and select Save as... MBR Rootkit Detector by GMER. Save the file to the desktop as vmr.com
  • Double click on the vmr.com file to run it.
  • A window will open briefly then close.
  • A log will be produced & saved to the desktop, called MBR.log.
  • Please post the contents of that log in your next reply and remember to tell me if you had to download a renamed copy.


MBRCheck

    Please download MBRCheck.exe and save it to your desktop.
  • Double click on MBRCheck.exe to run it.
  • A window similar to this should open on your desktop:

Image

  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again.
  • A log will open on your Desktop ...... MBRCheck_mm.dd.yy_hh.mm.ss.txt (where mm.dd.yy_hh.mm.ss are the date and time the scan was run)
  • Please post the contents of the log in your next reply.


To post:
  • Virustotal links/Systemlook log
  • Combofix log
  • MBR log (renamed?)
  • MBRCheck
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 3rd, 2011, 12:59 am

Virustotal's Browse field wouldn't accept the paste of the path, but it did direct me for Browsing and selecting manually. The Qoobox file uploaded successfully and lead to the following address:

http://www.virustotal.com/file-scan/reanalysis.html?id=be085232a2f467be4ef3c4b781c3de579b97dca8a23d23946083ed9ea2a31390-1304396169

The 'o1394bul.sys' file, though, I couldn't find. Its only occurance in the SystemLook log looks to me like it came from the code provided to Paste.

I noticed:

Code: Select all
:dir
C:\Qoobox\Quarantine /s /nmuzapp*.*
C:\vict0r\ /s /[color=#FF0000]n[/color]o1394bul.sys


Compared to:
C:\vict0r\<path to>\o1394bul.sys


Yet I found the muzapp.exe.vir file in Qoobox successfully, so I figure the 'n' must be deliberate. Unable to find o1394bul.sys.

SystemLook report following:




SystemLook 04.09.10 by jpshortstuff
Log created at 21:19 on 02/05/2011 by Dillon
Administrator - Elevation successful

========== dir ==========

C:\Qoobox\Quarantine - Parameters: "/s /nmuzapp*.*"

---Files---
None found.

C:\Qoobox\Quarantine\C d------ [03:10 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo! d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\Messenger d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\Messenger\Plugin d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\Messenger\Plugin\4eb73995-f313-4f4a-49a5-1bc4d7c3ee68.yplugin d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\Messenger\Plugin\4eb73995-f313-4f4a-49a5-1bc4d7c3ee68.yplugin\MANIFEST d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\YOP d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Yahoo!\ytaggedbm d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo! d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\bluefire_dust@sbcglobal.net d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\bluefire_dust@sbcglobal.net\Bookmarks d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\bluefire_dust@sbcglobal.net\History d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\Browser d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\Companion d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\Companion\Buttons d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\morningmist_lala d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\morningmist_lala\Bookmarks d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\morningmist_lala\History d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\newcityboy_das d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\newcityboy_das\Bookmarks d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\newcityboy_das\History d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\tanman_das d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\tanman_das\Bookmarks d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\tanman_das\History d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Dillon\Application Data\Yahoo!\YUMs d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\WINDOWS d------ [03:21 02/05/2011]

C:\Qoobox\Quarantine\C\WINDOWS\system32 d------ [03:21 02/05/2011]
muzapp.exe.vir --a---- 177496 bytes [06:22 06/01/2011] [06:22 06/01/2011]

C:\Qoobox\Quarantine\Registry_backups d------ [03:05 02/05/2011]

C:\vict0r - Parameters: "/s /no1394bul.sys"

---Files---
None found.

C:\vict0r\MovedFiles d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911 d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_Documents and Settings d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_Documents and Settings\Dillon d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_Documents and Settings\Dillon\Local Settings d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_Documents and Settings\Dillon\Local Settings\Application Data d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_Documents and Settings\Dillon\Local Settings\Application Data\enrmqj d------ [06:14 04/03/2010]

C:\vict0r\MovedFiles\04282011_095911\c_program files d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeEssentials.Resources\ru.lproj d------ [17:20 18/02/2010]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeVRAuthoring.Resources\pt.lproj d------ [17:20 18/02/2010]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\c_program files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\it.lproj d------ [17:20 18/02/2010]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS\system32 d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS\system32\config d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile\Application Data d------ [16:59 28/04/2011]

C:\vict0r\MovedFiles\04282011_095911\C_WINDOWS\system32\config\systemprofile\Application Data\AntiVirus_AntiSpyware_2011 d------ [02:38 27/04/2011]

C:\vict0r\MovedFiles\04292011_115311 d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings\All Users d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings\All Users\Application Data d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings\Dillon d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings\Dillon\Local Settings d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_Documents and Settings\Dillon\Local Settings\Application Data d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_WINDOWS d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04292011_115311\C_WINDOWS\Downloaded Program Files d------ [18:53 29/04/2011]

C:\vict0r\MovedFiles\04302011_214053 d------ [04:40 01/05/2011]

C:\vict0r\MovedFiles\05012011_134633 d------ [20:46 01/05/2011]

-= EOF =-

You may be amused to hear that MSE got its hackles up while I was trying to Browse for the file on the VirusTotal webpage. I Cancelled the browsing to re-check your instructions, and a few seconds later MSE popped up an alert saying that it had detected and suspended a trojan. When I looked at its more detailed report, the file path it listed was the same as I'd been looking at. I figure I set off a false alarm, but MSE declared that it cleaned it of its own volition anyway.
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby Scop » May 3rd, 2011, 2:13 am

ComboFix seems to be up to its old performance anxieties again. It's also been renamed from iexplore.exe to ComboFix.exe, and I would've remembered if I'd done that. Perhaps that happened when dropping the CFScript.txt prompted it to update? In any case, it's stalling in the old place. I disabled more settings in MSE, the scheduled scanning and applying default actions, in case they were interfering with ComboFix. MSE did try to flash the 'Your computer was cleaned' pop-up when I tried to initiate the script into ComboFix. I'm suspicious of the renaming, and unsure if I should proceed to the MBR steps.
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 3rd, 2011, 3:04 am

Please continue with the MBR steps.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 3rd, 2011, 12:45 pm

The MBR -t Run command didn't go through. Copied from its window:



'\mbr' is not recognized as an internal or external command,
operable program or batch file.



It generated a blank Log.txt. I downloaded and renamed the MBR Rootkit Detector and ran it, but instead of opening, closing, and generating a log, it stayed open at the line:



user & kernel MBR OK



There it froze, forcing me to hard-reset. Upon restarting, the mbr.log had only this to say:



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net



... and that was it.

Fortunately the MBRCheck appears to have ran successfully. This is its log:



MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF89F4000 \WINDOWS\system32\KDCOM.DLL
0xF8904000 \WINDOWS\system32\BOOTVID.dll
0xF83C5000 ACPI.sys
0xF89F6000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF83B4000 pci.sys
0xF84F4000 isapnp.sys
0xF8504000 ohci1394.sys
0xF8514000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8908000 compbatt.sys
0xF890C000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8ABC000 pciide.sys
0xF8774000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF89F8000 intelide.sys
0xF89FA000 viaide.sys
0xF89FC000 aliide.sys
0xF8396000 pcmcia.sys
0xF8524000 MountMgr.sys
0xF8377000 ftdisk.sys
0xF8910000 ACPIEC.sys
0xF8ABD000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF877C000 PartMgr.sys
0xF8534000 VolSnap.sys
0xF835F000 atapi.sys
0xF8544000 disk.sys
0xF8554000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF833F000 fltmgr.sys
0xF8328000 KSecDD.sys
0xF8914000 ifp800.sys
0xF89FE000 \WINDOWS\system32\drivers\USBD.SYS
0xF8315000 WudfPf.sys
0xF8288000 Ntfs.sys
0xF825B000 NDIS.sys
0xF8564000 serial.sys
0xF8241000 Mup.sys
0xF8584000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF89C4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF8644000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7246000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7232000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF880C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF720E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8814000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF71D6000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF6DE5000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF6C9D000 \SystemRoot\system32\drivers\tifm21.sys
0xF6C78000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF6BEA000 \SystemRoot\system32\drivers\camc6hal.sys
0xF8754000 \SystemRoot\system32\drivers\camc6aud.sys
0xF6B48000 \SystemRoot\system32\drivers\portcls.sys
0xF8764000 \SystemRoot\system32\drivers\drmk.sys
0xF6B14000 \SystemRoot\system32\drivers\ks.sys
0xF6ABF000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF6870000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6743000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF88B4000 \SystemRoot\System32\Drivers\Modem.SYS
0xF78F0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF88C4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6715000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF88D4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF78D0000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF78C0000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF78B0000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF8998000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF65D2000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF8AC7000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF78A0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7BF3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF65BB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7890000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF85F4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF87A4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF65AA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF85A4000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF87B4000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF87C4000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF85B4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A38000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF654C000 \SystemRoot\system32\DRIVERS\update.sys
0xF89A8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF85C4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8604000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA760000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF8A80000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C09000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A82000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88BC000 \SystemRoot\System32\drivers\vga.sys
0xF8A84000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A86000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8864000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF886C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF899C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA543000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA4EA000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA4C2000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA4A0000 \SystemRoot\System32\drivers\afd.sys
0xF86C4000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA475000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA405000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF86D4000 \SystemRoot\System32\Drivers\Fips.SYS
0xF8A88000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xAA3BF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF86E4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF86F4000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF8744000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA37F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A8E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA79B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF88A4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C3B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07C000 \SystemRoot\System32\ialmdd5.DLL
0xBF16B000 \SystemRoot\System32\ATMFD.DLL
0xAA1EB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9F82000 \SystemRoot\system32\drivers\wdmaud.sys
0xF8694000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9D6F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8A9A000 \SystemRoot\System32\Drivers\MCSTRM.SYS
0xA9FBB000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA9C27000 \SystemRoot\system32\DRIVERS\srv.sys
0xA991D000 \SystemRoot\system32\DRIVERS\sr.sys
0xA96AC000 \SystemRoot\System32\Drivers\HTTP.sys
0xA92E9000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
624 C:\WINDOWS\system32\smss.exe
676 csrss.exe
700 C:\WINDOWS\system32\winlogon.exe
744 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
916 C:\WINDOWS\system32\svchost.exe
972 svchost.exe
1060 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1100 C:\WINDOWS\system32\svchost.exe
1212 C:\WINDOWS\system32\svchost.exe
1488 C:\WINDOWS\explorer.exe
1508 svchost.exe
1776 C:\WINDOWS\system32\spoolsv.exe
152 svchost.exe
188 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
288 C:\Program Files\Java\jre6\bin\jqs.exe
384 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
420 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
512 C:\WINDOWS\system32\svchost.exe
1904 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
1964 alg.exe
2140 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
2152 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2204 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
2216 C:\WINDOWS\system32\hphmon03.exe
2224 C:\WINDOWS\system32\igfxtray.exe
2284 C:\WINDOWS\system32\hkcmd.exe
2332 C:\WINDOWS\system32\igfxpers.exe
2348 C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe
2356 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
2368 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
2396 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
2516 C:\Program Files\Microsoft Security Client\msseces.exe
2528 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2648 C:\WINDOWS\system32\ctfmon.exe
2772 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
3280 wmiprvse.exe
3320 C:\Program Files\Internet Explorer\iexplore.exe
3520 C:\Program Files\Internet Explorer\iexplore.exe
4072 C:\Documents and Settings\Dillon\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS424040M9AT00, Rev: MA2OA72A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am

Re: yet another search engine redirection

Unread postby vict0r » May 3rd, 2011, 1:37 pm

I will consult some other helpers about this problem.

Have you got the windows install cd that followed this or another computer when it was new?

Please follow the instructions below.

MBRBackup

Download MBRBackup to your Desktop.

  • Double-click MBRBackup.exe to launch the program.
  • Click SaveMBR (top left corner) and save the backup file to your Desktop.
  • It will have a name similar to MBR_2010-10-06.bin where the numbers correspond to the date the backup was made.
  • Exit the program.
  • I strongly suggest you keep a copy of this backup stored on an external device.


Upload File for testing

Please go to Virustotal or jotti.org

Submit the MBR_<date>.bin file for testing.
Please wait for all the scanners to finish, then copy and paste the permalink (web address) in your next response.
Example of web address :
Image


OTL

  1. Double-click on OTL.exe to run it.
  2. Click the Quick Scan button. (Do not change any settings.)
  3. When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, maximized
  4. Please post the contents of OTL.txt in your next reply.


When finished, please post the following:
  • Windows install cd?
  • Virustotal link.
  • OTL log
  • Describe any problems while following the instructions (if any).
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: yet another search engine redirection

Unread postby Scop » May 4th, 2011, 1:21 am

I've scoured my home, but I can't find my XP Install disc. It seems to be lost. My mother's computer is also an HP and I believe it runs XP; if worst comes to worst I might be able to take a drive to make use of hers next week.

After I uploaded the .bin to Virustotal it simply returned me to its homepage with no permalink. Perhaps this is normal if it finds nothing? Jotti actually told me that its scanners found nothing, though: http://virusscan.jotti.org/en/scanresult/1a933cb199e6d5e31060d31e4d6e3b80f4405785

The OTL report follows here:



OTL logfile created on: 5/3/2011 10:05:31 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dillon\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 76.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 48.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.05 Gb Total Space | 6.23 Gb Free Space | 16.82% Space Free | Partition Type: NTFS

Computer Name: DILLONA | User Name: Dillon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/10/07 08:23:46 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/11/29 20:55:44 | 000,569,405 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2004/11/04 11:40:08 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/03/11 01:08:52 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
PRC - [2003/01/30 19:55:46 | 000,311,296 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon03.exe
PRC - [2002/12/17 11:40:22 | 000,049,152 | R--- | M] () -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
PRC - [2002/12/02 20:56:10 | 000,040,960 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe


========== Modules (SafeList) ==========

MOD - [2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/04/19 14:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll
MOD - [2004/11/04 11:39:58 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (nosGetPlusHelper) getPlus(R)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2003/01/30 19:55:44 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm09.exe -- (Pml Driver)


========== Driver Services (SafeList) ==========

DRV - [2010/12/20 22:55:02 | 000,121,576 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2010/12/20 22:55:02 | 000,096,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2010/12/20 22:55:02 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2007/11/14 17:35:24 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2006/12/11 12:05:28 | 002,209,536 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2006/04/10 15:02:00 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT25USBAP.SYS -- (RT25USBAP)
DRV - [2005/09/20 11:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/05/05 12:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 12:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/02/17 23:42:02 | 000,349,696 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/02/17 23:41:18 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2004/12/14 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/14 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/14 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/12/02 09:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/11/29 20:36:22 | 000,399,616 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/11/29 20:34:20 | 000,148,040 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/11/29 20:33:14 | 001,337,850 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/11/29 20:30:44 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/03/29 18:28:24 | 000,014,531 | ---- | M] (iRiver, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ifp800.sys -- (IFP800)
DRV - [2003/01/30 19:55:44 | 000,050,800 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2003/01/30 19:55:44 | 000,050,211 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2003/01/30 19:55:44 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2003/01/30 19:55:44 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)
DRV - [2002/09/23 14:49:44 | 000,068,672 | ---- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2001/11/20 17:01:00 | 000,012,338 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2001/11/08 08:53:54 | 000,018,120 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt680x.sys -- (GT680x)
DRV - [2001/08/17 12:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2011/05/01 20:26:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hp\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hp\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
O4 - HKLM..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} http://www.nintendowifi.com/troubleshoo ... aptest.cab (USBAPTester Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h20278.www2.hp.com/HPISWeb/Custo ... anager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab (VerifyGMN Class)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} C:\Program Files\Yahoo!\common\yucconfig.dll (yucsetreg Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdat ... /opuc3.cab (Office Update Installation Engine)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/Shar ... /cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 7434653125 (MUWebControl Class)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} http://mediaplayer.walmart.com/installer/install.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-be ... canner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dillon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/02 22:36:06 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/05/02 22:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Desktop\FixPolicies
[2011/05/02 21:16:49 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Dillon\Desktop\WinsockxpFix.exe
[2011/05/02 21:16:41 | 000,186,368 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\Dillon\Desktop\LSPFix.exe
[2011/05/02 21:16:32 | 000,036,864 | ---- | C] (Rock Systems & Development) -- C:\Documents and Settings\Dillon\Desktop\SafeMSI.exe
[2011/05/02 21:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2011/05/01 21:17:15 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/01 20:28:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dillon\Application Data\yahoo!
[2011/05/01 20:22:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/01 20:06:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/01 20:06:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/01 20:06:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/01 20:06:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/01 20:05:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/28 09:59:11 | 000,000,000 | ---D | C] -- C:\vict0r
[2011/04/28 09:58:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/28 09:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/28 09:50:13 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\Malwarebytes
[2011/04/28 09:07:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/28 09:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/28 09:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/28 09:07:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/28 09:06:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/28 09:05:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:45 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Desktop\tdsskiller
[2011/04/26 12:14:15 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 08:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2011/04/26 08:30:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dillon\My Documents\Amazon MP3 Uploader
[2011/04/26 08:27:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/04/24 16:24:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/24 16:18:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/24 09:01:42 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2011/04/24 09:01:36 | 000,000,000 | ---D | C] -- C:\rsit
[2011/04/05 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2007/04/11 17:09:46 | 000,018,120 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\gt680x.sys
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/03 22:10:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job
[2011/05/03 22:00:34 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBR_2011-05-03.bin
[2011/05/03 22:00:00 | 001,452,824 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBRBackup.exe
[2011/05/03 09:35:17 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBRCheck.exe
[2011/05/03 09:30:07 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/03 09:29:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/03 09:29:26 | 526,897,152 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/03 09:23:24 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\vmr.com
[2011/05/02 22:11:12 | 004,335,631 | R--- | M] () -- C:\Documents and Settings\Dillon\Desktop\ComboFix.exe
[2011/05/02 22:04:05 | 000,185,065 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
[2011/05/02 21:16:50 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Dillon\Desktop\WinsockxpFix.exe
[2011/05/02 21:16:42 | 000,186,368 | ---- | M] (CEXX.ORG) -- C:\Documents and Settings\Dillon\Desktop\LSPFix.exe
[2011/05/02 21:16:37 | 000,036,864 | ---- | M] (Rock Systems & Development) -- C:\Documents and Settings\Dillon\Desktop\SafeMSI.exe
[2011/05/01 21:13:43 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/05/01 20:26:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/01 13:49:25 | 000,244,224 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/29 12:04:24 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/29 12:04:24 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/28 10:14:45 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:58:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\OTL.exe
[2011/04/28 09:55:04 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:50:15 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Dillon\Desktop\erunt-setup.exe
[2011/04/28 09:07:07 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/28 09:05:28 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Dillon\Desktop\mbam-setup.exe
[2011/04/27 18:06:46 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dillon\Desktop\master.exe
[2011/04/27 16:05:19 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 17:38:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/26 12:14:23 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dillon\Desktop\aswMBR.exe
[2011/04/26 12:14:01 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/24 16:24:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/24 08:45:10 | 000,339,991 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:29 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/04/15 10:27:46 | 000,319,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 14:06:19 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/13 22:04:59 | 000,001,852 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Amazon Cloud Player.lnk
[8 C:\Documents and Settings\Dillon\My Documents\*.tmp files -> C:\Documents and Settings\Dillon\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/03 22:00:34 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBR_2011-05-03.bin
[2011/05/03 21:59:57 | 001,452,824 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBRBackup.exe
[2011/05/03 09:35:17 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBRCheck.exe
[2011/05/03 08:49:26 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\vmr.com
[2011/05/02 22:04:06 | 000,185,065 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\FixPolicies.exe
[2011/05/01 20:06:22 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/01 20:06:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/01 20:06:22 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/01 20:06:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/01 20:06:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/01 19:55:33 | 004,335,631 | R--- | C] () -- C:\Documents and Settings\Dillon\Desktop\ComboFix.exe
[2011/05/01 13:49:22 | 000,244,224 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\CF_UNINST.EXE
[2011/04/28 10:14:45 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RKUnhookerLE.EXE
[2011/04/28 09:55:04 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\ERUNT.lnk
[2011/04/28 09:07:07 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/27 16:05:12 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\tdsskiller.zip
[2011/04/26 22:51:11 | 526,897,152 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/26 12:24:41 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\MBR.dat
[2011/04/26 12:14:00 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\SystemLook.exe
[2011/04/26 08:30:12 | 000,000,921 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Amazon MP3 Uploader.lnk
[2011/04/24 16:24:26 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/24 16:24:19 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/24 08:45:08 | 000,339,991 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\RSIT.exe
[2011/04/24 08:43:24 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\rkill.exe
[2011/04/16 23:04:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Dillon\Desktop\dds.scr
[2011/04/13 22:04:59 | 000,001,852 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Amazon Cloud Player.lnk
[2011/01/08 10:05:14 | 000,181,600 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/01/04 17:10:56 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/01/04 17:10:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/01/04 17:10:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/01/04 17:10:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2007/09/30 08:28:49 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/04/21 21:46:11 | 000,007,313 | ---- | C] () -- C:\WINDOWS\hpdj3500.ini
[2007/04/21 21:45:35 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/02/16 14:23:13 | 000,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/16 14:22:44 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/02/16 14:22:44 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/11/17 12:34:40 | 000,091,848 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/06/14 20:03:52 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/13 21:21:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/04/29 08:38:16 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/02/26 09:33:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/26 09:26:20 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/02/20 18:38:32 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Dillon\Application Data\usb.dat.bin
[2006/02/07 19:44:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2006/02/01 22:14:47 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/01/31 10:29:58 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\fusioncache.dat
[2006/01/31 10:19:55 | 000,050,523 | ---- | C] () -- C:\WINDOWS\hpdins05.dat
[2006/01/31 10:19:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpdmdl01.dat
[2006/01/30 00:58:43 | 000,058,368 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/30 00:16:05 | 000,000,203 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/01/29 10:35:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2006/01/28 18:32:40 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dillon\Local Settings\Application Data\FASTWiz.html
[2005/11/11 16:46:02 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\usbaptest.dll
[2005/08/26 15:28:20 | 000,024,576 | ---- | C] () -- C:\WINDOWS\shortcut.exe
[2005/04/11 04:43:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/11 04:41:01 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/11/29 20:44:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 06:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 06:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 06:10:30 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 06:10:30 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 06:10:08 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 06:02:54 | 000,319,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 05:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 05:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 01:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 01:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 01:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 01:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 01:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 01:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 01:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 01:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/01/13 20:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/05 22:03:18 | 000,004,978 | ---- | C] () -- C:\WINDOWS\hpfmdl01.dat
[2003/03/05 18:28:38 | 000,000,309 | ---- | C] () -- C:\WINDOWS\hpfins01.dat
[2003/01/30 19:55:40 | 000,036,864 | ---- | C] () -- C:\WINDOWS\hpfsched.exe
[2003/01/30 19:54:28 | 000,003,691 | ---- | C] () -- C:\WINDOWS\hphinfs.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/26 15:09:58 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2002/07/22 17:57:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2002/05/28 01:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 01:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2008/07/13 19:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2006/12/14 07:04:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/05/02 21:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2011/02/27 21:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mMcHmPf06300
[2005/04/11 05:06:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2008/01/28 11:59:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/02/16 14:22:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/06/01 09:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/02/27 20:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/21 11:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/10/10 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Alien Skin
[2009/11/10 11:42:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Amazon
[2011/04/26 08:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\com.amazon.music.uploader
[2006/01/30 01:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\InterVideo
[2006/01/29 11:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Leadertech
[2006/01/30 17:29:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Musicmatch
[2011/01/07 12:08:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dillon\Application Data\Samsung
[2011/05/03 22:10:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{432DC279-F38A-4F95-9128-676D04ECB646}.job

========== Purity Check ==========



< End of report >
Scop
Regular Member
 
Posts: 41
Joined: April 17th, 2011, 2:08 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 331 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware